From 8d1c1e51630c4fc33beab7810673821f7343f5dd Mon Sep 17 00:00:00 2001
From: Sacha Narinx <Springstone@users.noreply.github.com>
Date: Wed, 31 Jan 2024 20:26:25 +0400
Subject: [PATCH] Policy Refresh Q2FY24 (#1552)

Co-authored-by: JamJarchitect <53943045+JamJarchitect@users.noreply.github.com>
Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>
Co-authored-by: Linda Karin Elsie Petersson <38290892+lvlindv@users.noreply.github.com>
Co-authored-by: brsteph <96074545+brsteph@users.noreply.github.com>
Co-authored-by: Arjen Huitema <arjenhuitema@microsoft.com>
---
 docs/wiki/ALZ-Deprecated-Services.md          |    3 +-
 docs/wiki/ALZ-Policies-FAQ.md                 |   26 +-
 docs/wiki/ALZ-Policies.md                     |    9 +-
 docs/wiki/Whats-new.md                        |   39 +-
 .../wiki/media/ALZ Policy Assignments v2.xlsx |  Bin 45285 -> 37411 bytes
 eslzArm/eslz-portal.json                      |  153 +--
 eslzArm/eslzArm.json                          | 1134 +++++++++++++++--
 eslzArm/eslzArm.terraform-sync.param.json     |    2 +-
 eslzArm/eslzArm.test.param.json               |   24 -
 ...IT-ResourceRGLocationPolicyAssignment.json |   54 +
 .../AUDIT-ZoneResilientPolicyAssignment.json  |   78 ++
 ...E-ChangeTrackingVMArcPolicyAssignment.json |  192 +++
 ...DINE-ChangeTrackingVMPolicyAssignment.json |  250 ++++
 ...NE-ChangeTrackingVMSSPolicyAssignment.json |  250 ++++
 .../DINE-MDFCConfigPolicyAssignment.json      |    2 +-
 ...NE-MDFCDefenderSQLAMAPolicyAssignment.json |  252 ++++
 ...rAssignedIdentityVMInsightsAssignment.json |  117 ++
 ...NE-VMHybridMonitoringPolicyAssignment.json |  123 ++
 .../DINE-VMMonitoringPolicyAssignment.json    |  114 +-
 .../DINE-VMSSMonitoringPolicyAssignment.json  |  103 +-
 ...DIFY-AUM-CheckUpdatesPolicyAssignment.json |  156 +++
 ...FY-AUM-VMCheckUpdatesPolicyAssignment.json |  148 +++
 ...bridCheckUpdatesPolicyAssignment.json.json |  148 +++
 .../policyDefinitions/policies.json           |  180 +--
 .../dataCollectionRule-CT.json                |  327 +++++
 .../dataCollectionRule-DefenderSQL.json       |  105 ++
 .../dataCollectionRule-VmInsights.json        |  108 ++
 .../dataCollectionRule.json                   |  108 ++
 .../userAssignedIdentity.json                 |   53 +
 .../logAnalyticsSolutions.json                |   40 +-
 .../Deploy-Diagnostics-MariaDB.json           |    9 +-
 .../Deploy-MDFC-Arc-SQL-DCR-Association.json  |  200 +++
 .../Deploy-MDFC-Arc-SQL-DefenderSQL-DCR.json  |  404 ++++++
 .../Deploy-MDFC-SQL-AMA.json                  |  175 +++
 .../Deploy-MDFC-SQL-DefenderSQL-DCR.json      |  463 +++++++
 .../Deploy-MDFC-SQL-DefenderSQL.json          |  240 ++++
 ...serAssignedManagedIdentity-VMInsights.json |  404 ++++++
 .../Deny-PublicPaaSEndpoints.json             |   27 +-
 .../Deploy-AUM-CheckUpdates.json              |  153 +++
 .../Deploy-MDFC-Config.json                   |    9 +-
 .../Deploy-MDFC-DefenderSQL-AMA.json          |  237 ++++
 .../Deploy-Private-DNS-Zones.json             |    6 +-
 .../Enforce-EncryptTransit.json               |   27 +-
 src/templates/policies.bicep                  |    8 +
 44 files changed, 6270 insertions(+), 390 deletions(-)
 create mode 100644 eslzArm/managementGroupTemplates/policyAssignments/AUDIT-ResourceRGLocationPolicyAssignment.json
 create mode 100644 eslzArm/managementGroupTemplates/policyAssignments/AUDIT-ZoneResilientPolicyAssignment.json
 create mode 100644 eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMArcPolicyAssignment.json
 create mode 100644 eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMPolicyAssignment.json
 create mode 100644 eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMSSPolicyAssignment.json
 create mode 100644 eslzArm/managementGroupTemplates/policyAssignments/DINE-MDFCDefenderSQLAMAPolicyAssignment.json
 create mode 100644 eslzArm/managementGroupTemplates/policyAssignments/DINE-UserAssignedIdentityVMInsightsAssignment.json
 create mode 100644 eslzArm/managementGroupTemplates/policyAssignments/DINE-VMHybridMonitoringPolicyAssignment.json
 create mode 100644 eslzArm/managementGroupTemplates/policyAssignments/MODIFY-AUM-CheckUpdatesPolicyAssignment.json
 create mode 100644 eslzArm/managementGroupTemplates/policyAssignments/MODIFY-AUM-VMCheckUpdatesPolicyAssignment.json
 create mode 100644 eslzArm/managementGroupTemplates/policyAssignments/MODIFY-AUM-VMHybridCheckUpdatesPolicyAssignment.json.json
 create mode 100644 eslzArm/resourceGroupTemplates/dataCollectionRule-CT.json
 create mode 100644 eslzArm/resourceGroupTemplates/dataCollectionRule-DefenderSQL.json
 create mode 100644 eslzArm/resourceGroupTemplates/dataCollectionRule-VmInsights.json
 create mode 100644 eslzArm/resourceGroupTemplates/dataCollectionRule.json
 create mode 100644 eslzArm/resourceGroupTemplates/userAssignedIdentity.json
 create mode 100644 src/resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-SQL-DCR-Association.json
 create mode 100644 src/resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-SQL-DefenderSQL-DCR.json
 create mode 100644 src/resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-AMA.json
 create mode 100644 src/resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL-DCR.json
 create mode 100644 src/resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL.json
 create mode 100644 src/resources/Microsoft.Authorization/policyDefinitions/Deploy-UserAssignedManagedIdentity-VMInsights.json
 create mode 100644 src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-AUM-CheckUpdates.json
 create mode 100644 src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-DefenderSQL-AMA.json

diff --git a/docs/wiki/ALZ-Deprecated-Services.md b/docs/wiki/ALZ-Deprecated-Services.md
index d58ef3e14..fb4045cd3 100644
--- a/docs/wiki/ALZ-Deprecated-Services.md
+++ b/docs/wiki/ALZ-Deprecated-Services.md
@@ -25,7 +25,8 @@ Policies being deprecated:
 | RDP access from the Internet should be blocked<br>ID: `Deny-RDP-From-Internet` | [`Deny-MgmtPorts-From-Internet`](https://www.azadvertizer.net/azpolicyadvertizer/Deny-MgmtPorts-From-Internet.html)  | Deprecated policy as it is superseded by a more flexible policy                  |
 | Deploy SQL Database Transparent Data Encryption<br>ID: [`Deploy SQL Database Transparent Data Encryption`](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-Tde.html) |	`86a912f6-9a06-4e26-b447-11b16ba8659f` | Custom policy replaced by built-in requires less administration overhead |
 | Azure Machine Learning should have disabled public network access<br>ID: [`Deny-MachineLearning-PublicNetworkAccess`](https://www.azadvertizer.net/azpolicyadvertizer/Deny-MachineLearning-PublicNetworkAccess.html) | [`438c38d2-3772-465a-a9cc-7a6666a275ce`](https://www.azadvertizer.net/azpolicyadvertizer/438c38d2-3772-465a-a9cc-7a6666a275ce.html) | Custom policy replaced by built-in requires less administration overhead |
-| Public network access should be disabled for MariaDB<br>ID: [`Deny-PublicEndpoint-MariaDB`](https://www.azadvertizer.net/azpolicyadvertizer/Deny-PublicEndpoint-MariaDB.html) | [`fdccbe47-f3e3-4213-ad5d-ea459b2fa077`](https://www.azadvertizer.net/azpolicyadvertizer/fdccbe47-f3e3-4213-ad5d-ea459b2fa077.html) | Custom policy replaced by built-in requires less administration overhead<br>NOTE: US Gov (Fairfax) initiative still points to the deprecated policy as built-in is not yet available. |
+| Public network access should be disabled for MariaDB<br>ID: [`Deny-PublicEndpoint-MariaDB`](https://www.azadvertizer.net/azpolicyadvertizer/Deny-PublicEndpoint-MariaDB.html) | [`fdccbe47-f3e3-4213-ad5d-ea459b2fa077`](https://www.azadvertizer.net/azpolicyadvertizer/fdccbe47-f3e3-4213-ad5d-ea459b2fa077.html) | Deprecating policies for MariaDB see [`ALZ Policy FAQ & Tips`](https://github.com/Azure/Enterprise-Scale/blob/main/docs/wiki/ALZ-Policies-FAQ.md). |
+| Diagnostic Settings for MariaDB to Log Analytics Workspace <br>ID: [`Deploy-Diagnostics-MariaDB`](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Diagnostics-MariaDB.html) | Deprecating due to service retirement | Deprecating policies for MariaDB, see [`ALZ Policy FAQ & Tips`](./ALZ-Policies-FAQ) |
 | Deploy SQL Database Vulnerability Assessments<br>ID: [`Deploy-Sql-vulnerabilityAssessments`](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-vulnerabilityAssessments.html) | [`Deploy-Sql-vulnerabilityAssessments_20230706`](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-vulnerabilityAssessments_20230706.html) | Custom policy replaced by updated custom policy providing bug fix |
 
 ### More Information
diff --git a/docs/wiki/ALZ-Policies-FAQ.md b/docs/wiki/ALZ-Policies-FAQ.md
index 68fa677fb..b502f8852 100644
--- a/docs/wiki/ALZ-Policies-FAQ.md
+++ b/docs/wiki/ALZ-Policies-FAQ.md
@@ -4,7 +4,7 @@
 
 There is a lot of change happening for policies in Azure, and by extension ALZ, and we have a number of common issues being raised by our customers and partners. This page is intended to address those issues.
 
-### Diagnostic Settings v2 (May 2023)
+### Diagnostic Settings v2 (December 2023)
 
 There are several issues raised around Diagnostic Settings, and we acknowledge that this is a complex area that is causing a lot of pain.
 
@@ -14,10 +14,23 @@ Check back here for updates, and be sure to bookmark [What's New](https://aka.ms
 
 To view the current list of GitHub issues related to diagnostic settings, please see [this link](https://github.com/Azure/Enterprise-Scale/labels/Area:%20Diagnostic%20Settings).
 
+> **UPDATE** New built-in Diagnostic Settings policies and initiatives will be landing in early CY2024. As a heads-up we will begin deprecating all our custom diagnostic settings policies, and changing our default assignment to leverage the associated built-in initiative for Log Analytics (as the target) - additional options will include targeting Event Hubs or Storage accounts.
+
 ### Azure Monitor Agent (May 2023)
 
 Similarly, as Microsoft Monitor Agent (MMA) is on a deprecation path, Azure Monitor Agent (AMA) is the recommended replacement and there are a number of requests to support AMA specific policies. AMA is currently in preview, and we are working with the product group to ensure that the policies are updated as soon as possible. Some policies are ready, however, the initiative to activate all components is still being worked on.
 
+### Azure Database for MariaDB (Jan 2024)
+
+Azure Database for MariaDB is being deprecated, with the retirement process beginning on January 19, 2024. Due to retirement Azure is phasing out MariaDB policies, aligning with a strategic shift to Azure Database for MySQL - Flexible Server. This includes deprecating Azure Landing Zone (ALZ) custom policies 'Diagnostic Settings (Deploy)' and 'Public Endpoint (Deny)' for MariaDB. These policies are becoming redundant with MariaDB's phase-out:
+
+1. Diagnostic Settings (Deploy) for MariaDB
+2. Public Endpoint (Deny) for MariaDB
+
+**Action for Users:** Users are encouraged to migrate to Azure Database for MySQL - Flexible Server. This migration will involve updating or replacing existing MariaDB-related policies with ones suitable for the MySQL Flexible Server environment.
+
+For more information on Azure Database for MariaDB, its retirement, and the migration process, visit [What's happening to Azure Database for MariaDB?](https://learn.microsoft.com/en-us/azure/mariadb/whats-happening-to-mariadb).
+
 ### Sovereign Clouds (US Gov and China)
 
 Numerous GitHub issues related to sovereign clouds are currently within our scope, and our team is actively endeavoring to resolve these concerns.
@@ -28,6 +41,17 @@ Given our constraints in conducting direct tests, we are dependent on the invalu
 
 To view the current list of GitHub issues related to sovereign clouds, please see [this link](https://github.com/Azure/Enterprise-Scale/labels/Area%3A%20Sovereign).
 
+### Private DNS Zone Issues
+
+There are a number of issues raised related to private DNS zones not functioning correctly, and in some cases this is due to specific services requiring additional configuration to function correctly.
+
+Known services causing issues include:
+
+- VM Guest Configuration ([additional configuration required](https://learn.microsoft.com/en-us/azure/governance/machine-configuration/overview#communicate-over-private-link-in-azure)) - [GitHub Issue](https://github.com/Azure/Enterprise-Scale/issues/1466)
+- Power BI ([more info](https://learn.microsoft.com/en-us/power-bi/enterprise/service-security-private-links)) - [GitHub Issue](https://github.com/Azure/Enterprise-Scale/issues/1441)
+
+If you encounter problems with DNS resolution for PaaS services that have Private DNS Zones deployed by ALZ, first verify their necessity. If the services do not require Private Link, or you do not intend to use Private Link for the service, we recommend either disconnecting/unlinking or deleting the private DNS zone from the hub or virtual network for those services. Alternatively, you can follow the specific guidance provided for correctly configuring the resource.
+
 ## Tips & Recommendations
 
 ### Enforcement mode instead of the audit effect
diff --git a/docs/wiki/ALZ-Policies.md b/docs/wiki/ALZ-Policies.md
index 61173955c..aa51c6abe 100644
--- a/docs/wiki/ALZ-Policies.md
+++ b/docs/wiki/ALZ-Policies.md
@@ -50,7 +50,7 @@ The subsequent sections will provide a summary of policy sets and policy set def
 
 > **NOTE**: Although the below sections will define which policy definitions/sets are applied at specific scopes, please remember that policy will inherit within your management group hierarchy.
 
-> <a href=./media/ALZ%20Policy%20Assignments%20v2.xlsx><img src=./media/ef73.jpg width=64 height=64 align=center></a> For convenience, an Excel version of the below information is available [here](./media/ALZ%20Policy%20Assignments%20v2.xlsx) or click the icon (last updated April 2023).
+> <a href=./media/ALZ%20Policy%20Assignments%20v2.xlsx><img src=./media/ef73.jpg width=64 height=64 align=center></a> For convenience, an Excel version of the below information is available [here](./media/ALZ%20Policy%20Assignments%20v2.xlsx) or click the icon (last updated December 2023).
 
 ### Intermediate Root
 
@@ -67,8 +67,8 @@ This management group is a parent to all the other management groups created wit
   
 | **Policy Type**           | **Count** |
 | :---                      |   :---:   |
-| `Policy Definition Sets`  | **10**     |
-| `Policy Definitions`      | **2**     |
+| `Policy Definition Sets`  | **11**     |
+| `Policy Definitions`      | **3**     |
 </td></tr> </table>
 
 The table below provides the specific **Custom** and **Built-in** **policy definitions** and **policy definitions sets** assigned at the **Intermediate Root Management Group**.
@@ -88,7 +88,8 @@ The table below provides the specific **Custom** and **Built-in** **policy defin
 | **Audit-UnusedResourcesCostOptimization** | **Audit-UnusedResourcesCostOptimization** | `Policy Definition Set`, **Custom**     | Optimize cost by detecting unused but chargeable resources. Leverage this Azure Policy Initiative as a cost control tool to reveal orphaned resources that are contributing cost.                                                                                                                                                                                                                              | Audit                   |
 | **Deny Virtual Machines and Virtual Machine Scale Sets from not using OS Managed Disks** | **Deny Virtual Machines and Virtual Machine Scale Sets from not using OS Managed Disks** | `Policy Definition`, **Built-In**     | Deny virtual machines not using managed disk. It checks the managedDisk property on virtual machine OS Disk fields.                                                                                                                                                                                                                         | Deny                   |
 | **Deploy Azure Monitor Baseline Alerts for Service Health** | **Deploy Azure Monitor Baseline Alerts for Service Health** | `Policy Definition Set`, **Custom**     | Deploys service health alerts, action group and alert processing rule. For more detail on policies included please refer to https://aka.ms/amba/alz/wiki under Policy Initiatives/Service Health initiative. | DeployIfNotExists                   |
-
+| **Resources should be Zone Resilient** | **Resources should be Zone Resilient** | `Policy Definition Set`, **Built-in**     | Some resource types can be deployed Zone Redundant (e.g. SQL Databases); some can be deploy Zone Aligned (e.g. Virtual Machines); and some can be deployed either Zone Aligned or Zone Redundant (e.g. Virtual Machine Scale Sets). Being zone aligned does not guarantee resilience, but it is the foundation on which a resilient solution can be built (e.g. three Virtual Machine Scale Sets zone aligned to three different zones in the same region with a load balancer). See https://aka.ms/AZResilience for more info. | Audit                   |
+| **Resource Group and Resource locations should match** | **Resource Group and Resource locations should match** | `Policy Definition`, **Built-in**     | In order to improve resilience and reliability, you need to be aware of where resources are deployed. To aid this awareness, ensure that the location of the resource group matches the location of the resources it contains. | Audit                   |
 
 ### Platform
 
diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md
index fdad36449..2ee87ffce 100644
--- a/docs/wiki/Whats-new.md
+++ b/docs/wiki/Whats-new.md
@@ -1,6 +1,7 @@
 ## In this Section
 
 - [Updates](#updates)
+  - [🔃 Policy Refresh Q2 FY24](#-policy-refresh-q2-fy24)
   - [January 2024](#january-2024)
   - [December 2023](#december-2023)
   - [November 2023](#november-2023)
@@ -9,12 +10,7 @@
   - [August 2023](#august-2023)
   - [July 2023](#july-2023)
   - [June 2023](#june-2023)
-  - [May 2023](#may-2023)
-  - [April 2023](#april-2023)
-  - [March 2023](#march-2023)
-  - [February 2023](#february-2023)
-  - [January 2023](#january-2023)
-  - [Previous Updates](#november-2022)
+  - [Previous Updates](#may-2023)
 
 ---
 
@@ -42,6 +38,26 @@ This article will be updated as and when changes are made to the above and anyth
 
 Here's what's changed in Enterprise Scale/Azure Landing Zones:
 
+### 🔃 Policy Refresh Q2 FY24
+
+Yes, the Q2 Policy Refresh has been delayed due to a light past quarter and some very important initiatives that we feel had to make it into this refresh.
+
+#### Policy
+
+> **IMPORTANT** We've updated the ALZ Policy FAQ with important information about the new Diagnostic Settings v2 policies and initiatives that are will be landing soon. Please read the [ALZ Policy FAQ and Tips](./ALZ-Policies-FAQ) for more information.
+
+- Added built-in policy to Deploy-MDFC-Config initiative and default assignment to [Setup subscriptions to transition to an alternative vulnerability assessment solution](https://www.azadvertizer.net/azpolicyadvertizer/766e621d-ba95-4e43-a6f2-e945db3d7888.html). This policy will enable the Microsoft Defender for Endpoint Threat Vulnerability solution on all virtual machines in all subscriptions, which is free to all Azure subscribers. This is implemented as the Qualys based solution is retiring on 1 May, 2024. For more information, please see the [Microsoft Defender for Cloud documentation](https://docs.microsoft.com/en-us/azure/defender-for-cloud/how-to-transition-to-built-in).
+  - VM vulnerability scanning will be enabled by default at subscription level as there is no cost and it is best practice.
+
+> **IMPORTANT** Take special note of additional steps, in the docs page listed above, that are required to offboard the legacy Qualys solution from your environment.
+
+- 🎉 Added new initiative default assignment at the Intermediate Root Management Group for [Resources should be Zone Resilient](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/130fb88f-0fc9-4678-bfe1-31022d71c7d5.html) in Audit mode.
+- Added new default assignment at the Intermediate Root Management Group for [Resource Group and Resource locations should match](https://www.azadvertizer.net/azpolicyadvertizer/0a914e76-4921-4c19-b460-a2d36003525a.html), which will help customers better manage and identify regionally deployed resources and ultimately support improved resilience.
+- We are deprecating MariaDB custom policies. For more information: [ALZ Policies FAQ](./ALZ-Policies-FAQ) 
+- Fixed a typo in the Private DNS Zones initiative for the policy definition IDs for Databrics (corrected to Databricks). While not a breaking change, it is recommended to redeploy the initiative to ensure the correct policy definition IDs are used if you are using Private DNS Zones for Databricks - specifically if you have configured any exclusions or overrides for the Databricks policy definitions, as these rely on the policy definition ID (which has been updated). You will need to recreate the exclusions or overrides for Databricks if you choose not to redeploy the initiative.
+- Added ['Container Apps environment should disable public network access'](https://www.azadvertizer.net/azpolicyadvertizer/d074ddf8-01a5-4b5e-a2b8-964aed452c0a.html) to ['Deny-PublicPaaSEndpoints'.](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deny-PublicPaaSEndpoints.html)
+- Added ['Container Apps should only be accessible over HTTPS'](https://www.azadvertizer.net/azpolicyadvertizer/0e80e269-43a4-4ae9-b5bc-178126b8a5cb.html) to this ['Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit'.](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit.html)
+
 ### January 2024
 
 #### Tooling
@@ -51,12 +67,20 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
 - Added drop down selection option for Azure Private Link Private DNS Zones as part of portal based ALZ deployment experience where you can select to deploy or not to deploy a subset of Private Link Private DNS zones.
 - Updated ALZ policy testing framework on pull request to only test new or changed policies, drastically speeding up the testing process.
 
+#### Documentation
+
+- Updated broken links in [Deploying ALZ ZT Network](https://github.com/Azure/Enterprise-Scale/wiki/Deploying-ALZ-ZTNetwork#azure-landing-zone-portal-accelerator-deployment-with-zero-trust-network-principles)
+
 ### December 2023
 
 #### Tooling
 
 - Added a new policy/initiative submission form template for GitHub Issues. This will help us to better understand the policy/initiative you are submitting and will help us to review and approve the submission faster. Please use this template when submitting new policies/initiatives to the ALZ GitHub Issues page.
 
+#### Docs
+
+- Added new section to the ALZ Wiki FAQ to provide guidance around Private DNS Zone/Privatelink issues - [read here](ALZ-Policies-FAQ.md#private-dns-zone-issues).
+
 #### Other
 
 - December 6th External Community Call recording and slides published to [aka.ms/alz/community](https://aka.ms/alz/community)
@@ -66,8 +90,9 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
 #### Tooling
 
 - Added virtual hub routing preference support to Portal Accelerator for scenarios where you need to influence routing decisions in virtual hub router towards on-premises. For existing ALZ customers please visit [Configure virtual hub routing preference](https://learn.microsoft.com/azure/virtual-wan/howto-virtual-hub-routing-preference) for details on how to configure virtual hub routing preference settings.
-- Added virtual hub capacity option to Portal Accelerator which provides an option to select the number of routing infrastracture units. Please visit [Virtual hub capacity](https://learn.microsoft.com/azure/virtual-wan/hub-settings#capacity) for more details on Azure vWAN Virtual Hub Capacity configuration.
+- Added virtual hub capacity option to Portal Accelerator which provides an option to select the number of routing infrastructure units. Please visit [Virtual hub capacity](https://learn.microsoft.com/azure/virtual-wan/hub-settings#capacity) for more details on Azure vWAN Virtual Hub Capacity configuration.
 - Fixed a bug in the portal accelerator experience when deploying with single platform subscription and selecting virtual WAN networking topology - Invalid Template error.
+- Updated the ALZ Portal Accelerator and default assignments for Microsoft Defender for Cloud (MDFC) VM Vulnerability Assessment provider to default to use the PG recommended Microsoft Defender for Endpoint Threat/Vulnerability Management (mdeTVM) provider, instead of the Qualys provider.
 
 #### Docs
 
diff --git a/docs/wiki/media/ALZ Policy Assignments v2.xlsx b/docs/wiki/media/ALZ Policy Assignments v2.xlsx
index d58443c27bcd2d2f6c9a54d4fa11bfdf63ce2efe..80fef44bf4249ed7f9da16f981321d326e50d885 100644
GIT binary patch
delta 16686
zcmZ9zWk4Ol(k;4i4esvl?(XgZg1fsDGPwK3J-E9QEO>AaF2SAP79Qu^`|fw&>mM^y
z?Oolqx@M-={tjeOF(j^<A`~<h2o?kn0)fauX046|vk)MVU;{1%BrvGGX16AW7QlK-
zI@p6_pNpkHpLR2Ygyn}o71UGPLTP*2-N31G-g{|to`HcyD-qr!C)edZmC4z~8B<l$
zG$c&L)&F_7Fee7`D{=F+BlU$-@5E*dq`Ys9!<AYTaY4I&&$pKL4e7q%B4M3E%4pK!
z!A_{MdSrB=Ixcd4Y2Y<eA78s$hk11T={2`Hg!YQ7h(wYJH@`rgP;uyx`F)d751%zU
z;Uz#=n_4S&X(3v-{KvyH`WO>eT!naq-ygir!3;6mGtlS?2hBk2F>E9sJC<AGjd$oh
zdWCEE(GNBvaNjQ9cQ{&w_=zzSYl<Gzt~|BHI-&DH@(bE@HUR(AP>aH?B>%mlQ_U;p
zoFDejPN7d6OH&T^$0^sSovK%dlXN$yyAu-6uN+r$#Od$yaMy33%>4P9QMPHS_~xd-
zLlyuwAihHr;r7$@r2RC@w(*&!z{w{Km)@Mz@IJ#bG}q2c*%=a4417MLt?%}11*Xr}
z*|j_8dy?!LP|9rwmtqQx8h^9(gWgWEuOQJ;P`kUUYb3bV58St!g@@%2GuhK~4wZwi
zk43mnMEr1!wN5E1QLD!ONr-;pK5AHh>CCD40ky}G@NeH3JnM<wL<(&N1(5a2iJn7&
zK%EF65bDRY`#7+AJG<GNIXm04_&7RLYp*%|;rW>L89*%z^inLhFxiOaPyR)NSGtic
zhwB&z7FoZLnIgG7+2f4tH*l%eW3|Du?f@0BkhrjunaNpHm2g_QkcWVqvM5Y!sNX4b
z61(4QbbGsXsYyA*P3{Wh{z+aeF6%}64xGKe&M!t^m*JbM5`Y#8%WyS#zS~AulVRhe
zSCey}P2ktnLxWkBW?h2a)zK)b=9-zuc^Q@L147XLy0iWMs=|rU<e-<N?<B@Y-vIqw
zSP=L7yY>pd3-*EP`0%LiB4{u+O{=H5pi{?k=dRF-Xj;L=KTZg6oZLAa5N$N6_vY<i
z8q>y}<im7eVTD*-PZYT()uWMcmZ%qr>-Uwb9UJ4+=3j5x{U@mR<j?dD3a=)WktD0p
zVI+sX%(dCf%dUB-J7}gtB|Nrkw-x!LU|G4)f`OE|r<MGp%)8Hm@vl`7Yj%HfTD`q@
z;`yl+z<P)d2jvEkrY2tzC~{b|Kvy_cyq8z&pPBZH4X$RqwiM@xod<^Y5#zby>}KMb
z>e(n7-QRNMyejOM?K>zD(9n2)is;0`U~o+aF{8AS4I73la*XNG&@etr(PEF$=Mf!a
z=Hm<iYIIXtflBbd!XFQw)<6&d$%PhQvO&n<=_4$MYXp!_&YBot@;mLE8=8cFUf>UT
zR*xS^G$d_f+-NJtz_|<*rI@YVV}&rXKtnd)w?jt0fj2gDANm-_U)Ub1-sHWsU)p@S
z*Ti+&i=Tpqt6JVT7hWgp*Ip`#bSBS(l2iF2B{Nr_la~0u+<6Qj2vMJ;4?yZxc|9Z@
zG#(wRY_9<?Evlg`hy@NsV$2fQbaujT+%BCJq#X^WMdjx0k{0+O?b&$ZBk>UphsCaF
zZ7CC!DvqQuPUqE&HTOl?qAlo*w)ch75;M{@S;aF<){jG81qoG4Rl%s!LRz11PKoG^
z-(f5Uqg?+s`rkHgFqq3y)4J<}4Hn7K1RGm#OHYBuT9z_;?G|kFC~I9b?Yx4mE@IwD
zCGne_^17tW_bbD6kykf#!-A{bHY8NTOj+DusjcK7!bbGvg@wwx7$!lry)pew_?0O&
zH>}1W1I80w!{vI65zh4jd%~d8-@`L;=YywIt{hh>B#YLpucBGNm#3Wz|4Ln)jB)??
zCR(8Uo;?$lOo@S@5;5qKeI*DNnF)@rlV0HyuBW&F)E4&-KF=R0(GgMUB%=%uhnEiB
zK`TAV^#&5t8t0WQlH8?hi*LJMo9ZWDvW+m~&G$#|&o7C8KwT=j9qiohOoR+fw>`93
z=XJ|plqDQ@L=>%w6XgOT1PMi~4`ZZVj1wpT@)6CBor9&_g~i-EA()K@3sD@If0X0{
z_phOw`j8kQ0Q&(p<nYUow}@^3KU5o?94EINh}}-aXLdyUA;Vtv3yx0@oI%`3SeF=X
z>~cRZU&vNg&wD)y1A+&J3Hs;wOwsWyV}`YYyYo@1m}3%)=`HL(!7o8I27CkB{KIsT
zdqX|vP4~2s5p^&<r*n!b#T8>6;f6meoHkRDc1C+^0J)YhLW;?sya8@qk=fYzFp~>i
zpLfkI-^2G7M?D@yqv}o@HjjbeDx~B^($2fWIc>4vq3ewOPeDc_B$?N1T&MiDquvNI
z$>e(jnc;YOX%})hg<}WBPmLF`+@Ltaj?zTbR5GPbHYFF8?2<#QV&5Dvto?C;59Q%9
zbbM15Zn0#-fvFDO$(P>LT2X?C$K^a#9PNKl|J4<QPm{_d9th+a3Ra=P2aBM<0c-KA
zY-r(^jCaHoTi`)240wtzGjBalf9*RTM<OU3c_qiDz{(!~ktvAcR0drHJTTwZgy@Z6
z(~G$wOq~Q_MHb`^n@o^RJA-8t%S^)MbP)n#tflf8!(t?4Zm9T!H>v0Zih}c`3_Ky|
zJ3Gv(ZdbNU(hi|ICuU`?&GwW6aGa(0ShbwAV%x9qu4X7r72i~D)hNzvT3KgWzNp}K
zUHsUC6X!^-uQeg@W<}{;TDJH~U@&>>)l2BAeF<tvNo}S@l@^~YV?C9zZLJo2K&Op`
zll?>rX}nr?y}V^nNxl55JoQr$Q44o(YQC)R;G>vd)jI>S3I(%K3E?(AAien+Lj?|p
zf8a>abOq#oJ~!XZgmeqXI+r10;UhKg%b`FwC5y^WT{L7So=-BL!gO$L?7_=Ot@OJB
zu~`?}CcZ3RGq$iRlXpgy9_7G{Shw|+hM~VEkO~iGDqpdr)#(qCK{SNzD{O?t`mfK|
zbd`vsWQ(s(V6=2H0uF;(;KgBjbJo~HEgF06^S!!uuZ1lyOjf9EmIc@~`q|%jaR;1u
z8W)zF%ofDLN2okL4`w5JMY0TADA}uo6nTYh@i;^~8;P%pPg5Qyk9R-$J)D<AX^Of<
zSarhEbvY>pQqBWi&tT9Y&{MMy?diiRO>&ZXAt!I?z|h@8M-oE-BZoAG)X>p)@R0%N
z*N)N_#1Lk(a#uAqc;3j7-HC*7keBLpP-e!`81W<KSq7pDKg`9>@VE2V!lQRSZTTVL
zbmL&qAgJt~{Un&VeE*GviZXe$C$tfR$%ed4Oy_(Fd~DM1@Bh8z<m@;R^5TRU4_!e~
z?M}!wBJqj|14<T?U+^|TZ}X**O&j;;-o>WpJN(8&NN=l7SCiBwMT(pLqt^qcb;iB_
zMyEydM1{Y;-}h!;if)yzWiN~70YL8iX<2jT`}B0%#`)wpU<`bHIUjGk>=l0J<Lu4*
zXZ>R8?SJ!`AkX;Q^Yqr!>FN0L)*-O@^~hON_(x7K@a7ing~Im!a{5{ad|MUz`g$`z
zFp@4IB#>lh=22J`btYwunV*Yiw;O}Gmc_@{P!&Z>d(Z9av0F=18rI(1?fWu3_x473
z<EnG4T&b6?Pzk143(y45n_GX{lJQ9Zbk1j^s2bxOsh}w4zQIa0zd=Su`h%nv0wAUK
zgjwW(-haE&Tejk@hg;Y68^zw|42B1IrHbAUJGDuSWg{%7yHcy;w8T+K30XnvmPE%~
z<~CGM!zg{_Tv#&mR;J-CJpRf#VYbnna2+(ZDhY--BT-bO=Fn0i(y&q`5K>@Rw6SX_
zvdUP>TqdXy7(H5L+WB0Z;)-z`5BZG%cWyyI*jo>eR^X{eM$95<ES?G*w$Nq@RJevr
z);SF-#BU-?Wy@kin!~c%+^v((m^V-NbS(sv9{-kUq%1{}Qa2<z-Y@$GlKKWx4IE`X
zZzr=i^m{5%Mw(l&R7K!Sx45D4Y@ibSZySCamaB4JgQ2d2JotEWn6PNrAAPF;{se3N
zlvDXA@zKN~v+0Ew>4E1}A<O?7`iVyj0vkS_;V&X~OB*UZGnBp~8mP$9O;^){A3k+a
zo)sB5rSww<y4id$I=^yAI+@}yE0#rQ`YcSe2xOHA2;^}Jq1YHcg(VH0w6kejmc|S<
zvnkt7Z5(voA>VVBDCQCZWq_j%=y<<P0E6;H9o8x_V3(7P25ksE7qyQ{J976ZUNhtF
z7tc|eW=5;j2}%wXVl$8Ju^p?zo*aRPX9ypxWuO5So^p&0k<w?rK(EdhwSruJsPWjP
z7=yN1*k&oaQ;!nv#MMm@nY`#VUJ!?P=Wld#0de=<`Tcm2OpAU1b4vd-6jEEDLXZQy
zyarPbMsllqM`Mi<M0LK0nSf3Qwf6*V_~RIQLPe(;3i;qkDrjMfKIr6Y^4(VkwJ)@8
zpRz0^?XqD5i*wJFW~vxd=#woq`vm&%D||sSx#!9jk>!9I<RU{RH9<2PhA({5M#VXK
zj^r}6iS@k-^e+&gXDk(KiJ1Xnl>F<kM?#l)EEObmWsbmwyW-5PQ)V@zRRA>7Z**4~
zJ{3hVg*9Jhp&UQ;kB9M*89G}+^Fbn7M(#<#RKw&XrJ|FJVn$mzN-(RXs&(qCS}MH5
zFP?AmcIean#akUWS~Hbfc&ehu4dM{%;fMJOOEjV2hPnqZ%$lrnr_S1?Qn8moc2_hv
zKHH~`x<q23Z~CEfM2tug|LF8Ur^B>(!SqG+Q-Pb%=@uYxu(#xwZoIG!TKeSFmb6pK
zvA*`R?c~9(q}Giz`C%tSt0ZCYcO{%_=or=r!FnK+xU0it$kV9mDZ*~~?~$L?ga(U#
z3`$Kirz*6-=7~78LgbD6-IN6Z#Qd@C*vBM^wQ{4ITUU)g{p)1Dymi<U3p(>jg*;x;
zg4E^?&D?^qTS6n|M^74Xc7AR9+ai=_zHH{y;!YvclZqUBuH2XLMasMa0VTFW8cTL<
z?WfjQv51f9>X;OZ6jkPr@7{4a#{!u2pnVoMRdP2#JqVUFlfoODEKzUQa><j!7Dm0`
z!NTuzV~?B!kCYUh^I%)!FHx^P8whk04z@fc2wceBv*xd4GF5P9%|3J!0+|cJnTYc$
zG>v4C+D3<t?e<bNog~I$1<kl0Yli{G0G?>#;?0NbCYmkrxEZ?A5dO<uFpHEd%SYXp
z1BL*d^@2Fz^q=LfbPjyHbOa|MT?mMq25MA1MH&+a>%WYj><U%)-CMv>M3HiL+sy6u
zd$Ig}hS_6%?J^MWLBkrNsCacGU#q)UeW|DX`sb<57?i$Ha*$GFC-ZLCqH`VVd&L=o
zet~@HFM^USF+P>H9ow)m4v{C4NRuiSbov2_gSm(cEJI^JBo+8!%b#&5sDYtwau3BX
zz>_qRJ=26q_-7!W|C3XGWCM&dew6~vS_)2SuF{^66c6>~tRZDPZGoPs7sSU{6-l5u
zQf=6(NQnNP1VQTE)r-ZQkozDM(n3*?Ej)GjE%Sa4Y&aqR00*Uyp-mPwH2aas03T}P
z%0$#m-OW-8v!&4lN*-Lk)s`f^VEWDb7W4Tf;NdNgj{H^JWFxI1F<}~~GSL~4Je;pI
zH(eswh+5J#T_s3*K<iLl_kTE#+MCGDGZG`R<X~gLXov9gPaU4yN5R8I5J}IgO6N<J
z^HVNib4(ibj%4!MJnWL0TCbo4Hrq0hW9|1`g_2B|JO@pg7zb>pPMUG7YG%9h^sq{6
zW>b44FDE<fp>e4eyaM?iP6R-I2%dCn(I;eCF=oHsQlPUZH;w$%BCv%q%4n6b;D=_o
z+FWy5hG&tL>q$U6G*V3qbdB3)2(IyDBORx#XK7Xqe)5o?wnb{jp<g)$jDt3{^obFc
z>%x+b(R^8v37pTter%A<sKk_Nu%n)czft%ysKIc5VWu+|k&;T>bTdv;bfA<iWgK%y
zeIm~kHhukh_|4M|UU<M!v+nvPUx%RV&CD74LvIUkV4Ff#e^xh*q1YkK8~q*i$Z&6Z
zOSA0rJnCouU4D-CVQ6`PvPjmc6sN`?2-q8p1W3KO!zszeu2IY8Rt*c`;=UM#fIfc^
zjbrsh2#e8o<RpWNzDc;8Bu6!fO9&{vk~Zi{9=fhL0}Ad`f>D3?9~~awYG;=r!44tO
zV)$g3h<J+hL`vx*flMWAi8>fCm0@!?tB@^W6i^iPlAmTK?5QCDC4$>N9!SgJ1$Szh
z4I#6$VO$A2Eb?M6qac>8#}9<1ZzQKsfH8=KxWG7)ANdbB<Y_>VLc(db!IO1K$p_u0
z{L?L1^<L!7MqI!-QD8KK*G2F1xZkz<0M`{;O!hPl6J3u^d3Cb$LYt*-%LNX7YOT6F
z^{53QM}pd0N?>YwF?+!vbd<D6T&`;aJ_S8lR6#P99wwdob|?f2`mbR$WYpdWM)_vR
zZAm6%i{^>KXS2YIjnu+5glAbhy5ydgL{~m-1{YjNxOu`oXg!r#lQhk5gcQebZ56Rg
zI?*{%qbxAzU5wJgJ)Qed;*Dw6fnT!`busxeNQ5Bv_yOsrC2$#rjiD-4x3%cU4z!S(
zP62y#V@TgFP@iOc2%jVn#vxXV6<caWs{EyHmjv`T7*gb2hj|5~oP}-y%>1Dt4mt{c
zX<lrHd`KI{89wL&<U~enHaZu!?q0~mL##=C<205aEA=g7S<a9`F~^dHg7!yi0oYD}
zthZPe2!sWXK+%JtTt(nASRoG3O!6Qn*!w<gQK6}OE{RXHtj^vJ10uywoBm^xn&+uy
zVuXp5!0_bqiL{~3tBh*ho5w-^L8}@`w6kA7yC8i=OYT{RRy$ctjuguz!(_NBBd3dJ
z$%YGbXc-XWC^8SS%iU|^#6H^ce181bCh`t^d`0@-{^<{WTW7*C>{rI{z`eDmXOWyc
zSm6!MDBjaJ^h3~n47+T?V6_zD-l!4(D4-f=p-AZ(sz%e2NFLcZN$=HLRJr+5+e4(Y
zxa%-_ihH`=D}wmCh?+&({pk62;x^kY@{G#L4G!C(@>DCPdeHKrFK1HBEL;K#k<WT%
zN45ZOKhLCP>zIAk?6GNH=VuwBZrxsjEvL8Afo$)X$sxUfyXPYhJQkk1_yo~_=iA1A
z2HvDMe!5?$PSeMQh?etNb*y9V?HUY_V?H7$vbzA+oWDaWC()aw3>pT^FGFMF^E<C+
zByOkDF4(@M7!?{)h!if-J;0TEHW{P(rtCkMnydntzfgtBG0zqqtH?24lA^ULKO055
z2#ke7Sqx3}Op<>nQ&((r!Q?~Rnj4lx?_r}h&D=qE3L$%Jj(1-AsS?`@SLk@{rJRpF
z)$$lvjoUq-^_p=&Umz+-4+V+xF=+i%hGyoIkW2ga?`RTQv~~wgwhr)Qb<ZZ8TUF2y
z_TGzIrV72*X)bN5{1(}Js~xNDF_^>N=PU$+&94`Rs>N<ff!TEEO#A4H8`0<7vadiO
z?wHF=f57=P>|bfPG;uO~@A=WBwRqYu9gAj(IRW<J1iGXF0{(Hve$xKwl|86!j=Xya
znq&Hu+0`*6hA$E2J3tn}yhUY+ZT3=Yt?8TOLMxNhm?njKaiE5#544`TM$i`ip$1~`
zbe_Ni=0bb0v&^}6y7Y$puWIS_R!>z=xYth2R$F~q!4A)*>OBEATKI@xa?*9>Xkk({
z^3rB=w9|7;c0me0U$8ew$_>+2u4FLm)iT14xKz4N(XYCj0)S<ky1P5Q_lEK8d(SR`
z-ty(Ah)KJrm*>}ARO=2>BjeAzTVq#(>O0d0!ozjFI(uFI|9Cf{fd-^t)K}_(<wwz4
z(k`Q%oPRXa*lp9fTyQwd4-+y9>IMApR%3coNe2_@tLznwf`C0;Ra;wl`^$l@qOY&?
zB@1D5JMSe)DFA716`PY>s01(d2Qra7B1JmbWv~0@21ZUvurFisWyc>_DZrlZ#Tht0
zaVyB@Su@m0Er~~li*lzd*~NRZB+IGcYKT;SH2X(Z){-ZhiLGQ8=S^(?^|Jg@h-0Qm
znLi!Iv$4W|rM}kv!1oV;3r)Jd^9Lw9eC~KW6oMJ_1Eec%kD}!jQ}m)x9Hr@99jm_<
zFCl7G3bJ^U`DwAdEOt(6v8>%K4qZKXcCRyqGwbxHvgqk0(sO4-CLirtrpn<cXsxmp
zD{vFqxvefff_-O&m!gW_-sRDis0VZnh5q^|twK+s&&HQDZc<%nq8}!y_(K95P+4T2
zwbB|M0C&qu$WJcHOfC&g*01L!lRr7{uL9$+sDFxMDvDKy!kra1V|nh!T5sBx9hh!W
zKC04)VE&E{GUXT%cjn57nM*ri!bgBw=-^ej|3~idskKz^cuWwY7F|<3%quDb7xs?s
zFUKUVB7e>PSJF->j->~MAnZ1y#JL*i`C~#dH(-K&7XQoIA+vZF*&`XMaj=(PtzR)T
z|CgXFoaCU3RQ5!|UTSSD8X0i4>&+|=w#`@4p3m7m>KY;2+`@&Q3=*>ZirpM({f5@6
zZ@ijaVev6#(g+gQI<c^#e`5HU92aYqnB6dGZ`x13po!QD>^FrFxG<YMP-ueP;m)=L
zlmM=@hiRopFY&9Lcpu`}tMkY8B)fPicZo+cWNkeyx=$#{5~<~=LE;!N+TzkBgBn@s
z#cq|yG9}m9l}Kvck^f3ZOVnktXA4wim0^j-ZR~U9+(hI{1N6@%p}VIH|3H`3hLC8K
z&zK;f5e(y%dRVP;on#&_qQHx+&*p?kuK_Iiug@K?rp>94O1dE}j5e#Y{t9f$+d^zb
zMGPJE%~v<eJgJRE60Zj~e`>~z0+IZ;La?oC#@f2cmJlmCbvib;7Fw+}!#=cUg1VLL
z_3dJ*<$JI{p{pv27W|J-kQ1DEu?p@k69q_Wg}&o1zu1Prde@<#Ykl7KJOZ;#GGJ|$
zWO>*D=~UHizWK*-uP)lOx1%7L4+?wJIBoBLY7-ylbiz=Q=`Tpjb;F_%(#%h(O7xZ=
z^`-fKq1O$^p+x)hpP^wdYx>5JT?0|8lF=}jal1wn`xeh^Nkcv8q>%3jkL)(nZ@U_}
zD=U+dAR484+b!$;!YZ;PS$aDU_&@u$OmLPXO?HQ*8`&Kp!hYUBDvmU%tS)YvO1qgm
zFcK9=<jtx%CwHg1<4M@$${^B^(pb}Fc0X+7c>1ni&i8e!7|9GqHUQ@l7Q75**-?~L
zuQxeZ{Mr5M)uMq-bm+>Fa&2j8L2gT|B*_1#)oqGrjo{Wp>osqu=}(JTphdz5nZsp)
zPD243>!(duN<)2e&~)U}PGFV*iy7(WnZ>yhGcpmbhz8^WZF?-SiF-L&Im?tYT|cxJ
z#6@8Vx0d0J6|(85Ha4uh3Z4BYR<@E%=cswt39#+WYln5ez=8f%`4nCIUMVHih#%It
z-cL@;4%@bH4j1<t_@wqY0G`K%^shcF#vCI8=7hG_CWn@$I&0np*`a9v=kYz&^t;Y4
z%P~!#-l&b=ntFuR{wgQ8h4*t&#c`4#7=-RM<}fhF#fHOe=jYQXcdgnK5}D;)WBWW_
zTPxsO-98P3s3d)XQC9^S79bT(@tr~qdR)yyk6#6lT;3M!2f@Z^0zWQKEtjjmZTwZP
z{51-xOH3-Q7bv~2fONpE(r@OXBPFa#SlSb{9>HT%^t@i+&(&Qq3u&6iRcRaP327{p
zy|nIA0FJE|vr`KDMXn1iSsmDJLI9ClZJB}QYJT`fLYaEjrtmAL{HOE{vjSG-Ls{g6
zc{k2AFNWW#*aL@>wt%?O6^I;{Ec};UHHpEt^I;7=_qm`OsqAEPPK=6W1`M;)%2I|E
z`w;zd;f>*%Sz@~-&LbZ3JaQ`J2Ko}0f<GIce36VG?y&eeWd(0q)R$~e50v|x>#e*T
z)JvUHQ^`d?PZj4hyvKpxTW)h^h}hu=TKt1-h%gK=giz2ccmTz#S=oW~-%*K+?TbIf
zhD~L}JI@>h<lCT_(VfqY@XD+VswO9umDQX-C#OkdtnW}Rz=AtprF)|G0VY=7j+ZZ+
z)hs(U&J?9@KsO%FVa&9ysV*~VUOOg_7D~4of^O~=i~1>rk=r;mV~E7)#K@hE`Bp$^
zz&e$cU5qP&B+vl~1fPceq_$8DFgI<JqqS?{zFiQwG7$%{-9X>dsSBjQ683jSGN+<k
zpku~vRr$bOgpv2Kw$j*=Q%?p{U(9T2hoZ(S7@}F}%xSTd>P|%5@+Ef)o3tbZ{bde=
zieb1y9QK-Aw4qbH64WH?DY~}_4{LGF+Z*#|#CpMl2TXkOVm1@&@H4&*JMtFz4f;Y+
zBSMzHEx{Wj4N3$$c<I*S|DlK*a8cHO{we(>vyWtK)HYKGj)d{NFDV$T@W+H+W<rz=
z?~hu7?iW{B+S=f7s_e_KuMEQrK~xregt*_+Xm3U8L|Il}4-N7^m7z+mMbH^&#~%uz
z5c7qbp#U8bCD}hyb({JvUXo@{Q<mch9?^bW;BdA!q;(ASESa^h7J5-P>Go)ZmdkAP
z@gP3w@+VtrB=+|!a@P6Es_wH8qEeAMllRu7-^q(ikJrRUCYH153_fS8{h`s}cJh{r
zCBqzmuE8Q7dwLc+sS@miOO9y^-16uXaPJAzmI2BO3kyM};fB>??8rmx8kl2L5X0AU
zf*qfEP!`Z<e?AX)<mrmm#+&+ny5;)AB+epj?Q7qa%|GP9P8n!RRSuR2j0jXTA0<R?
z<wU;i#6^}DFn$~spV<hyTtriUsBaC;I^6Ly_Z};{!k5|hg;%W(hwpA-r}6MGna9&o
z&;o3+u|v%3YI!%A%mqyU`kRXrt3FV%qIo)>-i?`c__}t7yAK-0lm7AJJ~%iu^}P0b
zMIhg*4mb7uceiL;+x3IQ`1{dq6*k_+B+{8#{N;-XYC0~f&M6GVewN=4kxmd)s1{Kv
z-2TYM<R8_lJJ#&^oQTVJxc@l)P@s<k1Ymv|B(R1EB?L#4mk1gOBIEr(<YX)m2wn@E
zXg~z4xvj}12W&+?MId&^5}Tgv-j{TZ+(T0<v=&lln*Z|hP(71Gr%Sd80ujQ<mG)Tm
zTJ}1qSYcm)^t9}S2pd?>ae_Mcg;lL~CbxQ-C0(m9hzDoax{KZhguhd;-iO%y^SZpb
zTiG5F{;rAt#1Tt*=jB{;yScUXw%@yHlZyz%#@()UOJ~)76XBcLlwdB|O!&<36RelR
zWEm|AehM<8R(SUNuGNW*nny~~BcS_>Y!%ZeNBVfJd$}&*UJ3^Wus9if{rfsJ-tFz|
zadn~m>{RZ_mXOAvFf=%DwmY`}Qs#^@=k1Jg6t<-J*{vcgLDmjON<3OKx^`swRNEdH
zl`oz5@pZ|8F(r^XM`%fhX3T1MI`ZJrG+KSV3rPGnT3YCq(M0CJEbxQ$*+iCLy-Lae
zdREyz>xNEyOyem?DfJO+q{dUm4tv<%72ij``i~xiiwE{o1_}{6t!d5^nLiiOfgVLy
zE1=@>6TC(e&E@T3Myshm%7%3;5j76Xu0+i+z-$~mXU=4{p=mg8&LavUQ;4>IdQ}R?
z%Uy@f`)RUoDW6ztJ700DF#+d_b+X2wqQS1XTcXDjHzX~DJ0KT+%5~M;9s?%qPBw~Q
zLJOO+{_N`a%sf-!bbbGN;vr_uCQCSCx?Q6<eEwd$rnHrLwj1>$9j5MqGPM=3Se@X1
zEcVEu&LfD0<aZt?Z^|Z-ZW!(#8k{o>q!@T%QhyAyT@g6EqnI%pDx-8l$d{JoM6#zS
zlorBtYk?%zwK)3`wSgxyNM-2FaScPoxh0P`O^#`@q)~#<09`jWigIDP^o^F&4I^b_
zq040`N&p3!KW>jJ)MrF3i7yCnku*ah_`)t6l&c{>E~F>(J3Zdi0#`A!c_F)IvcS=)
z_PaJeXSTZuX2)=}RR4mVL%&N>CSjsgFjBFYJdqtb)93FL{tC2ow~XpWKL+bWnsg-z
zOgK`vTnEh_cJKM=%b&O2$w>=#p!ed|jZdI_6Ku=I1NtdwB#E0O=4B>;VFGJ*sUm7i
zoYD@Zw8K^0-r>wEGNEsQ0i`<xm`R@lt0lt6aq|)II!a>q45C0%HfSI?REs_O8F_PZ
zyeJUn?NvQ>^uPq_oOSSfMMi?P8I}zOa<8UW1lXKb@7(gzOVV_IZo;GlJo%PBo;LT;
zqZt0eBd5{Wqj(&|WU>rkPF$r(1?HWk{teaxWzGzv5=t~#=h3>hQfP`Yzfv?%@S+Fj
zi-w7f5-P0~y;2b~X7&Nz<%td9+?~Aqv-0n(=_Ne^?7I?^C2crR4N=t>ONAkfX}{9L
ze?{6+RU@9=J54;#2`aM=u;_7CB4-Pc4BW#ARX*!Mb2fwz1SbMB4WkVfRlXDfmgTGk
z^|zEc5Uo(Q{xWqja^kh4;(e3Vdg}{qTGCh<bJJ7+mXR1q%)Dtb{VwFk@|<9yI0}#|
zeAyMkpv65LmRKLsJBpz{Xvb|+thwen%Ly(iIa<=}T)X_*k)uRn?Dzb1K!Dk|+x#Xx
z<SmIBL@2FTYzkbEtD_I-(P}CUun^rGVWGb!TQS82nzviFZxXlRS*s!7|1C(WNuSLz
zW8LSe)PZFQn`j*MX7G<g8fJ|<tj(+tFL%<WyCU_ObV729iiQ%zPaG*O4avoi;3#pZ
z>UgLMF}*2!U4(LA4<@zLv+YS)!wxMbl0@nrZLv-j8vweovJi(j&+y}Rqwun~<UiBq
zFw-y_+ZeN#l0R?`VYtPAMWf$$B(kE>-%AWzis|OV;*dTA%wO-)!XAe3hd}I*TVx!1
zboY12J<4#lj2hQ(cq{bzh|W(9%dODqauL?2G^s42@l(^^h-a>ILw8-vJ45)0QiglJ
zJi#U&iUUckccq?hQv~cK6N!}BIbwb}li;|k0);5#q(Op~J)#2mEPss*zjBi~VQ8=V
zv+h|)9?(1h<@$A0q*GZ0hta07sMUG(P?Dz|scAYO`fxriBVNnmM+F?z)FYfmhc=Hi
z1MSp^vW^y~gpypQq~|&xDct*5BBZ}1%HT~wJ)o@RP%v~oUu6tu)p)Zw^U&|N{MBjR
zmgp$V1&#*}B9h$}$u}lZ%m8080&U_z=aN3llME%dSAk4E4+hD_2;JKDay>GY=5k0P
zjByUvJ`g&^iU-P^%9Qsv)wJcSW_GQVq<c=CoLT+vR4;ecu9?1|;*z%PpHkM0h<*CL
z(7?W4IEgz*F>;0~f)>Mci#QpY751oQN}QD0iT_ivc!7y9ql4Riih~e`Ko=j3I2LWI
z7bwE=>Qf_KqxYoHqBsiVn&l2kqw%L3i<{rW90BTk?3z}x?tcwOkNdWfi1H)v3DLH_
z0;TR@xY{0Z)e+H!)Sz7h*db>BjV9J>{sc_fBFFY1L7eWfO=zPEQ55?UZUnw#S>Lr$
z?l7a63c}otNb|X*zl(}mn^fgBK4g}l2LS`ukGFPQedw^iulvyLpH)&^O!S;)Ab%EG
z^@$<H91@m8wu;K0_36thS{HG%m1NvGp@Y`6V`HA~<PlzXZWBytd~#QlL2h`Qvj9!j
z3nS5_gfA~N7so<hB<)CG4`eky{?^dyr|kY9+l~aMKRzNdWO5l)Do2C;#1#j-PNU!H
z8c&n*Ahr*%XjI^H8+SDN@%Bp7Vsp(5wW%pEx+;H7)PJElhGo;s{MP$ML0=dd=U0M+
zfSh|)c0n|S&~aFy{p&OYGccHP?+}RX;`D%rvvH5&gEYF`dG-^6n7YwpT%~!B3b9QL
z;^4l*F^%S~(!5en;xyrx--gWCdCCubkD&s|!=cG%{)(1n%N`9QPq8O(z6t%Y2MR^x
z{|C}UNejA+prfOE{CZA%Z3olAHUu5_2sQg|g8qskx$zy%K~JD4BkFsbXFos+59^uS
zLi3(OHPB&YqDh6+PWF=k4{NB{q1Qq)HPC50lKB%nt5ge;W#0jQRGgKXJxfd@!Pe*y
zUdRtI62uJbZNy(%iBM^in~V9#K&BA${mi*k1aDe>7wBF1%a#HxoJ5mc;+Nu_2U1+v
zE!ZRNy<geQEAi%)GbUzG#ccq0Mp7L#$5^9i>Nc!`NlFW6x${pcL~l9nBlZew&3rDH
z4(O<)3$X{JAH{^*n>u&{-)@?^c2=RM`OtnDw%6gNjFat=F$J?l5FqJutcRLM2h(}f
zHg|rZsW9yyLe_1kSfQrvSlGY$C+2D~O4s%CHMP1(fmToaCv%Y!=79<j-3*Ba@d6)T
zJ0w9ft~Wdrp<i2G0Of+!iWdd3%e){ufLH&y|Iw+YKkb*ziTHLZW=qb@)w`l=C*F{h
zzoxJRPZf63Gs-4H5W>j=f+wLCV;=pss!U$ymW^Gax{GrVs*jILY%<KRU~FwRle-gy
z5Cp(IacxzF&N4Cbk);t>iSb2%+R+jqJHCYb&b=WvWUi~4v{p$6o9pr@NYzlU_&qBG
z)}T`Mt^8b7rr|e7;Y8V(e$@T1)^c6e&l>6w9;#!@IXS9><8OyAvfH%MWd>xSMo*=E
zfhX3%9`pM0*;j`wm5n*kiR(k_-i7B`jGBxiq3&Vx4Ozdw;D;IjIHlXo11*j2oUX8T
zO>GbuMlvTrW<ehpT&nI3^HQ#lG@GHyBJpOjB$M1l@ha*;VTfPbAq&M?@=lmR%1;Wc
z)F=T$b-PB5Xsnffsu(=8<D3X%F>B<mE>TJ`)^}t08QcCqIK<hh*njT3Qqn?RArN<F
zE<6%PN%GvCyUUJ%Exe$SCZx+Rb~^;AJXc+$ow3v$SaR)c6KWHK(WJgi(FvnINRigD
z-~8$;1-}XT8yM?DleOl84Vbrc4t;oD=?5&3C>|ZuM>JFr;axF{)sNF5z{SVPWYhik
zxfJ$OF;Tb32HNOG+3H&99BGjRb6i5PLrXhOI`HfQ4AIoUeSqDT>s(g^*o+pr?er^K
zJAC5rB@GkK&aB867N&ZAVV7dpcx1IJF?U=G#;#>M2khi=zX}OS2<b1#=xf4j^nPt4
zqa+<lv4e`p)*^INwU^}y0)mWvBk)7jI&Eg30)+8g!8&~|(p_8S|1O}z9SHz?I|*vy
zzs?m85Nb7md^v;mx{jTcVK>x#MC9lap92-M^z&@^K0l2Ful*K=?*$fw4}ThgB`Q@*
zWOy5sRPc2!Cu8xU0++yg_yeVsD`~?Df@Eruxo~uMHFo8jfBAVbBWHYWt%#j));~fH
zQ7AoKEmE}b3LYq^DM7nus$fC#FZdqZ-ZT+PKwByBih9)p^Q_mX@(=!<(_({sk;Lc~
zHZinQz&(U~)4Fc}(}HPZvJbl|02idQ3t3XL?2^S%rp8!#H?8X|AMT4?xL^|7SX1<L
zx6k-yZD7{&3CL;1XRBU~*CAF~5%|j!EDAsGbX<gdiHi83{G{CkQQX89w=`*GTTb2j
z*_sp(%`KqvxLzwzQKBvRH4Yv`vQO+4#I)J)d7eDMT;9ldPLLX%M+`edCuY~jnh>y4
zp!=0g;5b_<Hrdl4`<X=FQTmOWP(iSxCttP6ZtN8$WTf2D!SVN{P5u!d>9PtBN%9#{
zz3>A`O#HX#gxSTXC_&QlBeRn~r7VI_M5@fdl967%W2VGBS)*@?oNJ3!gjbS*F``d|
zTDGrg3qwFqZ+Xk3L;z&&_isbVnJTU#Y5jZLpWi!{iNRniC!>N94-cF$H%q!t%=cq!
z9&qE1pQ*l-<`D8Y?F)+Av~kXIgmq#K>)0JFU1)GnOMGcBGwF`I14wd>QHSlYY#-!+
z_9L1~&bRy1tCQ{9`Tq3l)C@_*%RN8Yh7~@^&8x0AHA;<8)KgoGN1Zl9`(9)03oC7>
z_MGpIJMj#Rsy!&vd0tvpcmq|)KF(7cSTgR8k^M4Cdm;%nb9jRd5x&1KU%KktTC*v4
zA5WpVJCUDsX0Jox4b-32Yc^fKm)8jcCQZSaDGp`Yx-GqhY#3Xa<rvFbjm|YPc`B9;
zZ7*ubD>hT~gmc^>Gnq8JH?A6kneD@~orwb&TXr-QTV~;eRQa{S$Arx}Wu<ZbHuV8A
z^BQNtgie8Bs~hUgFyG)lGfMOpVdjQDkMAFrbL10_yN{gNwjl>D9uEF~d;NtC7{+-p
z+5$4<NcYWWht~*suu;MWN>y?_KjNTt?^K!`r?k6gwPbD1+<USIm-!uU$ATERxtS`C
zQ*igfS!>Z&DF{88i>Rk1O&x3b1eseqSy=+_T>e0(hpw)P^`>*(tlDeEa+sqfoBUo4
zE3VQ=MRHxx6(@I1g%!4QI7*ub*5Z~@#j+GHaq$1l1RL-hW0uGaVlZYGN`&dGq~X#Y
zcjmCpvtMYQaITk4j0lYB%8pVpni~3cF+u5$*Ask>Y3?o_x^Vo1u&NGc=redXK_qN1
z?fFiW%`pzV=XjUg8H7(-quFFcdHs<4LaM0mSQQ4X0H-+d+r6Z?(Ulew5WV6;nLR0+
z<zuB26>}n)csywAX!rcwadkh%(XrM~g0tL(;Jc-lEuoB|h<&J}d5M#Fgns9~J>~Fi
z|9hKx_M7IlRug6oa_i!1-b^>~EpB>gjp3bgciOhGAAj^sts}c666{0k$JxUB?(XuA
z8gawk{ePXA2Jysjj1M`Mz-hxq1IC~F;|wy9_6Foe%Q%E5%fA<}x<A>}S#09xc=ZTj
zn$EqXRMPK8r<q)BF*1<u@T=((<sR<=(=W`7+ux7k3Q35iwne-zbbL6uh^YdppIELq
zU6bj01VExZGNmajGtVNjYuu(Tw1??f?K6}3>zjdu`vu;7tHU3MGL&1PAZHZ2;2JN}
zUX9S+oU%h~rl}zWxJ)-Dj|wB+6&*!z!=2W}pG<@E)aurmYR*(fD<|m&TMn^UF2utS
z<;ACc?dfk1Zhhef8^x|12-d_{tM1}N+3n*8&iOXXOCnJOt!;vsoz9=*lwXd!$e57}
zEHg+rA_kUf|Ayx)06*--^Ugsl0|Pn{x#t-GUsF&mk^7#$YxrXGGz>nI$#&kE;5&)b
z=jU^cGj`H|4w76aTk~oeN8j_*X)k5wlcRz{x=>^UKkzR_yiOa1#@w{l$N4pP8^q}N
z(il+_iMzbnhU1jBwQVnFG@4$dT{r$t{WBZ=+C0DV?hcJ!pwzgJd;m?a3!&<-(J|`i
z)10*X{of}3QiY*10wWUC7!rF<lnpl_%JojYxo^j%FDDI#^T?hr(37=r{ShdSiC32)
zt8N!=Z2@D-4{<N_*79L~O%nK-qWEH_nB=XC2vr?afOVmub@T01Z^G=*uH$Db;?kq8
z$fp8LowJe#fN#HyaDCqy3j1bKgaoEa<W9ZShSnm(pYT)rKoJA}8dtdJt=3n}f&KFw
zGnPx8)_=N{Uoc;ycbC3-|BD{<>aKw|v26KOm(Z?59-EpPy+z`htN;76UKNAwS~}xZ
zC*t6+L^PZY=nRxX!+w#1W4KewB9qT0L6}QlMpoF!2|UuhCH4Ck-XE6FB|A^B`Ut&c
z&v2<b7UT0GUrSRdnaOaApcb(wCU@SO#HzL1#%vNA3FpJuY92a0iwcI=8;?ZKNip#C
zPiJmCvY!CZ8JcN<lHa{hDcGWpUYwxE3YQQv(v@D2^WQ_Z+R_D--gyj{TBwFD24eG9
z|EM0H0$=a@<P6y#!s~VyT4CPpVN>4ztuN?&H4JwG(b}neX~0by(1nzcY2(N$#UN^}
zVm@lid29cnV=s9G0YnXk4W1#wJEe>BJrt3mSkIFJIiFChH&sJ$>x|y{GNu-0w<C%M
z4yWIiWjF2LOG2tfmOXYuMJVN3Y}X`=|0YQz0pA4bH|p-3pVf-!Sj;%ug9ULO^D*eH
z6LSVW?-xbkcpE@|g^TPt8Ip9_$1{HA{9YOLQ(h@Ld*!~<=DYUUznw{qbsBDr#Rmo!
z_W~TTEv&%^S^bGIdPawAM69w$`uv6?|AYOksrdQ2-L-)HP2=C=dmoz*SBJi9wAu8N
zI0wNYV;<_@_t)d2FuymutKG6g*$~{#S=Er^n9mVVPwVeHi#t20togkugdP5%iNlTF
z|8QjxgMMMP8^MA=X`J9IPf~DQ6(X?k#n72h8Y@6{S5zu(`+W7Ln^R0btTapv37wwo
z8e?*V*t&nS#cSDd!+6?LV-8etQtiMs>f7)+GxJo?{cznqzSr;7s)Nrj%+R=P@;X#?
zWe-04cWGxPsp_|HPsnF`<)mN1uZ50RK8^j~{yxr@<$t}yWO)^PUoc**`WFev*gpRm
zTV$*5$(Vfh2~*rsUBl+NrE1%lL%nUyp4Jihw{ysc8Jnr+?HxN-)EnpPkrq$8p||Vi
zcI(zuSRpFnlkHA?-5hsH%`+hEK2d8^?4-^M%oOxw|8e1TP>uQa_I$U{dl%Ic`~6$Y
zMsvUE!B*|6G%@d`XkM;aQ&0@xSuk>CFKp0q3i0jeaK6g4<I#Qr*Rc>rG=S4&`EkhN
zK4|8si<yDTHrdUFQH_T|O^*zE5W1gHNhvhiI)M1_PiTNp{JGn{;A^dO_Vk<E-9F@v
z%a2Ko_e`NDC846;mmaO>$1UU2OD=ff-<B}xX1|VF-V#o2yZpZ0kxnWChkyJwBlh(&
zF#a0w-l@$e1%$ojZk(AVvg?opdq8N_LrOHGsQKp_Oli9;M%FMJc94rYmXk?`f@yJ$
z6X2DveyT7hz~)Ax<cuR@*?nTMf?z_d(9q%$^!}~cHIB$q^_IVyd$>=jQlk~Nzaljy
ztpP6}#W0&Hd!^(m#+s}Mu$L-q>^+$-%18Z8IQej0OQx1%NP0#lS-*AT$>bPlrxMbq
zGr`$&)+^EKW&V;F9Tj(@k*f5mo|{~Jso%pvzuq{Np~e!C7sKH%KjM6pYB(vb6vItW
z;)tsl+o!q5`W)j0Ro0Tv>nOU=5OH|^8fvm*^<stWzyztXE??OOWHf2uJ9t2*#AE!J
zfXHc?;7C&1cV-*xH~GWD*q-vz8|anwd1LBD?DwN+pV|xk#1AgHeFw9COC)~&V6AwC
z#uhrVvF#>gCTe>WqzW&+{*sON_)S|QUN2c(h>8p6(9Ol;o7!*taG~?0EZe+hLc>@#
zdeDWPnguQD_#qb10DWxPfe|A-1GI_!OiWSKft8?Wwb)qj^}?9IBGl`8wZD?6=~ivU
zpVRyqnAbmc<>_~8_7`@@;Z(uZbW;avhCwX28o5lZScaStxIN@7uH$!cqZa)TI-R=;
z1Q4^7o_-VL?b}3X>oe7J-+z5WRydFj{aVICUs`C9rfH&;45Z9q`xJ9f$9iKlsdFS8
z+eo9QTu0R6n<Y#y2g&WbU$W-$*e))8O8SFZmLQFOd;MlwXcDzj-cME3X9Mn|D<UtH
z)Y~6q8)R=bv#ptK!Mif+A(~oqI@-}&X4$D;nfu2V{rxxNp0Q_hQ+-$8$L9ai%kuDN
z%tPR1qzULb1m@LvNf($Ex}YBD#;|7HiSyW!q&*BCmgB#C`}gGRBL2(VW-AuL4(5TN
z4Rj#C#)T&ju85e-z#AX3(YKC5hq5u0PsZqgvHp1di>;F4lG1rWM^E<>s$-m<^!(-}
z5<bqTY*EjHag+3VU&>Pq$06?vCTMgC9b>?XZ(!Fg0h-e?{E6j=Zu)}9q@=7dCUvpJ
z3CENph4#FqZu|Mh4Ru`L!>tc}M<T5Xx%&GRoa1oAGlW!pby9W<3@HM#F)f*6cMako
z3Z=yg61MWo<Y?mdGeC-`*bi~dNEhhNJN+<Tb)z%4%+EtE+_0o6R%~XQu3^}QOezlh
zq8E{o02i`ce_A+uMHop4q5{%<q0~S~@whZ%u#h~MnbPv7#EQm^B8(jAZ`qa)Yie^U
z6@DrA%6jMqPJ_O>_x}w@6Dd0*YpD53Y6)4zpdp2zfX~ukwizE3@ebuYJWu15y?E7l
zqimc&F6?8Q(VtC}vaqKBpJ^k{L6-=X9P3H}&?I3el)GXv>#_Zb)lNltR2;>2dSHc7
zCDWBaPEE^TVhAx;ld?V7Ak;g`9ev38+E=D5s(-+E;l<rUk(w2>=47;5Zh?TsA%TMZ
zWLJW16qoc#tN(uSOSwmy91OuoVdUJAQW<*^db*^-UV=t(a$ps_9G-c`+-Nfbukd)k
zh2Q*#ik~)N>Ujz8r*7hpm9=eIFzu9xaaRIwV#(Mw(h15XVWyy5(H7e5(nkWrcPCv~
zRq}-)c17HU53DguY{h~@nH{M$V8_Pfl;grpAT!-dqV^Wzc<K{MT<_bA=Y^gz|HCl?
z6I7#t?>#A-!oJ49fiu7)VD4~c@E>qLI4y~}Xf_1`j2lh@ZUr+pnT2y9fs0d^n+B2=
zA)01WGoWD@g<bk`o1C(kA%G)MyiUQ!98cY_L73LUGEcljEM~8HI-XfO#o)n(>n+t*
zOxl&`4Jnbo*Vj=oACwDgXS_mJud%^u6MTJ_)!&oJ!nKz-(@ZhN)jBOr?H0r`USA9Y
zbOY13A^*WonUjUED=P6QTq(9v|4qJu|KgyPQ-YY?hl@)fO^-}?ferkq{PeexPUIR^
z-c~yLA+#eOZzV`$K<e20I|)3OOLc>|Vp2@zcA5UqnL%$t*uCmT_JybBdGQPWws7>E
z%7<B{Fvqp2)h9B_W8BxLoi#gMZr;`h#6)eRPszxOy3CKqnMSS;r@WAH$MkX_Xstbo
z7L9uC6>sd=4b*Pgf;Qk4yK4!CSo1|X<(XRsepvH)H0hNhsnQ<%nEdT5M*OYh#eS;S
zN0end`<T_7$UB+~*(g3s-Fl3e-_KVn@4)zS>7kk-rg0){H0DVk-Zy|bCOiL42luV}
zi+Lgc(TnIGAzVwN=oY&D5kkFa&S6S%ZlZFE_4b*#zoyaQYb|Ig@z&DOUU0nq-C%*<
zs}t1!_!S7qyVSFdA6&c8Ch6P{s-46`)Vf6qx<x9}#*y?mvb^Aupt4A-wBy)OIn7Gl
zmaCFsS2y16#n<EgSzl^jPY1gtaj{dwU#w{e*4weuHH@0yfX9Z%U-&ZTZifDF^r8@d
z8SkFJ6T!~pQb?n6KTUsC;jP7?*)Z5}u~eLwYd+2#$=T9{u_D@UuVx>@8UR>TR2^6@
zvD<E=xaV}Ea6`(tq6}I7^EW#KI|~@~$!o1OHM2=h6&KYABmw9v4@E)x(YBfx8zd9%
z_1DE1^raQ+goXq0q1xZ=q3Ml~{=$0nHY=?KDtNih2StgnH3PPej8p$?LP==%b5V4<
z<aFPDC+7U=9Ku^*CC#gcj0EUlJ|Pde^X29a-^b|Z!qH`*-a|scb00*)5!(0VOP5N%
zl3r(;ZWFt-wk0s#G|yqKQLN70g;OXlb!}DMVfp{)+mpgEx&G!B{tSDeB4{X4AQ(G4
z#arV=%MdqP<EiSiMe^Dbe`PlNgYF>}B@tXz6lN~InJD<3Cdt`CyO*-gSERJPs+o}-
zNb=b_+FBd9s#qA>=g_0QO`+kYH|kAzhWn36Hn9}=!Xx}2emuCoTmumi8U!+SvvhE0
z1t(Qt6aN2s)gOed{~a8_LKPH*|3k6_fe8NJr2pQ-!M+vDME^r91c5&Ih5uLB`vf)-
z!3Hl^V1qd-2_O$?{woq!VuO7?#4uiPN~I{InFx5XQVfz*9E@8<O7uVf;6b2|U-AD}
zAe07cRM8Oqk9!LOQT|`aAkdZ`*yJnWhr>(ofkOn4-%S1^CRY=H?LQ;|OE6Io85r>c
zppa__Ai1r;B%vRqgKBK>(T6Bx0}iO62GiFPKvCO*z=<hX;Q1Qt541u7JJ%pXdfI`Z
zYpKD7H3U$zp8rY42OHNiK;3(Tz}u-<;DV3mA>aR1Y^RnL($OD`QO8L1UqJgX7?uyt
zI{N>or}1CGdUcdU|Hq;}GNAo`GMEA2j5;Amg<$YfohWooC<p}pUP$ua-pke#KsSZ|
lHv$XXRgC!GNN_y?WM?F}uAUBs5JU)4`Z(jzAN`*i{~rT^oiP9a

delta 23806
zcmcfIQ*a>78!-CVw(X5=+uGQ+t%+^hwzIKqYqPPrNjBIG&i=pe;?${AwU_VB+)U3i
zUEN*XJ@f0Qq!jFU9}HVr4jcjl1PTNO1O$W>1p7`FbORIwWVi{N3=Ejj*pA+2M)7BQ
zB#t$ZtG&XKrFDKP!lrp_Zqz-y9KqYRaT8<Pqyh}JC&Qb)T5Jid4DIZ!=XiKa7OkAy
z+RDETOK)|{>ZQ7>6xQ@E)z^(AY%8^N6q7(z40uJPZIDLQ98Y7%Z0iftskWBLy3Oq8
zrK)>c1<4XGlqHQx!2`L1reDBUY^_ub=1v{Wt_e#Hai4KaI$r`2?GUhuJI<dCCT00l
zdUoe8tLQ*UarD8di|*&DpefjP*}Ei<FXI#zD8nKPE5*!gr%>EYV!0-Au_Q&2Tt477
z1W8ugvGbtAP08@^s2}&lv&bGyDwl%{D7%SNRulMdMo4dbWdY+AxER~WH$=O8IfuBn
z>qDR8_bz@!*0ni1TWgVS-yQ0g2eaf?cV`RI_us5{(u5hGQSs}a($E#W5?KYyYRSg=
z(jY(QNb-E~Efy*=`64SFxbr}+HzD8R{AHzjNuQo7I8@oTF3-Rfp5I}%4vo#?#!byC
z382~KnL^I-%D-j|NF!EB_(?!PBHY8*F8F!G0b_HmZf7j!_JPtB9x3yV%ci+*f-EPg
z6@A#weu&?>Vg-G$^3yKKO>MGMVvzpS*DA*y|2Q>geJ8RA)I0eyagPj=vQLH4f&*a!
z4%oMwkibBIfcV3KfFS?velI&FPe&J96Gul|MlXB2T8(XoL(adwzW^wQf&3|zUKvdf
z-GJXr?xIZ&+b@;rU^ZGnBScLSPb)Qr9{li)xaV-j|F((8No(NdWpOgIfL);ZwMqb$
zk*3C%m$$<$ZUuMR`h8&;=vP2ATn`-q+~egmQu06KLq9q{AC$1=#)vIr1#Cc+WAY88
zH$%&5n}gN0a$CYz8d)uShS0*_1~Cw+xv?Qho9Ps`n|Uq5tm_(3MFZfVa^|fiP0|_Y
zRHr#$s43Hh4KZ3#bzAB9AnS+ToELF$Yw!Xy7n7$>vDDYA>3jStamQQGW(-IHC0*wi
zkG%+btE+37MmINg3AQ<ioN3oU&h^rSE2;FTg)i8(@%~PD$+j-{;$IOwYrRfGYI*r;
z=ZFxrg<`{nb?P)koqj+s_7HOE-WtwW%iOFjtvW6HjiyDbSJ_fxu})S|cq`owB{EFb
z!1h@|!RriF@3dVBbN%7tN#I5RNS;(^VH=t##5Cj*x59rXOjVB(VIhdu#!VW+Pr)7`
zNyE$pVOf&qN1>*NweOiLDGg6Hs0V1zjFlRjxGXzO$dQtwQ^PJCFk_8;n{<+);+Y;X
zlOaAYCF2=Q0rx*RG<!jY8_jY_gjLi=Hx%l3N4Y!Q*9aq@<nZc?Z6HAdxL#lnz!ssy
z?Y9hq50lvH*ocbH;hWLMJD}qCA!u3kI&yGA92QtiG7)=>@wA3t_;7~#jK}Uov2qf>
zoaNt$`X!{-|Fr22u5}W55QxLJePB`lEZ?m6*MzD$@Q|8Ry&5eF-@3?O<I#O`8~!Ok
zd2#v<5u1K}AuwycxJ=j&nBJcBq5M_`F~@(kL2DLPxjbhQ)cO(ieWOujh2uMEbF2sf
zMfh&pq45=u^;HP8Isy`Rn>)t0wqA{nt%UlI70KGt%@!<J5n`LK6k*|4`&`>Wy!EmT
zE`1fY{OVE<(*(48=)&};h%g{G!dITclDRliOx@5-e0A2kzAmg40LSE4))05-lDN3#
zuiBcY%c<26aZMv^^pR7}(!n`(LDK7R*{9<A);^!h{V(RT7t2hRi@0#}0er3@@DF<f
z$OTA)0{f5d>OXki6XCysT}?~ssp;nkgEre4cE;Bpr6t-Ue+>yPOth8I|Kfxw%`oru
zKEUa>-V|4aza6!%034X@Ri&zOdA<PO4efuzbpWs!(_pUN)6P#YkhbzC;4sP2VQ4IO
z0u+3AZ$ZZ(5?m5h`^6wDLTBH?u`A-&C4MshToTYW|9A`Oh;VFoM5o7A_V_w#KVD?B
zJbUHf(wDzcdGoasVZ4de?BU55-*Mn~a_%>tUOwl;yUSnKzi6X;8<Mxr{e3P@&U{d$
zDsB_T4$rpj@5i5D9*7CMkiOaIW@YPUJ$^#{Z_0psQ}ZsP{JS&+K(^$=e*p#LMwn5;
zZ-YOJjvSUf-1W_udm|e)^#^UGD~Rn<QfF$n0LQbUw#E^;b4q6P`#xm0tWDwoH+=t~
z;W50yC2nI>9P^kl^<e*8gIf=J(d6>PIt~&o<O!tL>)8)P9hnc*HHC;IO%@t0g%ttU
z_-ZHymUcoMKuxED@^#^BPYQ5B|7A}**{<_X&ES2Og&RGD>-f;0g5Ps|pAGiY%_?^$
zs}dnaU$FG_6Kg+K>af%5!O-aAE9f0z+^~Gj#u}FG(o0|4Z(=z>6xdDSUY%NC2l?yu
zv)RQ{>h!XW3YOB0gVQz{VME&7lzUPh(4&{fv&zKmeY7ybf3GoxI%g6&MT$K=%Wb6?
zvN3lelM>Gv3FWWl=Qu~d+S#7;|DRbFE@4GG?ExDEWB^F{q{0PQ{x_@Urs_LxF=K?^
zQeO*+_fbcoryz^#xZ5xCUYl&4wmB0t;*Dq7!&z+syG>#sRZ9?QFyo0YJhwcj?k635
zn@~)8_(ffC`^=J{x0%%v9n}j7w=pt7V5ZiZ%Np)IqP`9b*Ry{-AL^FoEoM6r0~fO3
z>guj7Rm?WB<p3Me)d!>-c3C-_{R#t#^7Y)cfE2qDiue|3)y1M9=H(1#^<|hbVvKF+
zADf`X-f|3QT(*ljNmQGZ+%mr&$_tn&eTC^IzFhqfQz6;BvR<WC$Y5CM9S&_as@P8%
zNQ<|A`)pv98Ej>(ZX!)A5qY@0pRSCh;Y&7H2T-9>q=5(QeJC$cO2?GY3Mmbj;4;Th
zbE!<*jC^}>{UV_w#?L_KBzfs{1!{=#<5DlZ)D$$OnDJo#)R=>xOkG*)U{qJtaO{qB
zZV{FR(ow}Zom>k_gB>S!gj!v1W4d$n5fnI(8ovs>O>e!ohb$_`a6PJ4TDD&y=0_5T
zUkDkY%>j*`yZv*>@b{ArrOUNMHeM<L!vrv_A4i66$`9cVI=&5ChQ;ldaG3jUvdv@#
z#Xo;&w!Ke`+SrRw!osqT@z`qI5`Qx`vPQuwXQWhPxZCGT93oV3qS$%;Mz|qEB>JE_
z&gpS04>#W!*Cb2S?0YT+_Bep9#{?ys9crCDLJKG|nh%f&fFD#A_b5WDU%{dvLl6{X
zyQz?ptdWz%lO0@&n?Zw(fCuf_>LwB6pp1*w6TtN7_!FW?VN%RI@Ka_WxA8NR#3S6z
zyNiw9EfM!X#x$i<P(Y+`^R+-d{t<d|iLfX%vv$tD*@WdrS|_A&yaoO)>z|+h=aLKL
zUOV7(p-32x-hopb+*}NY;TK||YyZIt$1eo7Fr2g79e2~x+cKW>Bf;NoY;p-z`|w=6
zcrO2B><R)O=>>fP{@*@-AK&IQ2<?_{=VS;Ke0XJj{8H0V_<VS<_w;>uTc7S=>IZ(`
z|9Y-)v^?op2G(vlJGeee_s?G|3_pR{0>gZvPnLJDU-kX(PM>~oPt&wpJOhsp8Rr$d
zLbW%$z^BvaM<)uhVrljU-{PvcM{z?`f+7OP&&eov1%lj-m5~zk?QCw|rkW^csv8GK
z1HknB<|fTssOph!wN#FBRVL+Ed)4H5Q%iUQdC#a&&C{MZ+UAoz1vuGK00bc3`VJ8p
z=?fyh;twHyBrqr4|27)acNkkczk6uhE9<!RwM(8wKEvVJVSOTP*)+r5naut;<t8dA
zAv;LLoZy_@)QaLYjxbQgnkKe<b_PMtzCD|pZ5hK7&P8D<m#CXQ9$iLoj0oiw0~aL?
z3Pk}=m|`3`u#z?2tr>y9(hSIA&y)AeO)6)!U7&RLoL#+o{BCZXdv^5P1}%=2btSE8
zOcH&9K+-h}Qv3&jB%6gz6}AMHja<RFoZ%xolt;ir8=IQ<HTh;++GE5mh^9J*yw`6P
zIdB4d4;AILoY2y&N{(r_)mbvT%Z}E#JlSrmlri0`;*=5oP`sgA9v_&D&t#6@paKWC
z9s(&I0wLpZ&rOoWnXLNz#E|@-9?BVq2L~N!rVAIJt7b;UQpJu;kd&asvKdshaLHuK
z6OdR3)<CNZLQ9LOn2v0%jA&<z>;w6*wx|~SvYGRu=_T$YAAxa*OoUk3!$=u1@<~xQ
z5XrJ4=4LHI%kt_OH=qf}vYdAIwY8Jq2Wp<}IF*+$H^8e9v^3-PA|Gcnft5Mr3Y|EJ
zC5R^e%nyXBN)$uNGk1tyvt6Vkcc_(8)pL(RWzQ<*MD1E4ia;i$-T`I25Fs(<sH9Vx
zom_w4s4?zFko_`_2mHZmTB2U}9JE#3=F+W<BXR2o2#Ji)Pe2gNJlL&?ToRd&JCo7#
zagqX_h$V3i7P8t+)zge#S(myQF1$~BxU5|hM0#t2`iIot@TY16Oap^v5_}*>uMp{j
zlGnLtm2=eE^W$J`?qutQ+MK2B)_+TH%t2VXhp|dD+reo;bCYu*gKTa75D$<14Na+B
zm#keZ0#BL*M4)WuZ4nLexaos=Slo*Ljh+`1+4L1zJ}`{bo6`juW5TUinCztqB0KtO
z9j``>&5C~Eb2HV$(MI#bicF5Q`Qr7}CsFCaDPA8w4XO>3Oqpr|4emQMI$UO3Haz>r
z)&)$o+3^nqhA;OHl*4i6-!#jx+LY=rvJkG_=M%Pp5W5m&Se%-tE%|b8jU;G4sA$tR
zq8X_^odguAQ9&#V?WCGDQ{yc@^iISij`{hWdem<qHn%rwAX6Z(#ZuwH21|=Z8W)gy
z(7A04KCXo}i)<bB;x<e^NBj^Dm&pY~>-SN_kxi<|2NMTbr16?Qpr1h}rX5wF;K2u4
z0)pc}RkBQ6H(EuO{LXowE@7lFYhFPO7vVBYX1!VxnKINwauiOtcAn#NM#O!+S{6;B
ze!VEk!<}p)Zx+RpR$+&kk6LrzYu{4D*_(8K`qz&j90n3Fd8n~u*i19l*IX_gL16+u
z4%CuSG2`^fQp>R>=4&%DWHRMr_ZyLKl1>Fc|JQy@Fv>7i;d<3lg&+&FI5?zE`M-^x
zUG#gSw8r4o%D$+cos?H7yjywB?vWApfF>o#Icor`(Jc6NBN;k2{eazaCksxEGR2xb
zVRbDMAyT>_fp|!t+;S%PZ0m1LID+%RdSl9(RsuoBW}J=MFN82Gs*)H{|28U~zBM4^
z769TIR~a>kMhjw&Gg|{~<<Tf#JlOgk0o8H=3U<D;*#uEt11<BtNqAPZhy0T?Sw7(7
zhYf8&ynaToZp}SOe0z>CK?d!f;DX<ZE2U&WN5aTPFxPyAES2t^MR}h55x;mfv`|U6
z<U;n|su;)=Avf5CAjlyH5u(Lvh!|iXpiELjWKpRi0MSjz%Su8f`bxVK<}y|j!I?7e
zTAQ-uSswTf;{5nyUpV$FGP9*zc~+;Mz>GX!R{bLp@BiWsoIyg3E{;hV>6HXN3!7^H
z+H>Yl$<=<@wDf(~8q=|9U49xLV&}M+^o?W}&L>VKl=7rB@))`T|Jyj?0N9vr#16~G
zxeK(jJVkbk0R&b#n#}Dg{4!RQU&MgP`XAgMXt0@iya%9E;D>mSTf|oM?ju1>thoo3
z%Q~55lAb=6Dw*w)n!k~HiF@?P&k~fkK@Yye{_UhVKl*v{%!I9dcH(P463OZjQ)9Zg
zRxl=cUGioEFifvoDcAK0Ad7GESzx3yMQ?iGo1|d6EyP0;zsuMI%$V#}ye3sI2JPmx
zVUWRB9lf3P+or^G6z`-_<kxyM98jNu&1X;=@FQMGJ7|KLWY}!HM`8FNEJvr=G%@39
zU7fFf|C>EniO9N>3wrdaEo;9tII?Bo2+)EaZbGb$OsNOMo=Y$Q2o~6FVcHfc`YTxF
zy+=vs%*Pgg+8P5d7ede*RkumO%mevz{Mgr{EK0|~5l$$HAe-^#^CHY<Q_Nf2Rm}uS
z2XZj|2Yf-O>S|{~)Otj5$vRbo=Ad(v?3F=pLBX}lxS*>!X>1GVleT1&o>9D3i;=yM
z2Pk$62iTQq#3-<VDR6JuMWgn|ptiy%@BsE2itm7QpBN-!WIjUV1QI4Q$y}2zp&=>_
zdMTmdNF|42th*nnnXE`ks0S8-T<J8SA*4<DiZG|RaMgn=A~slNDHq`%m{ic_RIo8s
zIOrBG^TFDM>;$lLhW94nw%h6k6O2lRl{AeJlt!|^^D70Q<$r~35lq<2oS1h?X%b-}
z=cF2-ykXU0S8FWQ3s3Bqoyv%v0~FWVD8lB!MSZs7gmFn<zu=8zsxI^w<}E?Pn1vB5
zN>d17RWeeyPWKC6r*<u+;p{!$$byy<uJ}fmDv#}})8Z*)(>gQz!^e?K)8fsz*o4!S
zwSL;umjG>PWR_&ja)Up2(u&#ox{kp`e4^kJ9o0Z>!JwDhF$4K4tk!%U)WH}oqe}gs
zOoO&$^*1qC26%SUg4cr5JS2om6^jrOzd)8)-@+;Q)^Xv3Y;LpRNHc7LtwM(RG(*~a
zk${q*sMrhqTc6hSteXgsR8W^PFepf*^7k(w-hkp_?XT-OG%Mb>zFr|yD2cx>s1kAh
zc?*YNL}f+#2C`suFWeHs%!6`j8u*G~gamrRGC%-6qm|jtuE~oAp8F{fH2`v^PzI7}
z%*`|nj);mO1%C`KnoN=aqus`(RAq4cIMgd{BPWqB{;*RHs)Lf;_Z>p{qAh~|@4~l|
z43LafyZCI2c2AHdHh5r2|NUkPvdJ@(H4O@=UH;P{r1(Po|LzuhbhI7uCvo4tga^**
zZu=9@`Gg3fJFelA&w*aWut+70)QZDVm^Tm{^;bwXmnCtF(!?N{;g&Kq*>?4pRQG-K
zb#By89k}VP&#$?AxgTv#6PE#eK2O`fk4K9E_eaNcOiU3rveXQ5xD#oo;FR1JX%*Uh
zf%o~v7~(#mPX30=<<a}~*`r^-BKl6G=GU0U6LkA;HWyn0ns|il84U^Z>^e?!GMEhf
z-d=usKUAFyt^D%%Syf-abonIlaPH^cb;gK2J?gP&hfREO@<eS=>JtETbx}B~Mp4wK
z4<Ed|PCi|^1@~Ctf8`8YIO0yi10XfgXbqqWL>osdx+jE6($HIl1B6?x7YUd&bFPcG
z6ALuP12%IF;vH|qGU8pCVyRbtikF@yX@y@S$4k|x#Bp|OpV@%v6F~9ei?cn3kPBQB
zB;}n&rCE@y{fe_F#@hlm^6EMU`P3j#)iKCQ8b@?2Wlm%(jxr0A<`34<-?+oY?0Qv0
zD)sH7R3%Y(nB{UkqMhpV_VaGy>~0RRx4deihm?Hy*%*?!>rr@Vm9Kfogk~e+v-ZZd
z3BdYQ!exqh&a-U-N53BEoJyP46ic>QSpEL<64y*6MHn@ago+DTQ87{}>fP~LT9l}H
zczojK@q-{8IwLd7C^5FFYN(UdG)3Z-OV@16;uUqbv*p>JI}y9XvD`<Bp{Yw2dIWC_
z5k@t0<Az2Dy?U=K+mBy1NM4&6dN0GPT1WU_W(Tng+|?Llw_n$ujm{asYZl87CgV`J
ztd@)WiLYptbuI%eJXurxHmRFA)m8<8TN)}Hwva^(aBQc&L-o(#U;&L5XS&C!U0atz
zkM7I87aEqQvt1wGv>AZ)+`P|^R-|oB&9oQ3{r*Ep;N*hk<5f<gPv8{T7rP_=L*g}`
zujUum@7#9f<Lq}2XlLx!^4Z(!FzY)RvFNHpo^#NpVgnHRL-4e;h?MjBcv7ETJRG@u
zn&Udv({lGu#S$^T?@s}A+}bXR>1d8*aEVcnZ3S2dc2BVu`hMvTcgnvUbs3sptzUlV
zw_1%J6~tUmUYN)Q{J3({P6W?}OHPN1xHnU#RN<jjNm|k)c#y63E?wrFCYpt#Y8%_k
zZ+B=kI|B$Qmx>g$b$QMuwh@ZU{2hOF#C`gs^mIfdeD<!nyZ$7uHD{+)QcW#%hb5fD
zua0VjqsA_iRh%c@Zk1>OUo7b%(73Em?zvjaINk2A%Q?1a+Bu)1oF*9zi+-w{qxV(U
zNgEWGWzM3cCYsV#U*9hEVrS|a=1pq-<fGLS*92hBAhuX2Ag3qv90+7YGm>i$Rs@vw
z%LRf2vOyIRb+$=qe}}uRT9fJ030s7cfqTZGm%B)vzayTITji4(GnQC?aqCkCqnvR<
zZ-!s0=Elb`k;UIAiJFIKFEz?sVO_uv`vw8Eq%H!xF02pDFuLbq^u<t_e({$bp6O;#
z-6)U=b4<!?bGPwhW;lP%<q4w;oRt$nH5k*gWKB5_WEody#a52txR*2TwVl$67~*zx
zUv9zRa;g)pG;IRzrv&#DVk#wGo)SH3DpkTQ!r1#j(@s)~(!OsTkq#{ei~%2s%fK(`
zZ7rwD`qL0I{jcuSTk1wsE(I{9Gnv~cR*C?=tn38oVqz8M!*`wU*0V~aexlDyUt?D7
zp*O%AO6%I7J?;djbce$o<zJpe?mp7J2xITAJ8z^pq>6b+{X~vaW0yu6S;Pp#@Dt^U
zFgclIRWT3vOVHF5X7h($`Xu$Gad6mW5<ZfYlLZb(Ebl~(l-7hTD`!q@w_BASDo_BC
z3Y%S>Iq6+7<RJW#9y}PtI*znz)iT}Jxbsyam>;`KxgiqUf=U5xjNQccty&gRf|yys
zJ&~lvm=F@O7?doG-@FC}P}OMpY~mVDZfloUot=zNp&AdW_blANsap?4pYmEmy6f$C
z<uPwU_Ii2z<hFcw@=Q}0;oS%oFirs)wAlR(2t^fKOb&jAsM}Y&99H=cD-C{9;aU}j
z_==#+^@(<efhLvZqHW>Ec0${Td90BRzIFi=KX{gw`4q#tZdbb~>tm@O)eLlHW{@^K
z!ZR^u+D@EQlOsLLeCB9x!r|xQ8~yg#p5B`U4Or9H@sscgD)FoZ%6!>9EKYz)OJXQ|
zBT0c53j0h+J{oKQNzP+S!G}lh%Yxk(8KHji{@QeRXpYnv8K`o;TIDPEK(vQRUXz}2
zjb$2>%-u^qTo)3@Ry;Q06ByP^UY}(n7im<Ht~DAJU){2LK1T9VTzAOpf)WxrszrJ7
z6MR*SOE3&^vxhf(y4jbK(IMasW7xg!jCVOv;~N$o;&*h;67sJc)t<vfI-Yg-RPvH^
z`n4Fa%`=Cf1fj^mgpM%?GU9O|nOp?Nd4pqWUM-k$tBC7PdK=QP$_0C@Pl2<A!QUj0
zd&(iuH;_yNwcMy?$WF?>+?ArchgM;*Bp2nUL1)gm5j<FJ@%P`RE$0JUil{rbGObGj
zi%zvtO?r_0YC79D0edv^%zliG@@Q_Yt(l}=IYvSo19wKTk^(}hsGek}iwG_suzgxo
zK#$ehdzW^u!$iU5u~2r*GT|=7ap=+z94Y~4&m+m8#z6AkoNfpk^XANLPwvT8<xgam
z`4_P7pO5e|m==$l?{PqQ5)D{zq%wzO^ePzVNE#wtr+R#I?J2{kvy=DXLnJsNUWL~#
z$8?|my9aS2wz~5PSW#*MQDqp*SCrjMk4fds#I2ca0hf!M$chE1TJ{wzNg2K~C|{_D
z(lmQHtNEX!)i;lA(7cn<qgqo=Qbs$H14Qq1wnkAA7+%gqY7Icd)9YO3PuhU&{xfXd
z`_A*X(0yke2a9b*nJk_pT;te~+3H351yQl6Bkm^^k=HkI6-D<%ujrD$gJEYHuB8xP
zsdJD$Mpn{h*mvEN5Gsn#LIjF*k`_lbdh8bCMGfn!V1P{t>oo(sfSBUG3JHhuY}xOP
zYus|Xqvn@~*c9O7E@{BTau?Cme^{DjMI#rD^HO^j>9h;dALzG~Sv5lP4oYob+S8Hs
zj6r=JEpQF1nW;=5FNZcLy)Xq1re%te1fSZcOg{$AyMI>uW60l)I=5kBz3J`wc(nWp
zsLNS}B)C=>Y5in6-5%XMK(A-6O@H>(qndJGK+0r0zyspY%fP8JL%krXW@RV6b%PaT
z3caFp#NADq8H*Bm_mrG^NpL&QCKm8E7>4d8Zx941VX7IRs5YcQ%HZ*OQN-vF>~Y^3
zSh{X^;9mVYOmcC)-@FC+7A4#cDN4I?uSc6$krV}*O9pu$Dd=TPWDYbAUwSL~63Fb3
z5W@e`v;_9nF_3PV7b4~3d+_jMwF0Mcz@ml%f4!c$<YPmdMs<h1V}OGq%(Dm<j&UXq
zGzZ_b75Y>TFr?DJ6uR({`w=H&&57V>C1?#HlIrQnyx5yc(DdBVpYrXW_3aJ`-f3AQ
z$D4)iuSknC+YKe<iDKS4vz{;yCS}q(y$-}hSp!U|(8-A(Zapw<{8YCWzlV!!fa=-v
zr=tKXY(jMmQgo+}z<e0T1sN@@8Cm%@vAIf$2QK9D9tU;Eh&^|%OlN#sZNBg8I(AIA
zVo*$|C|^*yf*?prW=U$%ZSvK5gjZ>%PA|vKjDC!b2OS+E9&yb!^VD0qcP^uT1>1>L
z?gC_j>;q%s1HD0CndgcoyopaEFy0jP2&5T*fCTJ-U(S5sovKheS&l`qz(Q{1y26+u
zci@a{iuM|w?#7(E_qy`G<yiRlXgTET??CYs&r5wcyNezE{^jBRVdEE8VWYWyeQ`D2
zowD`lF3=}-g<OLfIr<A<50*gaS%1eMSBOlv4jaU874+}sH6&8F$*zLhX6#ESlVJT?
zzk{O9&c~hM|5XD+JI98NziLqMKQ$l${=ZycN{u3}vzTtPv&w#bxaE$ZHNw)O0IKlk
zR)7<hgj7K}$_YU+|ADCB+03P1P2rI$Hm$1;C0-39D*aNYJqGUm?I%A@(FE_>TJ2(8
z<${5h8}R(PY*sTn#Te#<ilU=iROWi=oUGM{5xuF^AOX+k3fN<~-YwIkb#n%<?vt)k
zXlG+ZnKVm44{hiTFFbS}9mqVyq1EvT$695AzkATGw^z^xAS$x7Y}G>R)o_p)n3L}a
z3aga9yqGWA3>)BA`bN+mF3t^5hr~Qu4}D^1r5;J@3V5<4ri7eK-%ppy;|L`)UiQO<
zSeuOGJR<TJ0nG_AL$66`c}7PejR!Cf<K|=d+L~uf`Ny>0G<ShVYP^LI86gqLW+9t)
zlKDgr{5cBCz?p-p+*xA-9jl2!5iJo=Mk#wkH7ML)y0O*be)RrQ{cFmxM>rn?MT0%q
z*HRo|D8~y!L9NI#c5oR0TWtW%BFH+u%>N|df14Et+A>=d4vE|!bk`iTi&Sz?TX7Iw
zS8n~+x0ys4(~-iX#xO3P#&FmFP#g1bV}*{6R2+4I3i?UO{+<LMZqkq32Is>c<7SAm
z)a`gC3iW*%<E`tu68W73f(Q>0Nf>0tLaHt6<iP;`8v_T$7xUPjuJAxOa0AuJhqtr_
z4zvjr0Byof`axBE27|%}Hrhcn+Gr|#1>f03dUt~0E`0TM!Hb&!&BtGDIv%viG7xaE
zr3?4`J*eAwW;<yj%c2m&W;@{hIc^YOg_If`tGFYO6KLxCE)4105B~qkz`tPNzmS1{
z!2s|d$iTl~0Qe7N;9oER{0B1dFBky+0~z=i3;_Ru4EzfQfd4=S{sjZTe;@<@f&t(^
zkb!@}0Pr8kz`tMs_zz^@UoZgt2Qu(47y$kQ8Tc0r0RMpu{0jzv|3C)*1p~l;AOrt`
z0pLH7fq%gO@E^#)zhD6P4`kq9FaZ1qGVm`L0RI0nVD0#Q0`vdKK!@cof9^}f>>aa%
zSs&98p1^mLJ1g0gG>cH&DFdDfKuM*UQdW$Ve4eI})XFb%bp5undVP02W4Kx;7t#CO
zB=66<R8aqKmDdvN{yIZ_#;$d#&yzBXX6D>dr0CS6d^jdZAkCasZAB+F=>7EUCE`}8
zf${#gUDKO8+v~?kL?5aY(^|tAaYw-N&l2n%6IW*q!(KsN!tj{cn!`h-0>R!|q4k~d
z9wMxQhu_Dn$m73GV^%kddv)lshl`1@h#yXF3<)ayoZGvKJF22FG^Ycc@9*8Xg}NiY
z`=IJc<X4GT0~krcFuBD{ek)WHvZ>EWfJhCMRnS|Y)pD_*c0K2C@y>!$O-f_!eEk?Q
za*>>-7FH&OqnZpIx56N`$d;C76`A+wFuj{V5F;{p-gEO!_Ybvk9i{3tLLPHpm%bXr
zjLqgPfsuwxgrM$VRTbww<aoF=Co~cGc#Pz-0_5H-U~im-fb3D{nYE*nw62a~)m7?;
zmx3scql7JQ%|*nEoZ+aJgwzZ!_}iG8a#G4yucByJ^sLOd{=EMS1FPv@tRdRm+e<U&
zkMM7+Jha(r@VD1@#NP5Dwdr(|7U3i=M>2(q#Sv{+=o=sa2qDW9>;Yr`Ye=eN+SJ9Z
zNl1A*-H6(hcLH2ML(PjqTSYZUh;6P61EL^~w;-Hw7htn#=%T++RJCBZZ?E&M=G$A(
zYgSn1-JGn`YDvBv$R&YDONus7A%%-FNQoXPRmv~(Ua@NF&|ka`+A_~Vbfjp4iqno%
zB)`y42))g_?w0heYcPF}V07GCzrJ`YHaI2bsyV*Bc!&XZ3yuT4{CA@IQ}+2(_Mi2H
z#)yII3D46vrZ<$gQAQZSy9|W>u}|msjb8^xkDvE?&VRm7IvFjx%-fY>K!%4HrRN?K
zn9uoD5vFuCw^UFu_d6&dQoqc0rr+O3|Ip{ead!M6Ko2=KlgUFVk(C%Z21z1@NE-vT
zU+H^#ik}DwulM7(Ri3=x_4eB_N1qqO?7O-1EX?Oz)7DI>N`(uPIh3jsu=OK^Zpfm?
z;Dj-qfb$TxyiL{`E!p;5Y90DY`Jbu;5t&YP(pRP^>`aHd=dsP_e0Gz(>>(9=@(HZZ
z9}At*lB|D`EgM&t*D0QrmACpL8)a&GOx~*@FU1ZBp$O1ryxZ(p&}CfzzA$;&?lN$|
z8pf*Glg+55pGd`%7nhO0Z<eKir=+vTkuA$s;&5B<F7{$&>Kf-&Y5nY`39d53>5h>i
zOpwSK;2|4pQeVp%@uxfBUpklHQ?d|7FP&?niLNi_^i|HZph%Ilxd?0MZPoS~BZAtH
zRv`lj*_$9nWW5F$W#v>f=e$nxJZ!MqbC;k#%nsOs>TqzVTnQc}Lpo{ftLBoEn1%Cv
zOU!PGht`a2v(xf>(D(3IFx9OxBE5|l63CdA{aR9&4d$MU_()9s8!)t-FCl4nWSR5&
zK*`1l(DRzw{C{Az!UrSY-!WKKoK{QeB(?yUmDZ%VX9l?7oj>JNC5%njC-Jxn?4OU0
z1pOK~{Yy%r25o)J@V^mp{E|N2Qhbc=&_2DkJ49fmilyf$Y<H)n!3d+g8(5O5k{vzK
zuI}N=ekS!>a+|V*=GfC2xREHQIz`$T{F7-#e_N1scOASpO!$)*XMg)=C;2Kt)Jdq)
z-6&3VbL9da0Yw<yA~9G91zdG-v}{xvJCn?@y4r(3&TdB~ymD{kYxzW(iWKIek)o6W
z6v4EWZJxACpLDsa&XpKM@0|W2L`8iFk?L8B0SPu>zRl<u@UHj4ye$h#RXeza$$ot%
zK$%J9M3lLxlJ*@#=jGKjM|M-i){hN1t(!Cmg!kPI!L+QK?C2#~gRAP&==`z!*lwv7
z_IDT=AqypY1l+7O6@~cXJ1Zio!}K76&9LFb%DOtu6v8VP{|&_||I_S$fBbva5aTPt
zGXbv3_V)26mhGY6Dc{){9Dg%mjXV%;Bf;d0&0O7|tk3W8a$0$hDFjc_;H)&O#fyeo
zUZl8SUNFM)%u}qS%ET_cG8^31H3FLJx6|gHO*-@u3@I5ukKnv6)gcASGuzbF3%jh4
zc%fkY%Za!z4d2gclTe_WW%^&vZ`WcHegTQJ?{E15+6)f}7ox7Wdu17TUBQE2pTQ`}
zGU>jY*R~w@w03HeLf=cav<aBSm;N|e%z;V~i;}j%uQ9*T)1VSkhsTUy%5oE_-8-8H
zGc>yQS)%kir-8$o>CwrQZBc<FCe!rWo@j65;8@~Pw%*Hc#1$~tznpvSwSS9q$OM>i
zP3usIVh}>{6lAM{MRDviSg|x%?{HcA36!6)@c-OdP}^GC81H?%OF}CY8Z^HG$q|DT
zad!?7gQaSOcfw|<E4s+$GKCeZuWpof5!JT!3SyY`bIhwZ&6m$P?U2%LjPJzauV#Z|
z>^z?sXd)VQNxzfVcG#*bL-?-uMHHZLAWug89?_E?6#6JT1mT*N*MV@{JLAn7k_&`1
zq)!qvUAlMFV_V|?cJ2Eu<?r2ooI~M=7-B7r$3g_F7kbp3OUDow8xFl!U>K@k>#_0@
zA^qAgFs#(CJjGlxPYlH?;eaVF0O}S*8!LENi;S{7D1}ZxyzbqzESzxgu>g4Ou20u%
zzyA%Zo|XjJ$SWA#3=%VyhBagRJ$Q7lHqwXaZiOr9&jOUadI7$CLOB<QB*{#QBnM)X
z;vV*VIR_WfSt;3<L_D=3R~W28lrJQVnUbQ^wz!<)-#4W04}N4j6ALludBg<uA><V_
z@+(fyUTstvX=)(cMyv(r?g5~pjKT<Ms~ZB}26pFk)oiLmjs)Ygt$DEXrkLS%a+~X#
zW=*2i>LpIQ+egWqr|IulaLRFcA<M~Yty`ar8j~dxJQ!nRzDda{$-58Gh&(_1+|AEL
zzSX!i7F+dkS9DC*dKuo>by+fj!%RO>=Q(1=gXD$8M~7I&A$v2aH~}Q?rM(>qH98Yg
zJbJM<QR|sXP{EKIBMAa1V-_BZ?;*<TtEYI$zrWoWyJ_6+33{W=c^>8Hef+t1N$KuC
znY}=Zf1)zk{>+FmcJ6zL{en<)JRHeqEOyKcpBA_ZdyCe~ctGBv*UU;&I^$>XKnt7t
z=bOyT3f3iBxCi71#5w>UCpVG)du+%dNpZ!-_Pok{Z!j3d=oI!!rP!SYku&&`tX-Y=
zo0NQ`v#AsIEBO2n$}YBUPHSSa#UPqz<}KY2v{VHn4Br=PI&3xi6Ez<_nH{pPe{g7a
zm$;o&APok&>pSrf&0zy9;f_34h=v;*Ip<P(nnrg9e~b%*3_k#RkKul^1CMNq-Jq-F
zbNDnWD8knr8ZSB|*kEQY!^hbyOiSMo)=SHn^jgzkuacsBJRc4RY|99_Rh?9=A<|7o
zKEPvGkbXtlewiaVptF*0e%0o7;JZ2SCxOMC8;en%M)xULC&sq_P^+I0Uyi7{7Q?8g
z8|O}tgN`rD6uSoYmlXD8^;!lk{v;VGdGA!hAq}QDupDx(v37iGXv3**uhgHUXEdZ0
z)hKb?<Ai(F;z>4FO&lDQV{7o1f_`9}flf~7NZehU{!LMEdb}nsE~~Ef<=}UY@}WYl
zP0tQ$Q?NV&eyeII#p$1xZyDIo$uS*)yKV!#=(|I7<mxJbib^2!Fyq=0PWpjXRg_sW
z$l<pjU;f^D&!7xIw?PSOdN$^An?&mBctWV&(dxUOP%WcD!tQ=u_9}DjTz>%Xtb4}#
zA@xx}zfO?WcfWzOfuE;+^TWrZF{?hH1MBE_zZM}QVKAnd1yuM9Nclfnb^abanDu_y
z@BcqXZNO7bs8~VST5zdRh=AU93jZNA5D-2k5D<*NxBsSNxmp>!n477&xmY_`y8bVF
z;7D)BVOu)A&(LVMXfH=0aN^=d;&zUG33nnr567M_dqQTRcOwQ(J9(pAnlmPqTxgbm
znt#*pRQ+c`s;q;jMPR3lQS>j*k9kkUpT7+I>_nTsRv{gnji)#&0sTCvboVAgks3nz
zem&g;@8{xY@{)ZBhtls}&1%1om>fSIgbZx+U}NJR6R0og<pOXL+B!7wtCSAKC0@*N
zEAX@S=iNBgWU5OW)@99eoZfc0cHic`$V1M=|N5V~*7LRy0Fd3&yfA2<o-BHPzV}l*
z8eHzpUS7?LUm9To_Ufrooe}4wF*zMfh6ycP4daiZr)9dGD%S-SHn`#<;il1j1-BkD
zmJ{CfEnaMb(;>|8#W$f_av`A>cAsuddUQ;-LjL$>xA$R{geR;pd@+hd)PgTbkO_2{
z>mqKu`6qN!>Rl=UBy5y|BhHq2RkA}~)DB=waqc}c5b^Z@8S!!u<pF=JE3sQb`XHT>
z`R-Fgq~eP?pK#Js{M@yfEIe*FneG>7wqAa09rMC%*?u(M=QYubcVF4YVUqh0`@K`v
zkux`ZFSwAjj0%zV5(UepX=dUhl}aX=Tnm$|G5i)ite8tLN~$CTPwhSHpC}d2yh#QL
z^eAEV=^f61$4|<Ited;1izgFtOJ=E@QRBU9y0N^E>TY?V?5l$?zf{TwCGs?Pv#lAP
z--T|u75R7y;GGv!q%AoC(I#;rF`Z@IAQDsw-qm-Z)|))1JG={I`^%^uq4UKhSz(B%
zi)03HSrmofF|m1EZTQ2HnWdK^<$Zx>SbVUDm}Y;oJ+~_9Dbx2ja5o3RXLzs8B}IZS
zGJoULbE}L8kzyz5g`(Wz(4keJI7r*cn0_fgZB(PX&ZM4(`Ll#ud*wsE9PiW8hU-2%
zOW0a%WZ{csSG=H=M7N<6$AH7g>I%Lj?-YbV6DP(Htbj(>T;Ue1+OK*%iqHQmYZPw@
zB&F&N$R|(l#@@b_7Fpf>lvETRhM(~D?pic`jkLzjQ5z(q5+iI8U6z~~)3Ia`FQGIi
zvIvvcIOW9@8t=R#;SUJ(x7bHQPtpvm6%DV!HiX6LjEg;zjRFz3LIr_FHantSkTE62
zi2^}KxN9VjPWg`9tQq`Sla-)pf@g(>(68wMP(QFyYZIE?8jBepFU=U0rOdup<isx_
z_sNC(;+NuT@5Vg}V>MnvT6oEj3HM)!dk?Y(%3B>qAQo-1H7s!}O{_4<_Dk2&$cOIj
z8j6w}36v8m2PDUfm*4FQ(3#a5huqjJJ}!MOE0i@T#(vZIa(+D`eMMf=-FCJgU3MP_
z6tNcL!PbCv`xCSXA}X>?G~%zt@(!QOk2k7;CR7KY460u3HIh)c(Yw%lH_MhaApC;F
zNGBS?HR4Nb*L>`X#5js3fcQQWKdRtAsV<&GD?s&HatC&=m5-D{kAl6&g3H<+S@?_^
zogZBzooi@_3;z@4w1^2S^H9Z(OXtuY*x-SbliRPWaO>ZFbz>_K>VHIdnB|}f96kT-
z8+}Vf1jZGeE<OBRte7>tMX@|LT%Y@75m)pDaaIc#blhp$saME>Wv&p56+?tvm#Kv3
z*r3{er4B(4F3ViyN*xIgJ9Zameur7DMA`l;%^h-&ML%SR_-Ifb!i1~p^5EPIAeyDp
zwff`FwbxRBdJpdy7Ws=xdfJm*n7)Yg6ie&ErKoQ*2HuVNf;vsU@w^+}{OAlnwSJy!
zSEh$wk^g9B_|SZ++yo|?=uzr6_l!d81SxzSwy!gdS@_21kC#hu_=0G;XiyV~J`uAe
z<*Q3fzZ|4y#nOX6EK6#Fm_P1Kfd*SxheTv1PkXwZo&p2?5B}mqKG@L*<zFz)IGSU9
zhOd%|rz%-Yh~@6Xb9gLeGfCt*xxzlVb189mg|bx$Nh5e|M+Aik+0d$)7L`Uz0uUaJ
zS0RgFoFK~pva{cm;BN&%tS{CsrR}%dr)r#D2rUhM(Wfo(nTlV{da9tofw>oG)lLdS
zk~DP97S1mhxTI92Gev?98nGdtX3{~utk4G%${Un)oD2Iequ2A~Y@1(MfBHB6;3(Mk
z#Dn%B{T?(c0%9V+rQ?8#7O87`juO22{enTF1!<({VI7uYvc(8=?#lr`elC8~(p#NY
z4Kt~K6O^>Db-En0B$`Kv0&uT4CggrD%g#Rj8cP8cvtz^c?1q3yAg$xw4Jq%IuMDy_
zNlr7*`ltn}B^pY_!=D86hbWQ4i$%CWAN03X(=mG@R8a72ZR2bjeDlwVv#SFP2$kH8
zO;CdLL9U77i9wDSb!Z+KyNoctiGa45lvz{VX#|NROZhDF*-1^(3IIH$!P$>&izzU$
z8x(C5d*S<mp*XGhoiOUi&MyM-KMYbsim(xbBqtBHBr`KCbD|_)Fr(FBCMAx__`)@K
zR+K241Ci#uJw1M4h3&uP2Gv<i37VysLwqP$w8U(m!${#6kCRK)o_|pp3NjB9frp9F
z0Rv}X$agG++xP%$0tajf8S>)R22x$tBHTgjG+7u=xTq=bB9?{1v-aHa<iIA3XT)=?
zZu<AE)~33t3zLeVB>8!u9x;t(CteuW95xV;<ZJvN@yBa$!9<2AoJFaTh-5ghJ;jhD
zlJpZE(LlH=n4M+MQV}y`$4I!^%&ssmyXa7pHomS}gzvD*Z~=jnTaOhx*fOXRb}L_W
z<&4hEgxqhP6ek3fC~+H*6+z(Q6ARdG<`zf^3TG(~V7wN)ySq0DxaXznta9F{k;+A&
zrd9@YLuuD)83&{!<^qo?!r+a<u>r6TrW6ngLSYJXDqE~UyJD1Z<r}M>S@h^+a1^?u
z7jk)?Er>qiVxX{a@1d<=Oa`ozc@!e<1$^<-itr6iY^MapPTQv>v$Lqfeef0r%00P_
z^D~!XxYNQ&jRO7~$q*hc#%QUX&@p^ku)|&?10oEQcpJR?z!Pp%oQ1L_V@xyN?!+ig
zNRKd)Y$oO&+?0AEc>3(%s-gVfgFy7p3%BCb&*_chAiyWMu8=eov}lWTqHbyKbHh5+
zF4WoAlc_(goAIXA3q~g3r5$XUNevjRlg<5!dr-1QscmePjzi*bp3)p=ma6mZg4S>@
zuxR8vK{pv*GC~9XmCWJqSeBl{ZLs;yB&pp_yLGe~A`>E75XMM|SZ-$D5XVy?RnGLx
z-I3*&27usc+(svb<}ZpaRnw>MK?f6wDjs34HCj?>ip{~Hx{{q#GkF-apeUe!VB&8^
zbjowg=N2NiDAX4~x#4tUM?ijJT@)B2Y}A<f^{*MpeP#beaW@sEqiFTgubRtP&a(JJ
zJt1+{Mxrzz&{NbX__x384%Dw`OQ@HWB+C=7E<C^tgI{M4oQQ~^#4M=UNCFc<tJh-4
zXlNJgsJ$Is7PpivAkyy1#9&C6JB>*C_oaxHJ(uzW&YBuVJ6*I0HNgj{4E>dArA8rW
z#)XQ|#qShrdZgIOd+TP6;_hY!I?m}db#;&(wtJ3KP1m3A=bjb2!37w3E<q?h$2nl&
z)dc|Ul7cOz{gC0e$}JZ<Q5S62-Kch3s&b8ZSWUPJQ;sxU+)zEN^1asawq{p0XDFMN
zZ4g){@?S!;Dn>d%vbC>Rmx{ftnf2ut$c~ew=@g!-*VL|yBE8+N8A<k|cdCqZ#;DO#
z;=OS+h}u=+(N{*<QV30tbHhx9Y~edQx2Qnj?I#1oS+Uswdf1tj<fou>F&R<!V4x2R
zH$Lg(L@A#C&&wkAP{IaUQ0`-#IEdm2?%J?BGcs%uX-sY{SR8B@3a1mL7VO5rd3)A)
zMfE3|Cj&(Sc={rWG!GI@cy4T-d_<s{c{3PBP<JIO^#M)vJGAx6Z}R~PYajFp*G9m<
zVj}y&giHWj(>-+E0^?U%EM;*xJ0h}all!+E2vSKUiKd}GrYk;0pJz8!g0TIkJY*<r
zP_%6wIJ@!=*Pj~^kZU#2@$8I=pm0Q1H_3KipLIg&L|wF*)U0R<tzt+`x-I!e_nvSz
z$upvoyrTAJsKZ8P2@zFJtsuRKi!y=La}B$~hC^B|Ye)o5w?A>&w{ylDSU)q`saBRq
z0l8k}KpO?ouYXhPRmp8G39|&n#oNb>$*pOZ6By~|Sx~#QBhqPHDqsetvsP$)Nvb5+
z{ftP_VjFU`Nd+{ESNA!+bIGE86K3adt8??ut*?&rl&=$t+U4qJxINN))_s7k7jRY~
zaBVGhVwCVIPH=EWUYl@=U_MelTsHwvst9?&v;2+vt`GdTcJmwn|H)$}K(?B%_X(C5
z+QkbWLi*!mU|7wJ{(W|Uqvjn2MB@OgtZv;YySZ5Ti_PP_mZMBK53Gs}v*hO5;@io6
z+XowC(^j~U;x+<~hNDysayei}=#4)}9BS?Ps1lxVxa6-Eu<8JE&LCgn-lC6p5qW)m
z{0I4z23G%*)dp=@rYicL;^z?FQNtXB4wr#n)9(>?uJR8y)caydQeSbYSggNk>e*<~
z_vMnh?X=1*j#rCm5sJEtPP5@liuJeH%M^rJLMC?zZE+!pe*~`4|DGg2+?xC$mYfIP
ze)_|7aarl7U{^1%=P5X*zP$hU74wY1!>ZA(nu``fH7h*vrvx<I`Za<@M%6Pp*jp5v
z7P>l(I;K17HuQo@r9!Ti25r`5+PQJo%$}1Aq314Bm!+9^c!bROAH~W=2x&#5g5Ehd
zMxEEuX4C3U!((-R)G*h82bE5_a>mex4&u(1zHGU;75p<st!L9m!g5XbqPzn6H4$va
zj<`a(qmYurI5zQEfklT2B!hoqH~FZ=ErP`G?Y@|T4C;?-EbBep9gn*A0F7@sU%U5R
zqT0itt805+_&fbJ)v}Bc8aVgrcszA+X4^=i@L7`n@VCpFqKtzAC&vAb#Ddeu&he3l
z4X!I^E=RiN<LG2g66aFAKI37<MNfh6a2Be~B^t)7AF)HyZ$`zkdcbtQ8=kjMTGRH8
z7>ijAPlb*2I)dnF_V<}T-nf<rcv7dLNOFD^S&@D*xDJVaT~DRAi!S+DoKPi$Ph8pQ
zCfMJd!0A`6<BJ)9JHBr^sJ{jB&L~z290VoXUcYM@a9b#Kn}gH}o{rsMYu2CHl<La-
zA&1j$toSOFpmfJBeYJ0*qi}!BiDb0uJKN5q`7Wu3Uewh8utU)|XI-L%q+V5JET&M=
zL&D|f9JYY9S!s*Q;7tT)`(<>~x^q>{8L>73pZXic$_~_Tptm$@-JrxI6*nXiVtB2d
zQa`O)KeA*D4le4F9Y@(ztRwh`Lu)<clAce;1Wp9j(bQ`;4F{Qq)+QJxUF(!b54X(v
ztWC<SQ-P}CfuK3dn#`DwD3Lb&W%af>&wx(&>NlOzYf1(WM_;9dINq}%@_I|GGi~bX
zKmA#>EpMO5fQ07Ofcb_AR8V-<*+fk1Y*XoKyN-0BTjO9XxTdTPz9-ooy3!#^T|nks
zbnrd;(aB`2Ba?2VE|3QANX(EjPIzVQ+?$h#oY%&%LeZq|Jje0N0W>OKRS5cK21}C&
zim!cBD6QYdqquFbU55{)%QNKTeyO#srmt!p?M;pekaAvZV@S6e-22h4RXf?|iOtc$
zQF+<1Whj(V)6_!ZJg<#Jv`zSh1t}*U_8<g5hh&#MQ(2Gd)-jM00sT1miN?RcQ-yik
zLF&j&JK=2xDuXJhQ@KDyG)R1^<5O<iMjI4a!ZG#N841{Pr)$SpPSiOGDE*{okYUt=
z`p;ER;H3$dwahMV?HO~c9yWxpzpH2<%wcZt3F<oybZ^QzDdXJj135~d$d*8ozwW)S
z$YYH?Qn7$0#Mxq~zEH_D(T7sps~%35C-iCrER<-kO-pMtAL%7$3C4Pm+P81em~<47
z;HUPb3xAeR$x)`!23xG{;CpM=xdO&(A(1?f0Jr%xGTy7)BFOe{ahF`2*A=(HZp?x4
z#y(R7NV?q&cmXy)>mj|7z|EA9bqPH@%s%#Kpt@XUl5A&j*Ompb%^E|4pqp<Gd{O+*
zJLH<i{T`1Ue4Gp8nuyvk+cX8Y3EL`5LZXXNSSijFsu_*XnrSCJbhZxWjpmDJX?U|4
zfsa7gRo`;Ua<v~0A=|wonFoxK)5m8%O(pi7P!~l{C$bOO0k9GBqGs1rwRApZyQHVn
zYuB4K^Cy{fm<2X2uAH>KwX@uA(?4UKE-hsKl;wQXjC&}stz4tCj}t)<^X`ca^(Wv>
zcTVr@Q$Fu-5tZjsVqVO`nVWr>frKf90vl`8wWrB%c~Kv^i%Z=vf|A5B$og6CnI>ms
zCn<{BEg546>IDu?8T|t4^qhbEFlzs-SZ)^QB^uv|vF{-zbeRz>;e0Hpy(%DNbihY<
z_ULZ^cCB&{yRwbm_PTk)j2iaQMIYF*X{(t3ra>FqmiGS?b6!zVEZrW55r!Zjh#-t8
zFd~^D=O{9WAUQ}5k`aa+1qKF0gdsLj2@-}J9V8<;OE`$+BtbwKB#B78<2m<!p6@)~
zm(wp@ReP`Qs<pc7SF398|A75Sy~gdW(sKROnxMfLaKfFIpCo^Uz>+y?F!O*32$}?e
zA4c5BS1ztM;MBc~w|8$s)pihDEkTWDEai$H6kk7!ycX|Ai|Z`&v|KduU9a6Pw9iNq
zQ6L{4P>#+JUk7}B5w7;Z``P{1;}&_Z-><A<epw-#rKc+<*&*gt?YQ0xFk8r75|)H0
zPb$}K7|UciyQRqlAMD<@I1RZhJ{A{IYA4Es{DTwcCer}v{b-M!rmk??jBu>$NZHP>
zuxLzxo&0oO>u^QH3J<4cefRB6lR5s7cHe&2Z!Ei8^<k_z!a(GE>y-t}IFSslBj5$j
zZ-fcU11Yu;!MTbQeO;GWppYKTwP+2N^>#JOe=aEITAf`hF+4Y`U+2*A`D_xa>n!eu
ztUmO*5sc_5MaXveb_NEB!mcCH$GOopONFk=TPAgB@8v8Zva`7lX{A)73&4&jqI3z=
zee_ahS6_W)X?_JRkjb62H^-#HG;Wc??4;PFLe9bx5?9wG5(w3h`!urg?cH-#i;J`B
zbJeiX7&8O6{zA0etc9uOtoVNEg@ZX#ig|Kh&N;gQW|jS_mhpzvn@YF(eX-dkIO*F<
z{ADDYlqAe(Vm%G`D;=Cm=C0FalZt*#6Au-_Ppkdisf-1?B~`j6#4#x(mnYc4SCc_E
zu9DE##|x?eWwKkv^R~pP-_JF1!}|t|g$8{chepp!mbIar%zf}ls&+vmLaAFw7Yf#i
zJ-ck?&zWre7e&EueS)^kunbEkbEm5l(Sj?h0|D776~_gbqu|gLl`4^DlBi9u!_=q9
zmWqORj`B*xPt8_u`SlJ&&cO-$6p4lEiC`08y`;B=hOD`fl8BnQy6tO^q7j!0V_wzG
z3y4{Ttk0i@t01r~eXK1|(j^V#lrLB}Q7DuwB~0&b2yK6uXar+VUd6onlsv;G?hQ(<
z`Xa6RL-U@`0!iY+1;Nw96}9M)*Cz>w^SeRr$6I7Fn=|99t9F>1hWI=?WtQEWKg}7r
ziOruv334udQV__(F!ky|-W$`V*YztzrC3f}oq&Wf<?g`9MjneCR|zyB2gzYW=QlrS
z?9Z6?>Jhy^U-6gy_UaKrN#bl96wF%A#W5TOH9XYF&^Km3K!s|~B$VZ{`EANp^=<0r
zP#u5v4mQl7fh#PZ&HBHI9U_&l{YtoUMZ)XJz}x2>UD}J4J$BR0Ee4dH8=3k2x#Mr{
zty!0t3dtEccmLr-#c!&{jodb{9h&M#QI_eO;j;{ho+nugM_abMRTwWaEDy{y)p(;z
zXSH{;l`WkDl^#WLJCzMn($3nzRgp=TR&$N(zS<Hz@;fuRaQ<v|rELGt^<gs^mz9z{
z3OSDVJJ9fxlOd&HsPNs;SYwod6pGy^JcJ&e3BAYcK{P)Wa@0t%k9_=&X{0HbX~}4j
z?~^l6pOzUrNw``x>?yA>T|&}Axg?Xa_EqBb{5sL+>#c3X`no|s*hxak3yw@gUMDqm
zD|i>!&8<!u!p=C8iNFW1_4tZpj2WwDxR*?4Uy`VUng^@uYgYVm{s_?8w0|rQU%A`k
zhb-!>jV=`9dMh@lL!>&V%G_1lcpsm&B)N}czuj6=Au9XQXK!c>r#5T+N5Ulf<ini3
z%}gDnfVOWc9h0K;wEseeA`5>x)H+;v#$6p^1V7<*jBa_8;B-jmcx*aYk|-JZhzK;V
z`PO%3ol9q>U#Pcj>`j%da2c<}Nn>}|<t+<sU}AEEenr2B9hovAY^(LUqM4<TM<Pc-
zkL{0MC3HLm#>7kDW9ZWYAEWlQT2IFjSzYO&lXs84hLYPiFc{wXr1Ov-n)iihlamHr
zR-B|7nZpw*>d8*>>YOBqL34K0)nH|C;q5(quudwyTBe3MIUGkJmq4wYNjZ*FQFoJ3
z%Ce!;vPz*gs6zI<@XjQSB+iG_edA};bmL?>GA2WVF+CX@#>RQu>a5FVMw^n~PqS+8
z`B)X#RCU&r7Q+VG5EkYE+Qnya(FFaI<M((de1+~8r4ZMZEI_-A@*D4EHMXe%Kg&8)
z)a&TFRATfKz5J_0L&GOtK6v)f5!ty%GC2KfWG9XL0t?0!zFFcN_5kL)s8)v^PnL*b
zuS%H0z=Dh|LQ6l(!*gIg>8$QNW;*+PZTXLHe=&rRJvZn-3}HqJ{W?B@dDuF8j{h4t
zLH>;={{~Kwf8)u&ffMB4c=B)H1o=0f{J(MXS$DC9ITzIe^SIJ%ZL74MOJI`&Vl)L^
ze{zX?U`Dr$TDyx$+<4o>H>wm~7y6-RXcocnN}z2Y5sW|RubVbsjW?$ua^u*N4&!=|
z-bOTdw}hqb#cDgGlVU}Ca+`gN8GV5N<S|po_fwAM{?gwrJ@|$Ukv-YPz!gT%R8F>!
z-bn-<5@mV0IC*$r$EbKyjk#{eAH@b%QY3>aWobf2L)};yMs#AWxhd_+U%a2SVS%d&
zJRy4$bC(LK?Ux#EF9-=TO#4M#yNg)ILVuSEYi^L;#cp%fk0Bm$XhyIvVQc(E60JR)
zhW9DQFgG7<KzkbpPQ^g`YV*M@!_|XgEs~&pDS6)ENGQwhIZno?*DjoS_It=K2~(r!
z+Ds?ya?!U()>!8S^U?^(1C22oZKvs+JwbgKBQl$}cG*Gt`SprBbiSo;?6z#$!4oAF
z`J+szdjr+!@Tvu47AL(jgLfJ*j_KkkfuFG!i4Vc;58)9BYKb}@m*VHHO%9VkG>%Hj
zyR!rBI==FZaSS&ynYDWAxem*!b^oXh&Zf2Vqv<$1vxC|vq`y|U&v%#S=3QE8MTO{G
zjRa)Q6-gArQ6bPQ!e7uLcHK;#YNza5id!w6O%V*Z)PaGg%BG}8si=ONV4}+7e1Y;D
zn|;~2Z?S|bDSr192vZ=|J>`RF4a`4&Eu|}r@Nni$4Ng)8T?)`Dq1U@rPGRUm=T_k|
z6vj@tU~6bPv)g<qBObc9CDWUnVjv;N9*-=bo)-f<mADJtJz>AbhIrxQw3<@QMBG$k
zgY_8DZ66`rmr77hDx&WDLZBM0dZP97K%-bbt*B{`oGK@COU6}$H9plKL9l}nSI-_(
zmK&5((``PjB6<=f5>#QU-_O*=0}9<PoN3zKzgE0!lWuM4Xf&0@Xh5G4G{4+Ve2A<p
zdhqp$SM)BoHLcp$bRkZyN9OS#=rXiexDz+5p~@-|V|-F+U)p4Ko643vW*chOvx+l6
z2Q8L<S9pdsr6@~u<6^&@pzV$FN+MOB&{MtBHJaS^QW6MLzX+2<7rJbSm+snro5|@{
z#i~VPG&uO5<@$iLRY>!O!C!px*(H#-pqg*Uiv-k2c??&&8a0TzKsqtAKT^>g64$5$
z%ZZf3bgVVJ_{z0^6j1M0lpSOQ1Z&Q+HdW~vPg%`;)VpqLS;x=cQZ#<v3lCX+@+F5Z
zLOT7n-XO|E-<4*WS7)A8(`*UTA825eUocDlIKPMcL8HvnO9jOzL-~pYHLX_CKf~6X
z@k84Sn)i3*o0J}T1z`Kfjv<^@SUOEenRWhM7F*XWA@L$^%?8Oe&w+E3i=Hjb3y<9m
z-#>8zpe?!Z2lcg<NhE-3EH$8O2PG83`q+&V0_<^AfT4pdcGyYeGGO4yhvoPANC>Dp
z+yZi(_<&@Gb^zqVmlx(ph$Zq%BO=y4tQE?@<^=K)BJu0TM(H<+7?WpR#I-qv-VE^+
zd_KBdV%ksCP+jA@i<-5x97fUeN^*O<yDy?&1)14aGUU4Z^mpZ3G8((hObsQTnJ<2}
zFr<HARL*Vh-fxWFDmXo|A~Z)`KH`yx3#I7c6`ba5=bujLQyaeRTy5Z<$n6ZuHZ7vV
z2sqb2Lhj^>^%cV1yPvRO=(rYWJ_p;_kf>7L#w<Q7;TUbJ?tt*YVeF`EC$f7t7hN_I
zumdw%Uq5J&G_21-z;0y=_l4=j)P)`GTG06xJI|Y#OM^eoO%3xX7{EkSg!HT$mJ00y
zy60DfL6n<<Dg;D&tBMUeRr=GKbm;jXE%#qzk*CD7J;XP4PvA+%qRON_y2pK?r_h8F
z9=c7~*%om3?CqKTuu1cc>pLI4QU%e{a7X|@$xsn?HI}Ja2Koc*x;R-^mO=l)5vFAR
zenPSDrz!m;vauX?EL|6&6g2t+*<;kpSuyb#)@^STC}k~kHR&vryCdc@j)l3WsMSo3
zdehG!-@(_7c22r@|1$pt=$FnV*>z>CT{B+ivKH%)#LHZE{CJUJlSE^aEHb|VAEbC7
zT`R3FR||LP-zZ{Vs9bb!ZuDttpPK(UHs~qG2GjKJHr{c_P|y7+6w6?U6S9tGYm^T*
z4@5J7ZH4tEFFzP3R8HMHlTHYj47mc1PYCa3<G$xmn~?|0F{sb4!93g!EC)5bTY`<m
zL_8_XcB(>#R<0bOI=MoISWHCnEJZjGvpcQ1=^td7<(QfxLNHUJ>b5oH<CtdQ8EG$n
z%WMq@cYEQ3yIv%tnhW6?Jt$2x_t6rREZLx`J}Ih|sEe{F*r8bH7RI5omiT6dy+iQW
z)CA2*4s}2Vn^Us*0J!7JAb8#R5ha+vRq7)0jsjAlz1Wg8Yse8dF2=n2*;JvYx#~KD
z0;k}8nU`9G!Tq{xoy?Kqy34|yZPH6yh*s?QA1czd_e7rIu17h)T|k;#;cTt$1)uLh
z7fuJG$2*r@*2)?l;pVtX$#=%TJK)UbIcK#UY7j9&T_>M6D)d9vF~ecYTHIF{=iBQK
z1X=hH4%zRZ2|UIK`A-e<jrIJ=d@N5>{9bMFA6Oklcz9Q%#RYFJvaufxJ_r6%-NYKA
z{7K3FBV-NCMClOH0DRH6Zv0d47$0Nvzn3Rq7Y)7fTj7*|0P=sPKkr3AUNj%mZ#ho_
z0*3#xQ&J^TK>#qC`o{0%-GBOs0fJ~AfF2D2Daj>L(E-fybbu+owyXi<h|>WvXl_ue
zJ`gNN4~*c8frh{dnwjaJF+soI>Sqdw#jrE|-YFp<xc%FTFFCscCq{RG%ou8>-%H_t
zI!$@woo)cDF%Y0U2H&&5UsXb3KrogOIL9{-gaVLQRnSQ&pl!zm#Nj7C)mR7!6ppX5
z5evZ{J0bx3IBpPG1ke<F2e6NWfNT?h(^zgG8}Akc0E%&UfTdW-CC?-RVB4D!$izE$
zCIkI(@}R_2fIMCaB$W<m;Wd^1oE3qPcsh{DOCUA=Hq(E8Lwuep^?wZvmI+M6%Yay3
z1J@GdL1DQ-P69o!7)}mI;k)-N0RnoFk8e^1#TWc(*@`3wC=*GkZV}ufkie^)rxyKs
G+W!C{q$IEa

diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json
index 741393e93..82d83cea3 100644
--- a/eslzArm/eslz-portal.json
+++ b/eslzArm/eslz-portal.json
@@ -431,29 +431,22 @@
                             }
                         },
                         {
-                            "name": "enableAgentHealth",
-                            "type": "Microsoft.Common.OptionsGroup",
-                            "label": "Deploy Agent Health solution",
-                            "defaultValue": "Yes (recommended)",
-                            "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continuous compliance.",
+                            "name": "userAssignedIdentityResourceGroup",
+                            "type": "Microsoft.Common.TextBox",
+                            "label": "Resource group for the User Assigned Managed Identity for AMA",
+                            "toolTip": "Resource group for the User Assigned Managed Identity for Azure Monitor Agent. Will be created in all subscriptions in scope for the policy",
+                            "visible": "[equals(steps('management').enableLogAnalytics,'Yes')]",
+                            "defaultValue": "rg-ama-prod-001",
                             "constraints": {
-                                "allowedValues": [
-                                    {
-                                        "label": "Yes (recommended)",
-                                        "value": "Yes"
-                                    },
-                                    {
-                                        "label": "No",
-                                        "value": "No"
-                                    }
-                                ]
-                            },
-                            "visible": "[equals(steps('management').enableLogAnalytics,'Yes')]"
+                                "required": "[equals(steps('management').enableLogAnalytics,'Yes')]",
+                                "regex": "^[a-zA-Z0-9][a-zA-Z0-9-_.()]{0,89}[a-zA-Z0-9]$",
+                                "validationMessage": "Please provide a valid resource group name"
+                            }
                         },
                         {
                             "name": "enableChangeTracking",
                             "type": "Microsoft.Common.OptionsGroup",
-                            "label": "Deploy Change Tracking solution",
+                            "label": "Deploy Change Tracking",
                             "defaultValue": "Yes (recommended)",
                             "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continuous compliance.",
                             "constraints": {
@@ -473,7 +466,7 @@
                         {
                             "name": "enableUpdateMgmt",
                             "type": "Microsoft.Common.OptionsGroup",
-                            "label": "Deploy Update Management solution",
+                            "label": "Deploy Azure Update Manager",
                             "defaultValue": "Yes (recommended)",
                             "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continuous compliance.",
                             "constraints": {
@@ -493,67 +486,7 @@
                         {
                             "name": "enableVmInsights",
                             "type": "Microsoft.Common.OptionsGroup",
-                            "label": "Deploy VM Insights solution",
-                            "defaultValue": "Yes (recommended)",
-                            "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continuous compliance.",
-                            "constraints": {
-                                "allowedValues": [
-                                    {
-                                        "label": "Yes (recommended)",
-                                        "value": "Yes"
-                                    },
-                                    {
-                                        "label": "No",
-                                        "value": "No"
-                                    }
-                                ]
-                            },
-                            "visible": "[equals(steps('management').enableLogAnalytics,'Yes')]"
-                        },
-                        {
-                            "name": "enableSqlAssessment",
-                            "type": "Microsoft.Common.OptionsGroup",
-                            "label": "Deploy SQL Assessment solution",
-                            "defaultValue": "Yes (recommended)",
-                            "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continuous compliance.",
-                            "constraints": {
-                                "allowedValues": [
-                                    {
-                                        "label": "Yes (recommended)",
-                                        "value": "Yes"
-                                    },
-                                    {
-                                        "label": "No",
-                                        "value": "No"
-                                    }
-                                ]
-                            },
-                            "visible": "[equals(steps('management').enableLogAnalytics,'Yes')]"
-                        },
-                        {
-                            "name": "enableSqlVulnerabilityAssessment",
-                            "type": "Microsoft.Common.OptionsGroup",
-                            "label": "Deploy SQL Vulnerability Assessment solution",
-                            "defaultValue": "Yes (recommended)",
-                            "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continuous compliance.",
-                            "constraints": {
-                                "allowedValues": [
-                                    {
-                                        "label": "Yes (recommended)",
-                                        "value": "Yes"
-                                    },
-                                    {
-                                        "label": "No",
-                                        "value": "No"
-                                    }
-                                ]
-                            },
-                            "visible": "[equals(steps('management').enableLogAnalytics,'Yes')]"
-                        },
-                        {
-                            "name": "enableSqlAdvancedThreatProtection",
-                            "type": "Microsoft.Common.OptionsGroup",
-                            "label": "Deploy SQL Advanced Threat Protection solution",
+                            "label": "Deploy VM Insights",
                             "defaultValue": "Yes (recommended)",
                             "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continuous compliance.",
                             "constraints": {
@@ -659,17 +592,17 @@
                             "name": "vulnerabilityAssessmentProvider",
                             "type": "Microsoft.Common.OptionsGroup",
                             "label": "Choose the Microsoft Defender for Cloud for servers vulnerability assessments provider",
-                            "defaultValue": "Microsoft Defender for Cloud integrated Qualys scanner (recommended)",
+                            "defaultValue": "Microsoft Defender vulnerability management (recommended)",
                             "toolTip": "Choose the preferred vulnerability assessment provider for Microsoft Defender for Cloud for servers vulnerability assessments.<br>Uses the custom initiative <a href=\"https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config.html\">Deploy Microsoft Defender for Cloud configuration</a>.",
                             "visible": "[and(equals(steps('management').enableAsc,'Yes'), equals(steps('management').enableAscForServersVulnerabilityAssessments,'DeployIfNotExists'))]",
                             "constraints": {
                                 "allowedValues": [
                                     {
-                                        "label": "Microsoft Defender for Cloud integrated Qualys scanner (recommended)",
+                                        "label": "Microsoft Defender for Cloud integrated Qualys scanner",
                                         "value": "default"
                                     },
                                     {
-                                        "label": "Microsoft Defender vulnerability management",
+                                        "label": "Microsoft Defender vulnerability management (recommended)",
                                         "value": "mdeTvm"
                                     }
                                 ]
@@ -934,26 +867,6 @@
                                 ]
                             },
                             "visible": "[equals(steps('management').enableAsc,'Yes')]"
-                        },
-                        {
-                            "name": "enableSecuritySolution",
-                            "type": "Microsoft.Common.OptionsGroup",
-                            "label": "Deploy Microsoft Sentinel",
-                            "defaultValue": "Yes (recommended)",
-                            "toolTip": "If 'Yes' is selected the Microsoft Sentinel solution will be deployed and enabled on the Log Analytics workspace created by the Azure Landing Zone deployment.",
-                            "constraints": {
-                                "allowedValues": [
-                                    {
-                                        "label": "Yes (recommended)",
-                                        "value": "Yes"
-                                    },
-                                    {
-                                        "label": "No",
-                                        "value": "No"
-                                    }
-                                ]
-                            },
-                            "visible": "[equals(steps('management').enableLogAnalytics,'Yes')]"
                         }
                     ]
                 },
@@ -3196,6 +3109,30 @@
                                     },
                                     "visible": "[equals(steps('management').enableLogAnalytics,'Yes')]"
                                 },
+                                {
+                                    "name": "enableVmHybridMonitoring",
+                                    "type": "Microsoft.Common.OptionsGroup",
+                                    "label": "Ensure Hybrid VMs are being monitored",
+                                    "defaultValue": "Yes (recommended)",
+                                    "toolTip": "Enabling this Azure Policy will ensure that Azure Arc Enabled Hybrid VMs are monitored.",
+                                    "constraints": {
+                                        "allowedValues": [
+                                            {
+                                                "label": "Yes (recommended)",
+                                                "value": "Yes"
+                                            },
+                                            {
+                                                "label": "Audit only",
+                                                "value": "Audit"
+                                            },
+                                            {
+                                                "label": "No",
+                                                "value": "No"
+                                            }
+                                        ]
+                                    },
+                                    "visible": "[equals(steps('management').enableLogAnalytics,'Yes')]"
+                                },
                                 {
                                     "name": "enableAksPolicy",
                                     "type": "Microsoft.Common.OptionsGroup",
@@ -3939,15 +3876,11 @@
                 "telemetryOptOut": "[steps('core').cuaSection.telemetryOptOut]",
                 "enforceKvGuardrailsPlat": "[steps('management').esPlatformMgmtGroup.enforceKvGuardrailsPlat]",
                 "enableLogAnalytics": "[steps('management').enableLogAnalytics]",
-                "retentionInDays": "[string(steps('management').retentionInDays)]",
-                "managementSubscriptionId": "[steps('management').esMgmtSubSection.esMgmtSub]",
-                "enableAgentHealth": "[steps('management').enableAgentHealth]",
                 "enableChangeTracking": "[steps('management').enableChangeTracking]",
                 "enableUpdateMgmt": "[steps('management').enableUpdateMgmt]",
                 "enableVmInsights": "[steps('management').enableVmInsights]",
-                "enableSqlAssessment": "[steps('management').enableSqlAssessment]",
-                "enableSqlVulnerabilityAssessment": "[steps('management').enableSqlVulnerabilityAssessment]",
-                "enableSqlAdvancedThreatProtection": "[steps('management').enableSqlAdvancedThreatProtection]",
+                "retentionInDays": "[string(steps('management').retentionInDays)]",
+                "managementSubscriptionId": "[steps('management').esMgmtSubSection.esMgmtSub]",
                 "enableAsc": "[steps('management').enableAsc]",
                 "emailContactAsc": "[steps('management').emailContactAsc]",
                 "enableAscForServers": "[steps('management').enableAscForServers]",
@@ -3966,7 +3899,6 @@
                 "enableAscForDns": "[steps('management').enableAscForDns]",
                 "enableAscForContainers": "[steps('management').enableAscForContainers]",
                 "enableMDEndpoints": "[steps('management').enableMDEndpoints]",
-                "enableSecuritySolution": "[steps('management').enableSecuritySolution]",
                 "enableMonitorBaselines": "[steps('monitor').enableMonitorBaselines]",
                 "monitorAlertsResourceGroup": "[steps('monitor').monitorAlertsResourceGroup]",
                 "emailContactActionGroup": "[steps('monitor').emailContactActionGroup]",
@@ -4020,6 +3952,7 @@
                 "enableEncryptionInTransit": "[steps('landingZones').lzSection.enableEncryptionInTransit]",
                 "enableVmMonitoring": "[steps('landingZones').lzSection.enableVmMonitoring]",
                 "enableVmssMonitoring": "[steps('landingZones').lzSection.enableVmssMonitoring]",
+                "enableVmHybridMonitoring": "[steps('landingZones').lzSection.enableVmHybridMonitoring]",
                 "enableAksPolicy": "[steps('landingZones').lzSection.enableAksPolicy]",
                 "denyAksPrivileged": "[steps('landingZones').lzSection.denyAksPrivileged]",
                 "denyAksPrivilegedEscalation": "[steps('landingZones').lzSection.denyAksPrivilegedEscalation]",
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index aeaf204ea..4da865bc6 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -48,14 +48,6 @@
                 "description": "Provide the subscription id of an existing, empty subscription you want to dedicate for management. If you don't want to bring a subscription, leave this parameter empty as is."
             }
         },
-        "enableAgentHealth": {
-            "type": "string",
-            "defaultValue": "No",
-            "allowedValues": [
-                "Yes",
-                "No"
-            ]
-        },
         "enableChangeTracking": {
             "type": "string",
             "defaultValue": "No",
@@ -80,30 +72,6 @@
             ],
             "defaultValue": "Yes"
         },
-        "enableSqlAssessment": {
-            "type": "string",
-            "allowedValues": [
-                "Yes",
-                "No"
-            ],
-            "defaultValue": "Yes"
-        },
-        "enableSqlVulnerabilityAssessment": {
-            "type": "string",
-            "allowedValues": [
-                "Yes",
-                "No"
-            ],
-            "defaultValue": "Yes"
-        },
-        "enableSqlAdvancedThreatProtection": {
-            "type": "string",
-            "allowedValues": [
-                "Yes",
-                "No"
-            ],
-            "defaultValue": "Yes"
-        },
         "enableAsc": {
             "type": "string",
             "defaultValue": "No",
@@ -140,7 +108,7 @@
         },
         "vulnerabilityAssessmentProvider": {
             "type": "string",
-            "defaultValue": "default",
+            "defaultValue": "mdeTvm",
             "allowedValues": [
                 "default",
                 "mdeTvm"
@@ -253,12 +221,13 @@
         },
         "enableSecuritySolution": {
             "type": "string",
-            "defaultValue": "No",
+            "defaultValue": "Yes",
             "allowedValues": [
                 "Yes",
                 "No"
             ]
         },
+
         "enableMonitorBaselines": {
             "type": "string",
             "defaultValue": "",
@@ -632,6 +601,18 @@
                 "description": "If 'Yes' is selected, policy will be assigned to enforce VMSS monitoring."
             }
         },
+        "enableVmHybridMonitoring": {
+            "type": "string",
+            "defaultValue": "No",
+            "allowedValues": [
+                "Yes",
+                "Audit",
+                "No"
+            ],
+            "metadata": {
+                "description": "If 'Yes' is selected, policy will be assigned to enforce Hybrid VM monitoring."
+            }
+        },
         "enableAksPolicy": {
             "type": "string",
             "defaultValue": "No",
@@ -843,6 +824,14 @@
             "metadata": {
                 "description": "The current date and time using the utcNow function. Used for deployment name uniqueness"
             }
+        },
+        "userAssignedIdentityResourceGroup": {
+            "type": "string",
+            "defaultValue": "rg-ama-prod-001",
+            "maxLength": 90,
+            "metadata": {
+                "description": "Name of the resource group to be created for the User Assigned Managed Identity in each subscription."
+            }
         }
     },
     "variables": {
@@ -914,6 +903,8 @@
             "nvaConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/nvahubspoke-connectivity.json')]",
             "subscriptionPlacement": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/subscriptionOrganization/subscriptionOrganization.json')]",
             "monitoring": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/logAnalyticsWorkspace.json')]",
+            "dataCollectionRuleVmInsights": "[uri(deployment().properties.templateLink.uri, 'resourceGroupTemplates/dataCollectionRule-VmInsights.json')]",
+            "userAssignedIdentity": "[uri(deployment().properties.templateLink.uri, 'resourceGroupTemplates/userAssignedIdentity.json')]",
             "resourceGroup": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/resourceGroup.json')]",
             "ddosProtection": "[uri(deployment().properties.templateLink.uri, 'resourceGroupTemplates/ddosProtection.json')]",
             "logAnalyticsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-LogAnalyticsPolicyAssignment.json')]",
@@ -927,6 +918,7 @@
             "atpSqlDbPolicyInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-AtpSqlDbPolicyAssignment.json')]",
             "azVmMonitorPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-VMMonitoringPolicyAssignment.json')]",
             "azVmssMonitorPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-VMSSMonitoringPolicyAssignment.json')]",
+            "azVmHybridMonitorPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-VMHybridMonitoringPolicyAssignment.json')]",
             "azVmBackupPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-VMBackupPolicyAssignment.json')]",
             "azPolicyForAksPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-AksPolicyPolicyAssignment.json')]",
             "aksPrivEscalationPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-AksPrivEscalationPolicyAssignment.json')]",
@@ -959,10 +951,20 @@
             "classicResourcesPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-ClassicResourceTypesPolicyAssignment.json')]",
             "govMdfcPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/gov/fairfaxDINE-MDFCConfigPolicyAssignment.json')]",
             "costOptimizationPolicyInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/AUDIT-UnusedResourcesPolicyAssignment.json')]",
+            "zoneResilientPolicyInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/AUDIT-ZoneResilientPolicyAssignment.json')]",
+            "resourceRgLocationPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/AUDIT-ResourceRGLocationPolicyAssignment.json')]",
             "VMUnmanagedDiskPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-VMUnmanagedDiskPolicyAssignment.json')]",
             "diagnosticSettingsforManagementGroups": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/diagSettingsMGs/diagSettingsMGs.json')]",
             // references to https://github.com/Azure/azure-monitor-baseline-alerts
-            "monitorPolicyDefinitions": "[uri(variables('rootUris').monitorRepo, 'patterns/alz/alzArm.json')]"
+            "monitorPolicyDefinitions": "[uri(variables('rootUris').monitorRepo, 'patterns/alz/alzArm.json')]",
+            "userAssignedIdentityPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-UserAssignedIdentityVMInsightsAssignment.json')]",
+            "azureUpdateManagerPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/MODIFY-AUM-CheckUpdatesPolicyAssignment.json')]",
+            "dataCollectionRuleChangeTracking": "[uri(deployment().properties.templateLink.uri, 'resourceGroupTemplates/dataCollectionRule-CT.json')]",
+            "ChangeTrackingVmPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMPolicyAssignment.json')]",
+            "ChangeTrackingVmArcPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMArcPolicyAssignment.json')]",
+            "ChangeTrackingVmssPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMSSPolicyAssignment.json')]",
+            "MDFCDefenderSqlAma": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-MDFCDefenderSQLAMAPolicyAssignment.json')]",
+            "dataCollectionRuleMdfcDefenderSQL": "[uri(deployment().properties.templateLink.uri, 'resourceGroupTemplates/dataCollectionRule-DefenderSQL.json')]"
         },
         // Declaring deterministic deployment names
         "deploymentSuffix": "[concat('-', deployment().location, '-', guid(parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow')))]",
@@ -980,6 +982,7 @@
             "ddosHubPolicyDeploymentName": "[take(concat('alz-DDoSHubPolicy', variables('deploymentSuffix')), 64)]",
             "ddosLzPolicyDeploymentName": "[take(concat('alz-DDoSLZPolicy', variables('deploymentSuffix')), 64)]",
             "monitoringDeploymentName": "[take(concat('alz-Monitoring', variables('deploymentSuffix')), 64)]",
+            "dataCollectionRuleVmInsightsDeploymentName": "[take(concat('alz-DataCollectionRuleVmInsights', variables('deploymentSuffix')), 64)]",
             "logAnalyticsPolicyDeploymentName": "[take(concat('alz-LAPolicy', variables('deploymentSuffix')), 64)]",
             "monitorConnectivityDeploymentName": "[take(concat('alz-ConnectivityMonitor', variables('deploymentSuffix')), 64)]",
             "monitorIdentityDeploymentName": "[take(concat('alz-IdentityMonitor', variables('deploymentSuffix')), 64)]",
@@ -999,6 +1002,7 @@
             "nvaConnectivityHubDeploymentName": "[take(concat('alz-NVAHub', variables('deploymentSuffix')), 64)]",
             "azVmMonitorPolicyDeploymentName": "[take(concat('alz-AzVmMonitor', variables('deploymentSuffix')), 64)]",
             "azVmssMonitorPolicyDeploymentName": "[take(concat('alz-AzVmssMonitor', variables('deploymentSuffix')), 64)]",
+            "azVmHybridMonitorPolicyDeploymentName": "[take(concat('alz-AzVmHybridMonitor', variables('deploymentSuffix')), 64)]",
             "azBackupLzPolicyDeploymentName": "[take(concat('alz-AzBackupLz', variables('deploymentSuffix')), 64)]",
             "azBackupIdentityPolicyDeploymentName": "[take(concat('alz-AzBackupIdentity', variables('deploymentSuffix')), 64)]",
             "azPolicyForAksPolicyDeploymentName": "[take(concat('alz-AksPolicy', variables('deploymentSuffix')), 64)]",
@@ -1043,10 +1047,22 @@
             "pidCuaDeploymentName": "[take(concat('pid-', variables('cuaid'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'))), 64)]",
             "denyClassicResourcePolicyDeploymentName": "[take(concat('alz-NoClassicResource', variables('deploymentSuffix')), 64)]",
             "costOptimizationDeploymentName": "[take(concat('alz-CostOptimization', variables('deploymentSuffix')), 64)]",
+            "zoneResilientDeploymentName": "[take(concat('alz-ZoneResilient', variables('deploymentSuffix')), 64)]",
+            "resourceRgLocationDeploymentName": "[take(concat('alz-ResourceRGLoc', variables('deploymentSuffix')), 64)]",
             "denyVMUnmanagedDiskPolicyDeploymentName": "[take(concat('alz-NoUnmanagedDiskResource', variables('deploymentSuffix')), 64)]",
             "ztnPhase1PidCuaDeploymentName": "[take(concat('pid-', variables('ztnPhase1CuaId'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'), coalesce(parameters('connectivitySubscriptionId'), parameters('singlePlatformSubscriptionId'))), '-ztnp1'), 64)]",
             "ambaPortalPidCuaDeploymentName": "[take(concat('pid-', variables('ambaPortalCuaId'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'), coalesce(parameters('connectivitySubscriptionId'), parameters('singlePlatformSubscriptionId'))), '-ztnp1'), 64)]",
-            "diagnosticSettingsforMGsDeploymentName": "[take(concat('alz-DiagSettingsMGs', variables('deploymentSuffix')), 64)]"
+            "diagnosticSettingsforMGsDeploymentName": "[take(concat('alz-DiagSettingsMGs', variables('deploymentSuffix')), 64)]",
+            "userAssignedIdentityRgDeploymentName": "[take(concat('alz-UserAssignedIdentityRg', variables('deploymentSuffix')), 60)]",
+            "userAssignedIdentityDeploymentName": "[take(concat('alz-UserAssignedIdentity', variables('deploymentSuffix')), 60)]",
+            "userAssignedIdentityPolicyDeploymentName": "[take(concat('alz-UserAssignedIdentityPolicy', variables('deploymentSuffix')), 64)]",
+            "azureUpdateManagerPolicyDeploymentName": "[take(concat('alz-AzureUpdateManager', variables('deploymentSuffix')), 64)]",
+            "dataCollectionRuleChangeTrackingDeploymentName": "[take(concat('alz-DataCollectionRuleChangeTracking', variables('deploymentSuffix')), 64)]",
+            "ChangeTrackingVmDeploymentName": "[take(concat('alz-ChangeTracking-VM', variables('deploymentSuffix')), 64)]",
+            "ChangeTrackingVmArcDeploymentName": "[take(concat('alz-ChangeTracking-VMArc', variables('deploymentSuffix')), 64)]",
+            "ChangeTrackingVmssDeploymentName": "[take(concat('alz-ChangeTracking-VMSS', variables('deploymentSuffix')), 64)]",
+            "MDFCDefenderSqlAmaDeploymentName": "[take(concat('alz-MDFCDefenderSqlAma', variables('deploymentSuffix')), 64)]",
+            "dataCollectionRuleMdfcDefenderSQLDeploymentName": "[take(concat('alz-DataCollectionRuleDefenderSQL', variables('deploymentSuffix')), 64)]"
         },
         "esLiteDeploymentNames": {
             "mgmtGroupLiteDeploymentName": "[take(concat('alz-MgsLite', variables('deploymentSuffix')), 64)]",
@@ -1065,7 +1081,10 @@
             "ddosHubLitePolicyDeploymentName": "[take(concat('alz-DDoSHubPolicyLite', variables('deploymentSuffix')), 64)]",
             "privateDnsZoneRgLiteDeploymentName": "[take(concat('alz-PrivDNSRGLite', variables('deploymentSuffix')), 64)]",
             "privateDnsZonesLiteDeploymentName": "[take(concat('alz-PrivDNSLite', variables('deploymentSuffix')), 35)]",
-            "monitorPolicyLiteDeploymentName": "[take(concat('alz-MonitorPolicyLite', variables('deploymentSuffix')), 64)]"
+            "monitorPolicyLiteDeploymentName": "[take(concat('alz-MonitorPolicyLite', variables('deploymentSuffix')), 64)]",
+            "dataCollectionRuleVmInsightsLiteDeploymentName": "[take(concat('alz-DataCollectionRuleVmInsightsLite', variables('deploymentSuffix')), 64)]",
+            "dataCollectionRuleChangeTrackingLiteDeploymentName": "[take(concat('alz-DataCollectionRuleChangeTrackingLite', variables('deploymentSuffix')), 64)]",
+            "dataCollectionRuleMdfcDefenderSQLLiteDeploymentName": "[take(concat('alz-DataCollectionRuleDefenderSQLLite', variables('deploymentSuffix')), 64)]"
         },
         // Declaring deterministic names for Resource Groups that will be created for platform resources
         "platformRgNames": {
@@ -1079,6 +1098,10 @@
         // Declaring deterministic names for platform resources that will be created
         "platformResourceNames": {
             "logAnalyticsWorkspace": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-law')]",
+            "dataCollectionRuleVmInsights": "[concat('dcr-vminsights-prod-', parameters('connectivityLocation'), '-001')]",
+            "dataCollectionRuleChangeTracking": "[concat('dcr-changetracking-prod-', parameters('connectivityLocation'), '-001')]",
+            "dataCollectionRuleMdfcDefenderSql": "[concat('dcr-defendersql-prod-', parameters('connectivityLocation'), '-001')]",
+            "userAssignedIdentity": "[concat('id-ama-prod-', parameters('connectivityLocation'), '-001')]",
             "automationAccount": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-aauto')]",
             "vpnGwName": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vpngw-', parameters('connectivityLocation'))]",
             "erGwName": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-ergw-', parameters('connectivityLocation'))]",
@@ -1098,6 +1121,9 @@
         "singleVsDedicatedConnectivitySub": "[if(empty(parameters('connectivitySubscriptionId')), parameters('singlePlatformSubscriptionId'), parameters('connectivitySubscriptionId'))]",
         "platformResourceIds": {
             "logAnalyticsResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedMgmtSub'), '/resourceGroups/', variables('platformRgNames').mgmtRg, '/providers/Microsoft.OperationalInsights/workspaces/', variables('platformResourceNames').logAnalyticsWorkspace)]",
+            "dataCollectionRuleVmInsightsResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedMgmtSub'), '/resourceGroups/', variables('platformRgNames').mgmtRg, '/providers/Microsoft.Insights/dataCollectionRules/', variables('platformResourceNames').dataCollectionRuleVmInsights)]",
+            "dataCollectionRuleChangeTrackingResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedMgmtSub'), '/resourceGroups/', variables('platformRgNames').mgmtRg, '/providers/Microsoft.Insights/dataCollectionRules/', variables('platformResourceNames').dataCollectionRuleChangeTracking)]",
+            "dataCollectionRuleMdfcDefenderSQLResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedMgmtSub'), '/resourceGroups/', variables('platformRgNames').mgmtRg, '/providers/Microsoft.Insights/dataCollectionRules/', variables('platformResourceNames').dataCollectionRuleMdfcDefenderSql)]",
             "automationResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedMgmtSub'), '/resourceGroups/', variables('platformRgNames').mgmtRg, '/providers/Microsoft.Automation/automationAccounts/', variables('platformResourceNames').automationAccount)]",
             "ddosProtectionResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedConnectivitySub'), '/resourceGroups/', variables('platformRgNames').ddosRg, '/providers/Microsoft.Network/ddosProtectionPlans/', variables('platformResourceNames').ddosName)]",
             "vNetHubResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedConnectivitySub'), '/resourceGroups/', variables('platformRgNames').connectivityRg, '/providers/Microsoft.Network/virtualNetworks/', variables('platformResourceNames').hubName)]",
@@ -1183,6 +1209,7 @@
         },
         "privateDnsZonesMerge": "[if(and(contains(variables('azBackupGeoCodes'), parameters('connectivityLocation')), contains(variables('privateDnsZones'), 'privatelink.regionGeoShortCode.backup.windowsazure.com')), union(createArray(replace(variables('privateDnsZones')[0], '.regionGeoShortCode.', concat('.', variables('azBackupGeoCodes')[toLower(parameters('connectivityLocation'))], '.'))), variables('privateDnsZones')), variables('privateDnsZones'))]",
         "privateDnsZonesMergedWithBackupPlaceholderRemoved": "[filter(variables('privateDnsZonesMerge'), lambda('i', not(equals(lambdaVariables('i'), 'privatelink.regionGeoShortCode.backup.windowsazure.com'))))]",
+        "subscriptionIds": "[union(parameters('onlineLzSubscriptionId'), parameters('corpLzSubscriptionId'), parameters('corpConnectedLzSubscriptionId'), if(empty(parameters('singlePlatformSubscriptionId')), createArray(parameters('managementSubscriptionId'), parameters('connectivitySubscriptionId'), parameters('identitySubscriptionId')), createArray(parameters('singlePlatformSubscriptionId'))))]",
         "roleDefinitions": {
             "networkContributor": "4d97b98b-1d4f-4787-a291-c67834d212e7"
         },
@@ -1570,8 +1597,170 @@
             }
         },
         {
-            // Deploying Log Analytics solutions to Log Analytics workspace if condition is true
-            "condition": "[and(and(not(empty(parameters('managementSubscriptionId'))), equals(parameters('enableLogAnalytics'), 'Yes')),  equals(parameters('enableLogAnalytics'), 'Yes'), or(or(or(or(or(or(equals(parameters('enableSecuritySolution'), 'Yes'), equals(parameters('enableAgentHealth'), 'Yes')), equals(parameters('enableChangeTracking'), 'Yes')), equals(parameters('enableUpdateMgmt'), 'Yes'), equals(parameters('enableVmInsights'), 'Yes')), equals(parameters('enableSqlAssessment'), 'Yes')), equals(parameters('enableSqlAdvancedThreatProtection'), 'Yes')), equals(parameters('enableSqlVulnerabilityAssessment'), 'Yes')))]",
+            // Deploying Data Collection Rule for Log Analytics workspace if condition is true
+            "condition": "[and(not(empty(parameters('managementSubscriptionId'))), equals(parameters('enableLogAnalytics'), 'Yes'))]",
+            "type": "Microsoft.Resources/deployments",
+            "apiVersion": "2020-10-01",
+            "name": "[variables('deploymentNames').dataCollectionRuleVmInsightsDeploymentName]",
+            "location": "[deployment().location]",
+            "subscriptionId": "[parameters('managementSubscriptionId')]",
+            "dependsOn": [
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]"
+            ],
+            "properties": {
+                "mode": "Incremental",
+                "templateLink": {
+                    "contentVersion": "1.0.0.0",
+                    "uri": "[variables('deploymentUris').dataCollectionRuleVmInsights]"
+                },
+                "parameters": {
+                    "WorkspaceResourceId": {
+                        "value": "[variables('platformResourceIds').logAnalyticsResourceId]"
+                    },
+                    "WorkspaceLocation": {
+                        "value": "[deployment().location]"
+                    },
+                    "userGivenDcrName": {
+                        "value": "[variables('platformResourceNames').dataCollectionRuleVmInsights]"
+                    }
+                }
+            }
+        },
+        {
+            // Deploying Data Collection Rule for Change Tracking if condition is true
+            "condition": "[and(not(empty(parameters('managementSubscriptionId'))), equals(parameters('enableLogAnalytics'), 'Yes'), equals(parameters('enableChangeTracking'), 'Yes'))]",
+            "type": "Microsoft.Resources/deployments",
+            "apiVersion": "2020-10-01",
+            "name": "[variables('deploymentNames').dataCollectionRuleChangeTrackingDeploymentName]",
+            "location": "[deployment().location]",
+            "subscriptionId": "[parameters('managementSubscriptionId')]",
+            "dependsOn": [
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]"
+            ],
+            "properties": {
+                "mode": "Incremental",
+                "templateLink": {
+                    "contentVersion": "1.0.0.0",
+                    "uri": "[variables('deploymentUris').dataCollectionRuleChangeTracking]"
+                },
+                "parameters": {
+                    "WorkspaceResourceId": {
+                        "value": "[variables('platformResourceIds').logAnalyticsResourceId]"
+                    },
+                    "WorkspaceLocation": {
+                        "value": "[deployment().location]"
+                    },
+                    "dataCollectionRuleName": {
+                        "value": "[variables('platformResourceNames').dataCollectionRuleChangeTracking]"
+                    }
+                }
+            }
+        },
+        {
+            // Deploying Data Collection Rule for Mdfc Defender for SQL if condition is true
+            "condition": "[and(not(empty(parameters('managementSubscriptionId'))), equals(parameters('enableLogAnalytics'), 'Yes'), equals(parameters('enableAscForSqlOnVm'), 'DeployIfNotExists'))]",
+            "type": "Microsoft.Resources/deployments",
+            "apiVersion": "2020-10-01",
+            "name": "[variables('deploymentNames').dataCollectionRuleMdfcDefenderSQLDeploymentName]",
+            "location": "[deployment().location]",
+            "subscriptionId": "[parameters('managementSubscriptionId')]",
+            "dependsOn": [
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]"
+            ],
+            "properties": {
+                "mode": "Incremental",
+                "templateLink": {
+                    "contentVersion": "1.0.0.0",
+                    "uri": "[variables('deploymentUris').dataCollectionRuleMdfcDefenderSQL]"
+                },
+                "parameters": {
+                    "WorkspaceResourceId": {
+                        "value": "[variables('platformResourceIds').logAnalyticsResourceId]"
+                    },
+                    "WorkspaceLocation": {
+                        "value": "[deployment().location]"
+                    },
+                    "userGivenDcrName": {
+                        "value": "[variables('platformResourceNames').dataCollectionRuleMdfcDefenderSql]"
+                    }
+                }
+            }
+        },
+        {
+            // Creating resource group for user assigned identity
+            "condition": "[and(equals(parameters('enableLogAnalytics'), 'Yes'), not(empty(variables('subscriptionIds'))))]",
+            "type": "Microsoft.Resources/deployments",
+            "apiVersion": "2020-10-01",
+            "name": "[concat(variables('deploymentNames').userAssignedIdentityRgDeploymentName, copyIndex())]",
+            "subscriptionId": "[variables('subscriptionIds')[copyIndex()]]",
+            "location": "[deployment().location]",
+            "dependsOn": [
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]",
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]",
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').identitySubscriptionPlacement)]",
+                "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').platformLiteSubscriptionPlacement)]",
+                "onlineLzs",
+                "corpLzs",
+                "corpConnectedMoveLzs"
+            ],
+            "copy": {
+                "name": "userAssignedIdentityRg",
+                "count": "[length(variables('subscriptionIds'))]"
+            },
+            "properties": {
+                "mode": "Incremental",
+                "templateLink": {
+                    "contentVersion": "1.0.0.0",
+                    "uri": "[variables('deploymentUris').resourceGroup]"
+                },
+                "parameters": {
+                    "rgName": {
+                        "value": "[parameters('userAssignedIdentityResourceGroup')]"
+                    },
+                    "location": {
+                        "value": "[deployment().location]"
+                    }
+                }
+            }
+        },
+        {
+            // Deploying user assigned identity if condition is true
+            "condition": "[and(equals(parameters('enableLogAnalytics'), 'Yes'), not(empty(variables('subscriptionIds'))))]",
+            "type": "Microsoft.Resources/deployments",
+            "apiVersion": "2020-10-01",
+            "name": "[concat(variables('deploymentNames').userAssignedIdentityDeploymentName, copyIndex())]",
+            "location": "[deployment().location]",
+            "subscriptionId": "[variables('subscriptionIds')[copyIndex()]]",
+            "dependsOn": [
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+                "userAssignedIdentityRg"
+            ],
+            "copy": {
+                "name": "userAssignedIdentity",
+                "count": "[length(variables('subscriptionIds'))]"
+            },
+            "properties": {
+                "mode": "Incremental",
+                "templateLink": {
+                    "contentVersion": "1.0.0.0",
+                    "uri": "[variables('deploymentUris').userAssignedIdentity]"
+                },
+                "parameters": {
+                    "location": {
+                        "value": "[deployment().location]"
+                    },
+                    "userAssignedIdentityName": {
+                        "value": "[variables('platformResourceNames').userAssignedIdentity]"
+                    },
+                    "userAssignedIdentityResourceGroup": {
+                        "value": "[parameters('userAssignedIdentityResourceGroup')]"
+                    }
+                }
+            }
+        },
+        {
+            // Deploying Sentinel to Log Analytics workspace if condition is true
+            "condition": "[and(equals(parameters('enableLogAnalytics'), 'Yes'), not(empty(parameters('managementSubscriptionId'))), equals(parameters('enableSecuritySolution'), 'Yes'))]",
             "type": "Microsoft.Resources/deployments",
             "apiVersion": "2020-10-01",
             "name": "[variables('deploymentNames').monitoringSolutionsDeploymentName]",
@@ -1599,27 +1788,6 @@
                     },
                     "enableSecuritySolution": {
                         "value": "[parameters('enableSecuritySolution')]"
-                    },
-                    "enableAgentHealth": {
-                        "value": "[parameters('enableAgentHealth')]"
-                    },
-                    "enableChangeTracking": {
-                        "value": "[parameters('enableChangeTracking')]"
-                    },
-                    "enableUpdateMgmt": {
-                        "value": "[parameters('enableUpdateMgmt')]"
-                    },
-                    "enableVmInsights": {
-                        "value": "[parameters('enableVmInsights')]"
-                    },
-                    "enableSqlAssessment": {
-                        "value": "[parameters('enableSqlAssessment')]"
-                    },
-                    "enableSqlAdvancedThreatProtection": {
-                        "value": "[parameters('enableSqlAdvancedThreatProtection')]"
-                    },
-                    "enableSqlVulnerabilityAssessment": {
-                        "value": "[parameters('enableSqlVulnerabilityAssessment')]"
                     }
                 }
             }
@@ -1834,6 +2002,54 @@
                 }
             }
         },
+        {
+            // Assigning Zone Resilient policy initiative to intermediate root management group
+            "condition": "[or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId'))))]",
+            "type": "Microsoft.Resources/deployments",
+            "apiVersion": "2020-10-01",
+            "name": "[variables('deploymentNames').zoneResilientDeploymentName]",
+            "scope": "[variables('scopes').eslzRootManagementGroup]",
+            "location": "[deployment().location]",
+            "dependsOn": [
+                "policyCompletion"
+            ],
+            "properties": {
+                "mode": "Incremental",
+                "templateLink": {
+                    "contentVersion": "1.0.0.0",
+                    "uri": "[variables('deploymentUris').zoneResilientPolicyInitiative]"
+                },
+                "parameters": {
+                    "enforcementMode": {
+                        "value": "Default"
+                    }
+                }
+            }
+        }, 
+        {
+            // Assigning Audit resource location matches resource group location policy to intermediate root management group
+            "condition": "[or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId'))))]",
+            "type": "Microsoft.Resources/deployments",
+            "apiVersion": "2020-10-01",
+            "name": "[variables('deploymentNames').resourceRgLocationDeploymentName]",
+            "scope": "[variables('scopes').eslzRootManagementGroup]",
+            "location": "[deployment().location]",
+            "dependsOn": [
+                "policyCompletion"
+            ],
+            "properties": {
+                "mode": "Incremental",
+                "templateLink": {
+                    "contentVersion": "1.0.0.0",
+                    "uri": "[variables('deploymentUris').resourceRgLocationPolicyAssignment]"
+                },
+                "parameters": {
+                    "enforcementMode": {
+                        "value": "Default"
+                    }
+                }
+            }
+        },        
         {
             // Assigning Azure Security Center configuration policy initiative to intermediate root management group if condition is true
             "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableAsc'), 'Yes'), equals(environment().resourceManager, 'https://management.azure.com/'))]",
@@ -2583,15 +2799,17 @@
             }
         },
         {
-            // Assigning Azure Monitor for VMs policy initiative to intermediate root management group if condition is true
-            "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'), or(equals(parameters('enableVmMonitoring'), 'Yes'), equals(parameters('enableVmMonitoring'), 'Audit')))]",
+            // Assigning Azure Monitor for VMs policy initiative to platform management group if condition is true
+            "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'), or(equals(parameters('enableVmMonitoring'), 'Yes'), equals(parameters('enableVmMonitoring'), 'Audit')), equals(parameters('enableVmInsights'), 'Yes'))]",
             "type": "Microsoft.Resources/deployments",
             "apiVersion": "2020-10-01",
             "name": "[variables('deploymentNames').azVmMonitorPolicyDeploymentName]",
-            "scope": "[variables('scopes').eslzRootManagementGroup]",
+            "scope": "[variables('scopes').platformManagementGroup]",
             "location": "[deployment().location]",
             "dependsOn": [
-                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]"
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').dataCollectionRuleVmInsightsDeploymentName)]",
+                "userAssignedIdentity"
             ],
             "properties": {
                 "mode": "Incremental",
@@ -2600,91 +2818,707 @@
                     "uri": "[variables('deploymentUris').azVmMonitorPolicyAssignment]"
                 },
                 "parameters": {
-                    "logAnalyticsResourceId": {
-                        "value": "[variables('platformResourceIds').logAnalyticsResourceId]"
+                    "dataCollectionRuleResourceId": {
+                        "value": "[variables('platformResourceIds').dataCollectionRuleVmInsightsResourceId]"
                     },
                     "topLevelManagementGroupPrefix": {
                         "value": "[parameters('enterpriseScaleCompanyPrefix')]"
                     },
                     "enforcementMode": {
                         "value": "[if(equals(parameters('enableVmMonitoring'), 'Yes'), 'Default', 'DoNotEnforce')]"
+                    },
+                    "userAssignedManagedIdentityResourceGroup": {
+                        "value": "[parameters('userAssignedIdentityResourceGroup')]"
+                    },
+                    "userAssignedManagedIdentityName": {
+                        "value": "[variables('platformResourceNames').userAssignedIdentity]"
+                    },
+                    "scope": {
+                        "value": "[variables('scopes').platformManagementGroup]"
                     }
                 }
             }
         },
         {
-            // Assigning Azure Monitor for VMSS policy initiative to intermediate root management group if condition is true
-            "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'), or(equals(parameters('enableVmssMonitoring'), 'Yes'), equals(parameters('enableVmMonitoring'), 'Audit')))]",
+            // Assigning Azure Monitor for VMs policy initiative to landing zone management group if condition is true
+            "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'), or(equals(parameters('enableVmMonitoring'), 'Yes'), equals(parameters('enableVmMonitoring'), 'Audit')), equals(parameters('enableVmInsights'), 'Yes'))]",
             "type": "Microsoft.Resources/deployments",
             "apiVersion": "2020-10-01",
-            "name": "[variables('deploymentNames').azVmssMonitorPolicyDeploymentName]",
-            "scope": "[variables('scopes').eslzRootManagementGroup]",
+            "name": "[variables('deploymentNames').azVmMonitorPolicyDeploymentName]",
+            "scope": "[variables('scopes').lzsManagementGroup]",
             "location": "[deployment().location]",
             "dependsOn": [
-                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]"
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').dataCollectionRuleVmInsightsDeploymentName)]",
+                "userAssignedIdentity"
             ],
             "properties": {
                 "mode": "Incremental",
                 "templateLink": {
                     "contentVersion": "1.0.0.0",
-                    "uri": "[variables('deploymentUris').azVmssMonitorPolicyAssignment]"
+                    "uri": "[variables('deploymentUris').azVmMonitorPolicyAssignment]"
                 },
                 "parameters": {
-                    "logAnalyticsResourceId": {
-                        "value": "[variables('platformResourceIds').logAnalyticsResourceId]"
+                    "dataCollectionRuleResourceId": {
+                        "value": "[variables('platformResourceIds').dataCollectionRuleVmInsightsResourceId]"
                     },
                     "topLevelManagementGroupPrefix": {
                         "value": "[parameters('enterpriseScaleCompanyPrefix')]"
                     },
                     "enforcementMode": {
-                        "value": "[if(equals(parameters('enableVmssMonitoring'), 'Yes'), 'Default', 'DoNotEnforce')]"
+                        "value": "[if(equals(parameters('enableVmMonitoring'), 'Yes'), 'Default', 'DoNotEnforce')]"
+                    },
+                    "userAssignedManagedIdentityResourceGroup": {
+                        "value": "[parameters('userAssignedIdentityResourceGroup')]"
+                    },
+                    "userAssignedManagedIdentityName": {
+                        "value": "[variables('platformResourceNames').userAssignedIdentity]"
+                    },
+                    "scope": {
+                        "value": "[variables('scopes').lzsManagementGroup]"
                     }
                 }
             }
         },
         {
-            // Assigning Azure Backup policy to landing zones management group if condition is true
-            "condition": "[or(equals(parameters('enableVmBackup'), 'Yes'), equals(parameters('enableVmBackup'), 'Audit'))]",
+            // Assigning Azure Monitor for VMSS policy initiative to platform management group if condition is true
+            "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'), or(equals(parameters('enableVmssMonitoring'), 'Yes'), equals(parameters('enableVmssMonitoring'), 'Audit')), equals(parameters('enableVmInsights'), 'Yes'))]",
             "type": "Microsoft.Resources/deployments",
             "apiVersion": "2020-10-01",
-            "name": "[variables('deploymentNames').azBackupLzPolicyDeploymentName]",
-            "scope": "[variables('scopes').lzsManagementGroup]",
+            "name": "[variables('deploymentNames').azVmssMonitorPolicyDeploymentName]",
+            "scope": "[variables('scopes').platformManagementGroup]",
             "location": "[deployment().location]",
             "dependsOn": [
-                "policyCompletion"
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').dataCollectionRuleVmInsightsDeploymentName)]",
+                "userAssignedIdentity"
             ],
             "properties": {
                 "mode": "Incremental",
                 "templateLink": {
                     "contentVersion": "1.0.0.0",
-                    "uri": "[variables('deploymentUris').azVmBackupPolicyAssignment]"
+                    "uri": "[variables('deploymentUris').azVmssMonitorPolicyAssignment]"
                 },
                 "parameters": {
+                    "dataCollectionRuleResourceId": {
+                        "value": "[variables('platformResourceIds').dataCollectionRuleVmInsightsResourceId]"
+                    },
                     "topLevelManagementGroupPrefix": {
                         "value": "[parameters('enterpriseScaleCompanyPrefix')]"
                     },
                     "enforcementMode": {
-                        "value": "[if(equals(parameters('enableVmBackup'), 'Yes'), 'Default', 'DoNotEnforce')]"
+                        "value": "[if(equals(parameters('enableVmMonitoring'), 'Yes'), 'Default', 'DoNotEnforce')]"
+                    },
+                    "userAssignedManagedIdentityResourceGroup": {
+                        "value": "[parameters('userAssignedIdentityResourceGroup')]"
+                    },
+                    "userAssignedManagedIdentityName": {
+                        "value": "[variables('platformResourceNames').userAssignedIdentity]"
+                    },
+                    "scope": {
+                        "value": "[variables('scopes').platformManagementGroup]"
                     }
                 }
             }
         },
         {
-            // Assigning DDoS Policy to enforce DDoS on virtual networks in landing zones management group if condition evaluates to true
-            "condition": "[and(or(equals(parameters('enableLzDdoS'), 'Yes'), equals(parameters('enableLzDdoS'), 'Audit')), not(empty(parameters('connectivitySubscriptionId'))))]",
+            // Assigning Azure Monitor for VMSS policy initiative to landing zone management group if condition is true
+            "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'), or(equals(parameters('enableVmssMonitoring'), 'Yes'), equals(parameters('enableVmssMonitoring'), 'Audit')), equals(parameters('enableVmInsights'), 'Yes'))]",
             "type": "Microsoft.Resources/deployments",
             "apiVersion": "2020-10-01",
-            "name": "[variables('deploymentNames').ddosLzPolicyDeploymentName]",
+            "name": "[variables('deploymentNames').azVmssMonitorPolicyDeploymentName]",
             "scope": "[variables('scopes').lzsManagementGroup]",
             "location": "[deployment().location]",
             "dependsOn": [
-                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]"
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').dataCollectionRuleVmInsightsDeploymentName)]",
+                "userAssignedIdentity"
             ],
             "properties": {
                 "mode": "Incremental",
                 "templateLink": {
                     "contentVersion": "1.0.0.0",
-                    "uri": "[variables('deploymentUris').ddosPolicyAssignment]"
+                    "uri": "[variables('deploymentUris').azVmssMonitorPolicyAssignment]"
+                },
+                "parameters": {
+                    "dataCollectionRuleResourceId": {
+                        "value": "[variables('platformResourceIds').dataCollectionRuleVmInsightsResourceId]"
+                    },
+                    "topLevelManagementGroupPrefix": {
+                        "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+                    },
+                    "enforcementMode": {
+                        "value": "[if(equals(parameters('enableVmMonitoring'), 'Yes'), 'Default', 'DoNotEnforce')]"
+                    },
+                    "userAssignedManagedIdentityResourceGroup": {
+                        "value": "[parameters('userAssignedIdentityResourceGroup')]"
+                    },
+                    "userAssignedManagedIdentityName": {
+                        "value": "[variables('platformResourceNames').userAssignedIdentity]"
+                    },
+                    "scope": {
+                        "value": "[variables('scopes').lzsManagementGroup]"
+                    }
+                }
+            }
+        },
+        {
+            // Assigning Azure Monitor for Arc-enabled VMs policy initiative to platform management group if condition is true
+            "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'), or(equals(parameters('enableVmHybridMonitoring'), 'Yes'), equals(parameters('enableVmHybridMonitoring'), 'Audit')), equals(parameters('enableVmInsights'), 'Yes'))]",
+            "type": "Microsoft.Resources/deployments",
+            "apiVersion": "2020-10-01",
+            "name": "[variables('deploymentNames').azVmHybridMonitorPolicyDeploymentName]",
+            "scope": "[variables('scopes').platformManagementGroup]",
+            "location": "[deployment().location]",
+            "dependsOn": [
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').dataCollectionRuleVmInsightsDeploymentName)]"
+            ],
+            "properties": {
+                "mode": "Incremental",
+                "templateLink": {
+                    "contentVersion": "1.0.0.0",
+                    "uri": "[variables('deploymentUris').azVmHybridMonitorPolicyAssignment]"
+                },
+                "parameters": {
+                    "dataCollectionRuleResourceId": {
+                        "value": "[variables('platformResourceIds').dataCollectionRuleVmInsightsResourceId]"
+                    },
+                    "topLevelManagementGroupPrefix": {
+                        "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+                    },
+                    "enforcementMode": {
+                        "value": "[if(equals(parameters('enableVmHybridMonitoring'), 'Yes'), 'Default', 'DoNotEnforce')]"
+                    },
+                    "scope": {
+                        "value": "[variables('scopes').platformManagementGroup]"
+                    }
+                }
+            }
+        },
+        {
+            // Assigning Azure Monitor for Arc-enabled VMs policy initiative to landing management group if condition is true
+            "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'), or(equals(parameters('enableVmHybridMonitoring'), 'Yes'), equals(parameters('enableVmHybridMonitoring'), 'Audit')), equals(parameters('enableVmInsights'), 'Yes'))]",
+            "type": "Microsoft.Resources/deployments",
+            "apiVersion": "2020-10-01",
+            "name": "[variables('deploymentNames').azVmHybridMonitorPolicyDeploymentName]",
+            "scope": "[variables('scopes').lzsManagementGroup]",
+            "location": "[deployment().location]",
+            "dependsOn": [
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').dataCollectionRuleVmInsightsDeploymentName)]"
+            ],
+            "properties": {
+                "mode": "Incremental",
+                "templateLink": {
+                    "contentVersion": "1.0.0.0",
+                    "uri": "[variables('deploymentUris').azVmHybridMonitorPolicyAssignment]"
+                },
+                "parameters": {
+                    "dataCollectionRuleResourceId": {
+                        "value": "[variables('platformResourceIds').dataCollectionRuleVmInsightsResourceId]"
+                    },
+                    "topLevelManagementGroupPrefix": {
+                        "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+                    },
+                    "enforcementMode": {
+                        "value": "[if(equals(parameters('enableVmHybridMonitoring'), 'Yes'), 'Default', 'DoNotEnforce')]"
+                    },
+                    "scope": {
+                        "value": "[variables('scopes').lzsManagementGroup]"
+                    }
+                }
+            }
+        },
+        {
+            // Assigning User Managed Identity policy to landing zone management group if condition is true
+            "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'), or(equals(parameters('enableVmInsights'), 'Yes'), equals(parameters('enableAscForSqlOnVm'), 'DeployIfNotExists')))]",
+            "type": "Microsoft.Resources/deployments",
+            "apiVersion": "2020-10-01",
+            "name": "[variables('deploymentNames').userAssignedIdentityPolicyDeploymentName]",
+            "scope": "[variables('scopes').lzsManagementGroup]",
+            "location": "[deployment().location]",
+            "dependsOn": [
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').dataCollectionRuleVmInsightsDeploymentName)]",
+                "userAssignedIdentity"
+            ],
+            "properties": {
+                "mode": "Incremental",
+                "templateLink": {
+                    "contentVersion": "1.0.0.0",
+                    "uri": "[variables('deploymentUris').userAssignedIdentityPolicyAssignment]"
+                },
+                "parameters": {
+                    "topLevelManagementGroupPrefix": {
+                        "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+                    },
+                    "enforcementMode": {
+                        "value": "DoNotEnforce"
+                    },
+                    "userAssignedManagedIdentityResourceGroup": {
+                        "value": "[parameters('userAssignedIdentityResourceGroup')]"
+                    },
+                    "userAssignedManagedIdentityName": {
+                        "value": "[variables('platformResourceNames').userAssignedIdentity]"
+                    },
+                    "location": {
+                        "value": "[deployment().location]"
+                    }
+                }
+            }
+        },
+        {
+            // Assigning Azure Update Manager policy to platform management group if condition is true
+            "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'), equals(parameters('enableUpdateMgmt'), 'Yes'))]",
+            "type": "Microsoft.Resources/deployments",
+            "apiVersion": "2020-10-01",
+            "name": "[variables('deploymentNames').azureUpdateManagerPolicyDeploymentName]",
+            "scope": "[variables('scopes').platformManagementGroup]",
+            "location": "[deployment().location]",
+            "dependsOn": [
+                "policyCompletion"
+            ],
+            "properties": {
+                "mode": "Incremental",
+                "templateLink": {
+                    "contentVersion": "1.0.0.0",
+                    "uri": "[variables('deploymentUris').azureUpdateManagerPolicyAssignment]"
+                },
+                "parameters": {
+                    "topLevelManagementGroupPrefix": {
+                        "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+                    },
+                    "enforcementMode": {
+                        "value": "Default"
+                    },
+                    "assessmentMode": {
+                        "value": "AutomaticByPlatform"
+                    },
+                    "locations": {
+                        "value": [ "asia", "asiapacific", "australia", "australiacentral", "australiacentral2", "australiaeast", "australiasoutheast", "brazil", "brazilsouth", "brazilsoutheast", "brazilus", "canada", "canadacentral", "canadaeast", "centralindia", "centralus", "centralusstage", "eastasia", "eastasiastage", "eastus", "eastusstage", "eastus2", "eastus2stage", "europe", "france", "francecentral", "francesouth", "germany", "germanynorth", "germanywestcentral", "global", "india", "israelcentral", "italynorth", "japan", "japaneast", "japanwest", "jioindiacentral", "jioindiawest", "korea", "koreacentral", "koreasouth", "northcentralus", "northcentralusstage", "northeurope", "norway", "norwayeast", "norwaywest", "polandcentral", "qatarcentral", "singapore", "southafrica", "southafricanorth", "southafricawest", "southcentralus", "southcentralusstage", "southindia", "southeastasia", "southeastasiastage", "sweden", "swedencentral", "switzerland", "switzerlandnorth", "switzerlandwest", "uaecentral", "uaenorth", "uksouth", "ukwest", "uae", "uk", "unitedstates", "unitedstateseuap", "westcentralus", "westeurope", "westindia", "westus", "westusstage", "westus2", "westus2stage", "westus3" ]
+                    },
+                    "scope": {
+                        "value": "[variables('scopes').platformManagementGroup]"
+                    }
+                }
+            }
+        },
+        {
+            // Assigning Azure Update Manager policy to landing zone management group if condition is true
+            "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'), equals(parameters('enableUpdateMgmt'), 'Yes'))]",
+            "type": "Microsoft.Resources/deployments",
+            "apiVersion": "2020-10-01",
+            "name": "[variables('deploymentNames').azureUpdateManagerPolicyDeploymentName]",
+            "scope": "[variables('scopes').lzsManagementGroup]",
+            "location": "[deployment().location]",
+            "dependsOn": [
+                "policyCompletion"
+            ],
+            "properties": {
+                "mode": "Incremental",
+                "templateLink": {
+                    "contentVersion": "1.0.0.0",
+                    "uri": "[variables('deploymentUris').azureUpdateManagerPolicyAssignment]"
+                },
+                "parameters": {
+                    "topLevelManagementGroupPrefix": {
+                        "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+                    },
+                    "enforcementMode": {
+                        "value": "Default"
+                    },
+                    "assessmentMode": {
+                        "value": "AutomaticByPlatform"
+                    },
+                    "locations": {
+                        "value": [ "asia", "asiapacific", "australia", "australiacentral", "australiacentral2", "australiaeast", "australiasoutheast", "brazil", "brazilsouth", "brazilsoutheast", "brazilus", "canada", "canadacentral", "canadaeast", "centralindia", "centralus", "centralusstage", "eastasia", "eastasiastage", "eastus", "eastusstage", "eastus2", "eastus2stage", "europe", "france", "francecentral", "francesouth", "germany", "germanynorth", "germanywestcentral", "global", "india", "israelcentral", "italynorth", "japan", "japaneast", "japanwest", "jioindiacentral", "jioindiawest", "korea", "koreacentral", "koreasouth", "northcentralus", "northcentralusstage", "northeurope", "norway", "norwayeast", "norwaywest", "polandcentral", "qatarcentral", "singapore", "southafrica", "southafricanorth", "southafricawest", "southcentralus", "southcentralusstage", "southindia", "southeastasia", "southeastasiastage", "sweden", "swedencentral", "switzerland", "switzerlandnorth", "switzerlandwest", "uaecentral", "uaenorth", "uksouth", "ukwest", "uae", "uk", "unitedstates", "unitedstateseuap", "westcentralus", "westeurope", "westindia", "westus", "westusstage", "westus2", "westus2stage", "westus3" ]
+                    },
+                    "scope": {
+                        "value": "[variables('scopes').lzsManagementGroup]"
+                    }
+                }
+            }
+        },
+        {
+            // Assigning ChangeTracking for VMs policy initiative to platform management group if condition is true
+            "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'), equals(parameters('enableChangeTracking'), 'Yes'))]",
+            "type": "Microsoft.Resources/deployments",
+            "apiVersion": "2020-10-01",
+            "name": "[variables('deploymentNames').ChangeTrackingVmDeploymentName]",
+            "scope": "[variables('scopes').platformManagementGroup]",
+            "location": "[deployment().location]",
+            "dependsOn": [
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').dataCollectionRuleChangeTrackingDeploymentName)]",
+                "userAssignedIdentity"
+            ],
+            "properties": {
+                "mode": "Incremental",
+                "templateLink": {
+                    "contentVersion": "1.0.0.0",
+                    "uri": "[variables('deploymentUris').ChangeTrackingVmPolicyAssignment]"
+                },
+                "parameters": {
+                    "dataCollectionRuleResourceId": {
+                        "value": "[variables('platformResourceIds').dataCollectionRuleChangeTrackingResourceId]"
+                    },
+                    "topLevelManagementGroupPrefix": {
+                        "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+                    },
+                    "enforcementMode": {
+                        "value": "[if(equals(parameters('enableVmMonitoring'), 'Yes'), 'Default', 'DoNotEnforce')]"
+                    },
+                    "userAssignedManagedIdentityResourceGroup": {
+                        "value": "[parameters('userAssignedIdentityResourceGroup')]"
+                    },
+                    "userAssignedManagedIdentityName": {
+                        "value": "[variables('platformResourceNames').userAssignedIdentity]"
+                    },
+                    "scope": {
+                        "value": "[variables('scopes').platformManagementGroup]"
+                    }
+                }
+            }
+        },
+        {
+            // Assigning ChangeTracking for VMs policy initiative to landing zone management group if condition is true
+            "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'), equals(parameters('enableChangeTracking'), 'Yes'))]",
+            "type": "Microsoft.Resources/deployments",
+            "apiVersion": "2020-10-01",
+            "name": "[variables('deploymentNames').ChangeTrackingVmDeploymentName]",
+            "scope": "[variables('scopes').lzsManagementGroup]",
+            "location": "[deployment().location]",
+            "dependsOn": [
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').dataCollectionRuleChangeTrackingDeploymentName)]",
+                "userAssignedIdentity"
+            ],
+            "properties": {
+                "mode": "Incremental",
+                "templateLink": {
+                    "contentVersion": "1.0.0.0",
+                    "uri": "[variables('deploymentUris').ChangeTrackingVmPolicyAssignment]"
+                },
+                "parameters": {
+                    "dataCollectionRuleResourceId": {
+                        "value": "[variables('platformResourceIds').dataCollectionRuleChangeTrackingResourceId]"
+                    },
+                    "topLevelManagementGroupPrefix": {
+                        "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+                    },
+                    "enforcementMode": {
+                        "value": "[if(equals(parameters('enableVmMonitoring'), 'Yes'), 'Default', 'DoNotEnforce')]"
+                    },
+                    "userAssignedManagedIdentityResourceGroup": {
+                        "value": "[parameters('userAssignedIdentityResourceGroup')]"
+                    },
+                    "userAssignedManagedIdentityName": {
+                        "value": "[variables('platformResourceNames').userAssignedIdentity]"
+                    },
+                    "scope": {
+                        "value": "[variables('scopes').lzsManagementGroup]"
+                    }
+                }
+            }
+        },
+        {
+            // Assigning ChangeTracking for VMSS policy initiative to platform management group if condition is true
+            "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'), equals(parameters('enableChangeTracking'), 'Yes'))]",
+            "type": "Microsoft.Resources/deployments",
+            "apiVersion": "2020-10-01",
+            "name": "[variables('deploymentNames').ChangeTrackingVmssDeploymentName]",
+            "scope": "[variables('scopes').platformManagementGroup]",
+            "location": "[deployment().location]",
+            "dependsOn": [
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').dataCollectionRuleChangeTrackingDeploymentName)]",
+                "userAssignedIdentity"
+            ],
+            "properties": {
+                "mode": "Incremental",
+                "templateLink": {
+                    "contentVersion": "1.0.0.0",
+                    "uri": "[variables('deploymentUris').ChangeTrackingVmssPolicyAssignment]"
+                },
+                "parameters": {
+                    "dataCollectionRuleResourceId": {
+                        "value": "[variables('platformResourceIds').dataCollectionRuleChangeTrackingResourceId]"
+                    },
+                    "topLevelManagementGroupPrefix": {
+                        "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+                    },
+                    "enforcementMode": {
+                        "value": "[if(equals(parameters('enableVmMonitoring'), 'Yes'), 'Default', 'DoNotEnforce')]"
+                    },
+                    "userAssignedManagedIdentityResourceGroup": {
+                        "value": "[parameters('userAssignedIdentityResourceGroup')]"
+                    },
+                    "userAssignedManagedIdentityName": {
+                        "value": "[variables('platformResourceNames').userAssignedIdentity]"
+                    },
+                    "scope": {
+                        "value": "[variables('scopes').platformManagementGroup]"
+                    }
+                }
+            }
+        },
+        {
+            // Assigning ChangeTracking for VMSS policy initiative to landing zone management group if condition is true
+            "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'), equals(parameters('enableChangeTracking'), 'Yes'))]",
+            "type": "Microsoft.Resources/deployments",
+            "apiVersion": "2020-10-01",
+            "name": "[variables('deploymentNames').ChangeTrackingVmssDeploymentName]",
+            "scope": "[variables('scopes').lzsManagementGroup]",
+            "location": "[deployment().location]",
+            "dependsOn": [
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').dataCollectionRuleChangeTrackingDeploymentName)]",
+                "userAssignedIdentity"
+            ],
+            "properties": {
+                "mode": "Incremental",
+                "templateLink": {
+                    "contentVersion": "1.0.0.0",
+                    "uri": "[variables('deploymentUris').ChangeTrackingVmssPolicyAssignment]"
+                },
+                "parameters": {
+                    "dataCollectionRuleResourceId": {
+                        "value": "[variables('platformResourceIds').dataCollectionRuleChangeTrackingResourceId]"
+                    },
+                    "topLevelManagementGroupPrefix": {
+                        "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+                    },
+                    "enforcementMode": {
+                        "value": "[if(equals(parameters('enableVmMonitoring'), 'Yes'), 'Default', 'DoNotEnforce')]"
+                    },
+                    "userAssignedManagedIdentityResourceGroup": {
+                        "value": "[parameters('userAssignedIdentityResourceGroup')]"
+                    },
+                    "userAssignedManagedIdentityName": {
+                        "value": "[variables('platformResourceNames').userAssignedIdentity]"
+                    },
+                    "scope": {
+                        "value": "[variables('scopes').lzsManagementGroup]"
+                    }
+                }
+            }
+        },
+        {
+            // Assigning ChangeTracking for Hyrbid VMs policy initiative to platform management group if condition is true
+            "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'), equals(parameters('enableChangeTracking'), 'Yes'))]",
+            "type": "Microsoft.Resources/deployments",
+            "apiVersion": "2020-10-01",
+            "name": "[variables('deploymentNames').ChangeTrackingVmArcDeploymentName]",
+            "scope": "[variables('scopes').platformManagementGroup]",
+            "location": "[deployment().location]",
+            "dependsOn": [
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').dataCollectionRuleChangeTrackingDeploymentName)]"
+            ],
+            "properties": {
+                "mode": "Incremental",
+                "templateLink": {
+                    "contentVersion": "1.0.0.0",
+                    "uri": "[variables('deploymentUris').ChangeTrackingVmArcPolicyAssignment]"
+                },
+                "parameters": {
+                    "dataCollectionRuleResourceId": {
+                        "value": "[variables('platformResourceIds').dataCollectionRuleChangeTrackingResourceId]"
+                    },
+                    "topLevelManagementGroupPrefix": {
+                        "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+                    },
+                    "enforcementMode": {
+                        "value": "[if(equals(parameters('enableVmHybridMonitoring'), 'Yes'), 'Default', 'DoNotEnforce')]"
+                    },
+                    "scope": {
+                        "value": "[variables('scopes').platformManagementGroup]"
+                    }
+                }
+            }
+        },
+        {
+            // Assigning ChangeTracking for Hyrbid VMs policy initiative to landing zone management group if condition is true
+            "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'), equals(parameters('enableChangeTracking'), 'Yes'))]",
+            "type": "Microsoft.Resources/deployments",
+            "apiVersion": "2020-10-01",
+            "name": "[variables('deploymentNames').ChangeTrackingVmArcDeploymentName]",
+            "scope": "[variables('scopes').lzsManagementGroup]",
+            "location": "[deployment().location]",
+            "dependsOn": [
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').dataCollectionRuleChangeTrackingDeploymentName)]"
+            ],
+            "properties": {
+                "mode": "Incremental",
+                "templateLink": {
+                    "contentVersion": "1.0.0.0",
+                    "uri": "[variables('deploymentUris').ChangeTrackingVmArcPolicyAssignment]"
+                },
+                "parameters": {
+                    "dataCollectionRuleResourceId": {
+                        "value": "[variables('platformResourceIds').dataCollectionRuleChangeTrackingResourceId]"
+                    },
+                    "topLevelManagementGroupPrefix": {
+                        "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+                    },
+                    "enforcementMode": {
+                        "value": "[if(equals(parameters('enableVmHybridMonitoring'), 'Yes'), 'Default', 'DoNotEnforce')]"
+                    },
+                    "scope": {
+                        "value": "[variables('scopes').lzsManagementGroup]"
+                    }
+                }
+            }
+        },
+        {
+            // Assigning MDFC Defender for SQL AMA initiative to platform management group if condition is true
+            "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'), equals(parameters('enableAscForSqlOnVm'), 'DeployIfNotExists'))]",
+            "type": "Microsoft.Resources/deployments",
+            "apiVersion": "2020-10-01",
+            "name": "[variables('deploymentNames').MDFCDefenderSqlAmaDeploymentName]",
+            "scope": "[variables('scopes').platformManagementGroup]",
+            "location": "[deployment().location]",
+            "dependsOn": [
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+                "userAssignedIdentity"
+            ],
+            "properties": {
+                "mode": "Incremental",
+                "templateLink": {
+                    "contentVersion": "1.0.0.0",
+                    "uri": "[variables('deploymentUris').MDFCDefenderSqlAma]"
+                },
+                "parameters": {
+                    "topLevelManagementGroupPrefix": {
+                        "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+                    },
+                    "enforcementMode": {
+                        "value": "[if(equals(parameters('enableVmMonitoring'), 'Yes'), 'Default', 'DoNotEnforce')]"
+                    },
+                    "workspaceRegion": {
+                        "value": "[deployment().location]"
+                    },
+                    "dcrName": {
+                        "value": "[variables('platformResourceNames').dataCollectionRuleMdfcDefenderSql]"
+                    },
+                    "dcrResourceGroup": {
+                        "value": "[variables('platformRgNames').mgmtRg]"
+                    },
+                    "dcrId": {
+                        "value": "[variables('platformResourceIds').dataCollectionRuleMdfcDefenderSqlResourceId]"
+                    },
+                    "userWorkspaceResourceId": {
+                        "value": "[variables('platformResourceIds').logAnalyticsResourceId]"
+                    },
+                    "identityResourceGroup": {
+                        "value": "[parameters('userAssignedIdentityResourceGroup')]"
+                    },
+                    "userAssignedIdentityName": {
+                        "value": "[variables('platformResourceNames').userAssignedIdentity]"
+                    },
+                    "scope": {
+                        "value": "[variables('scopes').platformManagementGroup]"
+                    }
+                }
+            }
+        },
+        {
+            // Assigning MDFC Defender for SQL AMA initiative to landing zone management group if condition is true
+            "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'), equals(parameters('enableAscForSqlOnVm'), 'DeployIfNotExists'))]",
+            "type": "Microsoft.Resources/deployments",
+            "apiVersion": "2020-10-01",
+            "name": "[variables('deploymentNames').MDFCDefenderSqlAmaDeploymentName]",
+            "scope": "[variables('scopes').lzsManagementGroup]",
+            "location": "[deployment().location]",
+            "dependsOn": [
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+                "userAssignedIdentity"
+            ],
+            "properties": {
+                "mode": "Incremental",
+                "templateLink": {
+                    "contentVersion": "1.0.0.0",
+                    "uri": "[variables('deploymentUris').MDFCDefenderSqlAma]"
+                },
+                "parameters": {
+                    "topLevelManagementGroupPrefix": {
+                        "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+                    },
+                    "enforcementMode": {
+                        "value": "[if(equals(parameters('enableVmMonitoring'), 'Yes'), 'Default', 'DoNotEnforce')]"
+                    },
+                    "workspaceRegion": {
+                        "value": "[deployment().location]"
+                    },
+                    "dcrName": {
+                        "value": "[variables('platformResourceNames').dataCollectionRuleMdfcDefenderSql]"
+                    },
+                    "dcrResourceGroup": {
+                        "value": "[variables('platformRgNames').mgmtRg]"
+                    },
+                    "dcrId": {
+                        "value": "[variables('platformResourceIds').dataCollectionRuleMdfcDefenderSqlResourceId]"
+                    },
+                    "userWorkspaceResourceId": {
+                        "value": "[variables('platformResourceIds').logAnalyticsResourceId]"
+                    },
+                    "identityResourceGroup": {
+                        "value": "[parameters('userAssignedIdentityResourceGroup')]"
+                    },
+                    "userAssignedIdentityName": {
+                        "value": "[variables('platformResourceNames').userAssignedIdentity]"
+                    },
+                    "scope": {
+                        "value": "[variables('scopes').lzsManagementGroup]"
+                    }
+                }
+            }
+        },
+        {
+            // Assigning Azure Backup policy to landing zones management group if condition is true
+            "condition": "[or(equals(parameters('enableVmBackup'), 'Yes'), equals(parameters('enableVmBackup'), 'Audit'))]",
+            "type": "Microsoft.Resources/deployments",
+            "apiVersion": "2020-10-01",
+            "name": "[variables('deploymentNames').azBackupLzPolicyDeploymentName]",
+            "scope": "[variables('scopes').lzsManagementGroup]",
+            "location": "[deployment().location]",
+            "dependsOn": [
+                "policyCompletion"
+            ],
+            "properties": {
+                "mode": "Incremental",
+                "templateLink": {
+                    "contentVersion": "1.0.0.0",
+                    "uri": "[variables('deploymentUris').azVmBackupPolicyAssignment]"
+                },
+                "parameters": {
+                    "topLevelManagementGroupPrefix": {
+                        "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+                    },
+                    "enforcementMode": {
+                        "value": "[if(equals(parameters('enableVmBackup'), 'Yes'), 'Default', 'DoNotEnforce')]"
+                    }
+                }
+            }
+        },
+        {
+            // Assigning DDoS Policy to enforce DDoS on virtual networks in landing zones management group if condition evaluates to true
+            "condition": "[and(or(equals(parameters('enableLzDdoS'), 'Yes'), equals(parameters('enableLzDdoS'), 'Audit')), not(empty(parameters('connectivitySubscriptionId'))))]",
+            "type": "Microsoft.Resources/deployments",
+            "apiVersion": "2020-10-01",
+            "name": "[variables('deploymentNames').ddosLzPolicyDeploymentName]",
+            "scope": "[variables('scopes').lzsManagementGroup]",
+            "location": "[deployment().location]",
+            "dependsOn": [
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]"
+            ],
+            "properties": {
+                "mode": "Incremental",
+                "templateLink": {
+                    "contentVersion": "1.0.0.0",
+                    "uri": "[variables('deploymentUris').ddosPolicyAssignment]"
                 },
                 "parameters": {
                     "ddosPlanResourceId": {
@@ -3864,11 +4698,11 @@
             }
         },
         /*
-            Note: ES Lite only: the following deployments will deploy Log Analytics solutions to the platform subscription
+            Note: ES Lite only: the following deployments will deploy Sentinel to the platform subscription
         */
         {
-            // Deploying Log Analytics solutions to Log Analytics workspace if condition is true
-            "condition": "[and(and(not(empty(parameters('singlePlatformSubscriptionId'))), equals(parameters('enableLogAnalytics'), 'Yes')),  equals(parameters('enableLogAnalytics'), 'Yes'), or(or(or(or(or(or(equals(parameters('enableSecuritySolution'), 'Yes'), equals(parameters('enableAgentHealth'), 'Yes')), equals(parameters('enableChangeTracking'), 'Yes')), equals(parameters('enableUpdateMgmt'), 'Yes'), equals(parameters('enableVmInsights'), 'Yes')), equals(parameters('enableSqlAssessment'), 'Yes')), equals(parameters('enableSqlAdvancedThreatProtection'), 'Yes')), equals(parameters('enableSqlVulnerabilityAssessment'), 'Yes')))]",
+            // Deploying Sentinel to the Log Analytics workspace if condition is true
+            "condition": "[and(equals(parameters('enableLogAnalytics'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))), equals(parameters('enableSecuritySolution'), 'Yes'))]",
             "type": "Microsoft.Resources/deployments",
             "apiVersion": "2020-10-01",
             "name": "[variables('esLiteDeploymentNames').monitoringSolutionsLiteDeploymentName]",
@@ -3896,27 +4730,6 @@
                     },
                     "enableSecuritySolution": {
                         "value": "[parameters('enableSecuritySolution')]"
-                    },
-                    "enableAgentHealth": {
-                        "value": "[parameters('enableAgentHealth')]"
-                    },
-                    "enableChangeTracking": {
-                        "value": "[parameters('enableChangeTracking')]"
-                    },
-                    "enableUpdateMgmt": {
-                        "value": "[parameters('enableUpdateMgmt')]"
-                    },
-                    "enableVmInsights": {
-                        "value": "[parameters('enableVmInsights')]"
-                    },
-                    "enableSqlAssessment": {
-                        "value": "[parameters('enableSqlAssessment')]"
-                    },
-                    "enableSqlAdvancedThreatProtection": {
-                        "value": "[parameters('enableSqlAdvancedThreatProtection')]"
-                    },
-                    "enableSqlVulnerabilityAssessment": {
-                        "value": "[parameters('enableSqlVulnerabilityAssessment')]"
                     }
                 }
             }
@@ -4397,6 +5210,105 @@
                 }
             }
         },
+        /*
+            Note: ES Lite only: deploys Data Collection Rule for Log Analytics workspace
+        */
+        {
+            // Deploying Data Collection Rule for Log Analytics workspace if condition is true
+            "condition": "[and(not(empty(parameters('singlePlatformSubscriptionId'))), equals(parameters('enableLogAnalytics'), 'Yes'))]",
+            "type": "Microsoft.Resources/deployments",
+            "apiVersion": "2020-10-01",
+            "name": "[variables('esLiteDeploymentNames').dataCollectionRuleVmInsightsLiteDeploymentName]",
+            "location": "[deployment().location]",
+            "subscriptionId": "[parameters('singlePlatformSubscriptionId')]",
+            "dependsOn": [
+                "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]"
+            ],
+            "properties": {
+                "mode": "Incremental",
+                "templateLink": {
+                    "contentVersion": "1.0.0.0",
+                    "uri": "[variables('deploymentUris').dataCollectionRuleVmInsights]"
+                },
+                "parameters": {
+                    "WorkspaceResourceId": {
+                        "value": "[variables('platformResourceIds').logAnalyticsResourceId]"
+                    },
+                    "WorkspaceLocation": {
+                        "value": "[deployment().location]"
+                    },
+                    "userGivenDcrName": {
+                        "value": "[variables('platformResourceNames').dataCollectionRuleVmInsights]"
+                    }
+                }
+            }
+        },
+        /*
+            Note: ES Lite only: deploys Data Collection Rule for Change Tracking
+        */
+        {
+            // Deploying Data Collection Rule for Change Tracking if condition is true
+            "condition": "[and(not(empty(parameters('singlePlatformSubscriptionId'))), equals(parameters('enableLogAnalytics'), 'Yes'), equals(parameters('enableChangeTracking'), 'Yes'))]",
+            "type": "Microsoft.Resources/deployments",
+            "apiVersion": "2020-10-01",
+            "name": "[variables('esLiteDeploymentNames').dataCollectionRuleChangeTrackingLiteDeploymentName]",
+            "location": "[deployment().location]",
+            "subscriptionId": "[parameters('singlePlatformSubscriptionId')]",
+            "dependsOn": [
+                "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]"
+            ],
+            "properties": {
+                "mode": "Incremental",
+                "templateLink": {
+                    "contentVersion": "1.0.0.0",
+                    "uri": "[variables('deploymentUris').dataCollectionRuleChangeTracking]"
+                },
+                "parameters": {
+                    "WorkspaceResourceId": {
+                        "value": "[variables('platformResourceIds').logAnalyticsResourceId]"
+                    },
+                    "WorkspaceLocation": {
+                        "value": "[deployment().location]"
+                    },
+                    "dataCollectionRuleName": {
+                        "value": "[variables('platformResourceNames').dataCollectionRuleChangeTracking]"
+                    }
+                }
+            }
+        },
+        /*
+            Note: ES Lite only: deploys Data Collection Rule for Defender for SQL
+        */
+        {
+            // Deploying Data Collection Rule for Mdfc Defender for SQL if condition is true
+            "condition": "[and(not(empty(parameters('singlePlatformSubscriptionId'))), equals(parameters('enableLogAnalytics'), 'Yes'), equals(parameters('enableAscForSqlOnVm'), 'DeployIfNotExists'))]",
+            "type": "Microsoft.Resources/deployments",
+            "apiVersion": "2020-10-01",
+            "name": "[variables('esLiteDeploymentNames').dataCollectionRuleMdfcDefenderSQLLiteDeploymentName]",
+            "location": "[deployment().location]",
+            "subscriptionId": "[parameters('singlePlatformSubscriptionId')]",
+            "dependsOn": [
+                "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]"
+            ],
+            "properties": {
+                "mode": "Incremental",
+                "templateLink": {
+                    "contentVersion": "1.0.0.0",
+                    "uri": "[variables('deploymentUris').dataCollectionRuleMdfcDefenderSQL]"
+                },
+                "parameters": {
+                    "WorkspaceResourceId": {
+                        "value": "[variables('platformResourceIds').logAnalyticsResourceId]"
+                    },
+                    "WorkspaceLocation": {
+                        "value": "[deployment().location]"
+                    },
+                    "userGivenDcrName": {
+                        "value": "[variables('platformResourceNames').dataCollectionRuleMdfcDefenderSql]"
+                    }
+                }
+            }
+        },
         /*
             Note: ES Lite only: assigns policy for identity to enable Azure Backup
         */
diff --git a/eslzArm/eslzArm.terraform-sync.param.json b/eslzArm/eslzArm.terraform-sync.param.json
index cc3b188ef..4ee4086c5 100644
--- a/eslzArm/eslzArm.terraform-sync.param.json
+++ b/eslzArm/eslzArm.terraform-sync.param.json
@@ -63,7 +63,7 @@
             "value": "DeployIfNotExists"
         },
         "vulnerabilityAssessmentProvider": {
-            "value": "default"
+            "value": "mdeTvm"
         },
         "enableAscForOssDb": {
             "value": "DeployIfNotExists"
diff --git a/eslzArm/eslzArm.test.param.json b/eslzArm/eslzArm.test.param.json
index c83eb04fc..895bd7204 100644
--- a/eslzArm/eslzArm.test.param.json
+++ b/eslzArm/eslzArm.test.param.json
@@ -35,27 +35,6 @@
         "retentionInDays": {
             "value": "30"
         },
-        "enableAgentHealth": {
-            "value": "Yes"
-        },
-        "enableChangeTracking": {
-            "value": "Yes"
-        },
-        "enableUpdateMgmt": {
-            "value": "Yes"
-        },
-        "enableVmInsights": {
-            "value": "Yes"
-        },
-        "enableSqlAssessment": {
-            "value": "Yes"
-        },
-        "enableSqlVulnerabilityAssessment": {
-            "value": "Yes"
-        },
-        "enableSqlAdvancedThreatProtection": {
-            "value": "Yes"
-        },
         "enableAsc": {
             "value": "Yes"
         },
@@ -110,9 +89,6 @@
         "enableMDEndpoints": {
             "value": "DeployIfNotExists"
         },
-        "enableSecuritySolution": {
-            "value": "Yes"
-        },
         "addressPrefix": {
             "value": "10.100.0.0/16"
         },
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-ResourceRGLocationPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-ResourceRGLocationPolicyAssignment.json
new file mode 100644
index 000000000..283cf25ac
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-ResourceRGLocationPolicyAssignment.json
@@ -0,0 +1,54 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "enforcementMode": {
+            "type": "string",
+            "allowedValues": [
+                "Default",
+                "DoNotEnforce"
+            ],
+            "defaultValue": "Default"
+        },
+        "nonComplianceMessagePlaceholder": {
+            "type": "string",
+            "defaultValue": "{enforcementMode}"
+        }
+    },
+    "variables": {
+        "policyDefinitions": {
+            "auditRGL": "/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a"
+        },
+        "policyAssignmentNames": {
+            "auditRGL": "Audit-ResourceRGLocation",
+            "description": "Resource Group and Resource locations should match.",
+            "displayName": "Resource Group and Resource locations should match"
+        },
+        "nonComplianceMessage": {
+            "message": "Resources {enforcementMode} be deployed in the same region as the Resource Group.",
+            "Default": "must",
+            "DoNotEnforce": "should"
+        }
+    },
+    "resources": [
+        {
+            "type": "Microsoft.Authorization/policyAssignments",
+            "apiVersion": "2022-06-01",
+            "name": "[variables('policyAssignmentNames').auditRGL]",
+            "properties": {
+                "description": "[variables('policyAssignmentNames').description]",
+                "displayName": "[variables('policyAssignmentNames').displayName]",
+                "policyDefinitionId": "[variables('policyDefinitions').auditRGL]",
+                "enforcementMode": "[parameters('enforcementMode')]",
+                "nonComplianceMessages": [
+                    {
+                        "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+                    }
+                ],
+                "parameters": {
+                }
+            }
+        }
+    ],
+    "outputs": {}
+}
\ No newline at end of file
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-ZoneResilientPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-ZoneResilientPolicyAssignment.json
new file mode 100644
index 000000000..97bb4e064
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-ZoneResilientPolicyAssignment.json
@@ -0,0 +1,78 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "effect": {
+            "type": "string",
+            "allowedValues": [
+                "Deny",
+                "Audit",
+                "Disabled"
+            ],
+            "defaultValue": "Audit"
+        },
+        "allow": {
+            "type": "string",
+            "allowedValues": [
+                "Both",
+                "Redundant",
+                "Aligned"
+            ],
+            "defaultValue": "Both"
+        },
+        "enforcementMode": {
+            "type": "string",
+            "allowedValues": [
+                "Default",
+                "DoNotEnforce"
+            ],
+            "defaultValue": "Default"
+        },
+        "nonComplianceMessagePlaceholder": {
+            "type": "string",
+            "defaultValue": "{enforcementMode}"
+        }
+    },
+    "variables": {
+        "policyDefinitions": {
+            "auditZR": "/providers/Microsoft.Authorization/policySetDefinitions/130fb88f-0fc9-4678-bfe1-31022d71c7d5"
+        },
+        "policyAssignmentNames": {
+            "auditZR": "Audit-ZoneResiliency",
+            "description": "Resources should be Zone Resilient.",
+            "displayName": "Resources should be Zone Resilient"
+        },
+        "nonComplianceMessage": {
+            "message": "Resources {enforcementMode} be Zone Resilient.",
+            "Default": "must",
+            "DoNotEnforce": "should"
+        }
+    },
+    "resources": [
+        {
+            "type": "Microsoft.Authorization/policyAssignments",
+            "apiVersion": "2022-06-01",
+            "name": "[variables('policyAssignmentNames').auditZR]",
+            "properties": {
+                "description": "[variables('policyAssignmentNames').description]",
+                "displayName": "[variables('policyAssignmentNames').displayName]",
+                "policyDefinitionId": "[variables('policyDefinitions').auditZR]",
+                "enforcementMode": "[parameters('enforcementMode')]",
+                "nonComplianceMessages": [
+                    {
+                        "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+                    }
+                ],
+                "parameters": {
+                    "effect": {
+                        "value": "[parameters('effect')]"
+                    },
+                    "allow": {
+                        "value": "[parameters('allow')]"
+                    }
+                }
+            }
+        }
+    ],
+    "outputs": {}
+}
\ No newline at end of file
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMArcPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMArcPolicyAssignment.json
new file mode 100644
index 000000000..6c92082fc
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMArcPolicyAssignment.json
@@ -0,0 +1,192 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "topLevelManagementGroupPrefix": {
+            "type": "string",
+            "maxLength": 10,
+            "metadata": {
+                "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale."
+            }
+        },
+        "dataCollectionRuleResourceId": {
+            "type": "string",
+            "metadata": {
+                "description": "Provide the resourceId to the Data collection rule"
+            }
+        },
+        "enforcementMode": {
+            "type": "string",
+            "allowedValues": [
+                "Default",
+                "DoNotEnforce"
+            ],
+            "defaultValue": "Default"
+        },
+        "nonComplianceMessagePlaceholder": {
+            "type": "string",
+            "defaultValue": "{enforcementMode}"
+        },
+        "effect": {
+            "type": "string",
+            "metadata": {
+                "description": "Enable or disable the policy assignment"
+            },
+            "defaultValue": "DeployIfNotExists",
+            "allowedValues": [
+                "DeployIfNotExists",
+                "Disabled"
+            ]
+        },
+        "listOfApplicableLocations": {
+            "type": "array",
+            "metadata": {
+                "displayName": "Applicable Locations",
+                "description": "The list of locations where the policy should be applied.",
+                "strongType": "location"
+            },
+            "allowedValues": [
+                "australiasoutheast",
+                "australiaeast",
+                "brazilsouth",
+                "canadacentral",
+                "centralindia",
+                "centralus",
+                "eastasia",
+                "eastus2euap",
+                "eastus",
+                "eastus2",
+                "francecentral",
+                "japaneast",
+                "koreacentral",
+                "northcentralus",
+                "northeurope",
+                "norwayeast",
+                "southcentralus",
+                "southeastasia",
+                "switzerlandnorth",
+                "uaenorth",
+                "uksouth",
+                "westcentralus",
+                "westeurope",
+                "westus",
+                "westus2"
+            ],
+            "defaultValue": [
+                "australiasoutheast",
+                "australiaeast",
+                "brazilsouth",
+                "canadacentral",
+                "centralindia",
+                "centralus",
+                "eastasia",
+                "eastus2euap",
+                "eastus",
+                "eastus2",
+                "francecentral",
+                "japaneast",
+                "koreacentral",
+                "northcentralus",
+                "northeurope",
+                "norwayeast",
+                "southcentralus",
+                "southeastasia",
+                "switzerlandnorth",
+                "uaenorth",
+                "uksouth",
+                "westcentralus",
+                "westeurope",
+                "westus",
+                "westus2"
+            ]
+        },
+        "scope": {
+            "type": "String",
+            "metadata": {
+                "displayName": "Scope",
+                "description": "Scope of the policy assignment"
+            }
+        }
+    },
+    "variables": {
+        "policyDefinitions": {
+            "vmArcChangeTracking": "/providers/Microsoft.Authorization/policySetDefinitions/53448c70-089b-4f52-8f38-89196d7f2de1"
+        },
+        "policyAssignmentNames": {
+            "vmArcChangeTracking": "Deploy-vmArc-ChangeTrack",
+            "description": "Enable ChangeTracking and Inventory for Arc-enabled virtual machines. Takes Data Collection Rule ID as parameter and asks for an option to input applicable locations.",
+            "displayName": "Enable ChangeTracking and Inventory for Arc-enabled virtual machines"
+        },
+        "nonComplianceMessage": {
+            "message": "Change Tracking {enforcementMode} be enabled for Arc-enabled Virtual Machines.",
+            "Default": "must",
+            "DoNotEnforce": "should"
+        },
+        "rbacLogAnalyticsContributor": "92aaf0da-9dab-42b6-94a3-d43ce8d16293",
+        "rbacMonitoringContributor": "749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+        "roleAssignmentNames": {
+            "roleAssignmentNameLogAnalyticsContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmArcChangeTracking,'-1',parameters('scope')))]",
+            "roleAssignmentNameMonitoringContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmArcChangeTracking,'-2',parameters('scope')))]"
+        }
+    },
+    "resources": [
+        {
+            "type": "Microsoft.Authorization/policyAssignments",
+            "apiVersion": "2022-06-01",
+            "name": "[variables('policyAssignmentNames').vmArcChangeTracking]",
+            "location": "[deployment().location]",
+            "identity": {
+                "type": "SystemAssigned"
+            },
+            "properties": {
+                "description": "[variables('policyAssignmentNames').description]",
+                "displayName": "[variables('policyAssignmentNames').displayName]",
+                "policyDefinitionId": "[variables('policyDefinitions').vmArcChangeTracking]",
+                "enforcementMode": "[parameters('enforcementMode')]",
+                "nonComplianceMessages": [
+                    {
+                        "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+                    }
+                ],
+                "parameters": {
+                    "dcrResourceId": {
+                        "value": "[parameters('dataCollectionRuleResourceId')]"
+                    },
+                    "listOfApplicableLocations": {
+                        "value": "[parameters('listOfApplicableLocations')]"
+                    },
+                    "effect": {
+                        "value": "[parameters('effect')]"
+                    }
+                }
+            }
+        },
+        {
+            "type": "Microsoft.Authorization/roleAssignments",
+            "apiVersion": "2022-04-01",
+            "name": "[variables('roleAssignmentNames').roleAssignmentNameLogAnalyticsContributor]",
+            "dependsOn": [
+                "[variables('policyAssignmentNames').vmArcChangeTracking]"
+            ],
+            "properties": {
+                "principalType": "ServicePrincipal",
+                "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacLogAnalyticsContributor'))]",
+                "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmArcChangeTracking), '2019-09-01', 'Full' ).identity.principalId)]"
+            }
+        },
+        {
+            "type": "Microsoft.Authorization/roleAssignments",
+            "apiVersion": "2022-04-01",
+            "name": "[variables('roleAssignmentNames').roleAssignmentNameMonitoringContributor]",
+            "dependsOn": [
+                "[variables('policyAssignmentNames').vmArcChangeTracking]"
+            ],
+            "properties": {
+                "principalType": "ServicePrincipal",
+                "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacMonitoringContributor'))]",
+                "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmArcChangeTracking), '2019-09-01', 'Full' ).identity.principalId)]"
+            }
+        }
+    ],
+    "outputs": {}
+}
\ No newline at end of file
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMPolicyAssignment.json
new file mode 100644
index 000000000..175125c45
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMPolicyAssignment.json
@@ -0,0 +1,250 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "topLevelManagementGroupPrefix": {
+            "type": "string",
+            "maxLength": 10,
+            "metadata": {
+                "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale."
+            }
+        },
+        "dataCollectionRuleResourceId": {
+            "type": "string",
+            "metadata": {
+                "description": "Provide the resourceId to the Data collection rule"
+            }
+        },
+        "bringYourOwnUserAssignedManagedIdentity": {
+            "type": "bool",
+            "defaultValue": true,
+            "metadata": {
+                "description": "Provide your own user assigned managed identity to be used for the policy assignment"
+            }
+        },
+        "userAssignedManagedIdentityResourceGroup": {
+            "type": "string",
+            "metadata": {
+                "description": "Provide the resource group name where the user assigned managed identity is located"
+            }
+        },
+        "userAssignedManagedIdentityName": {
+            "type": "string",
+            "metadata": {
+                "description": "Provide the name of the user assigned managed identity"
+            }
+        },
+        "enforcementMode": {
+            "type": "string",
+            "allowedValues": [
+                "Default",
+                "DoNotEnforce"
+            ],
+            "defaultValue": "Default"
+        },
+        "nonComplianceMessagePlaceholder": {
+            "type": "string",
+            "defaultValue": "{enforcementMode}"
+        },
+        "effect": {
+            "type": "string",
+            "metadata": {
+                "description": "Enable or disable the policy assignment"
+            },
+            "defaultValue": "DeployIfNotExists",
+            "allowedValues": [
+                "DeployIfNotExists",
+                "Disabled"
+            ]
+        },
+        "listOfApplicableLocations": {
+            "type": "array",
+            "metadata": {
+                "displayName": "Applicable Locations",
+                "description": "The list of locations where the policy should be applied.",
+                "strongType": "location"
+            },
+            "allowedValues": [
+                "australiasoutheast",
+                "australiaeast",
+                "brazilsouth",
+                "canadacentral",
+                "centralindia",
+                "centralus",
+                "eastasia",
+                "eastus2euap",
+                "eastus",
+                "eastus2",
+                "francecentral",
+                "japaneast",
+                "koreacentral",
+                "northcentralus",
+                "northeurope",
+                "norwayeast",
+                "southcentralus",
+                "southeastasia",
+                "switzerlandnorth",
+                "uaenorth",
+                "uksouth",
+                "westcentralus",
+                "westeurope",
+                "westus",
+                "westus2"
+            ],
+            "defaultValue": [
+                "australiasoutheast",
+                "australiaeast",
+                "brazilsouth",
+                "canadacentral",
+                "centralindia",
+                "centralus",
+                "eastasia",
+                "eastus2euap",
+                "eastus",
+                "eastus2",
+                "francecentral",
+                "japaneast",
+                "koreacentral",
+                "northcentralus",
+                "northeurope",
+                "norwayeast",
+                "southcentralus",
+                "southeastasia",
+                "switzerlandnorth",
+                "uaenorth",
+                "uksouth",
+                "westcentralus",
+                "westeurope",
+                "westus",
+                "westus2"
+            ]
+        },
+        "scope": {
+            "type": "String",
+            "metadata": {
+                "displayName": "Scope",
+                "description": "Scope of the policy assignment"
+            }
+        }
+    },
+    "variables": {
+        "policyDefinitions": {
+            "vmChangeTracking": "/providers/Microsoft.Authorization/policySetDefinitions/92a36f05-ebc9-4bba-9128-b47ad2ea3354"
+        },
+        "policyAssignmentNames": {
+            "vmChangeTracking": "Deploy-VM-ChangeTrack",
+            "description": "Enable ChangeTracking and Inventory for virtual machines. Takes Data Collection Rule ID as parameter and asks for an option to input applicable locations and user-assigned identity for Azure Monitor Agent.",
+            "displayName": "Enable ChangeTracking and Inventory for virtual machines"
+        },
+        "nonComplianceMessage": {
+            "message": "Change Tracking {enforcementMode} be enabled for Virtual Machines.",
+            "Default": "must",
+            "DoNotEnforce": "should"
+        },
+        "rbacVMContributor": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
+        "rbacLogAnalyticsContributor": "92aaf0da-9dab-42b6-94a3-d43ce8d16293",
+        "rbacMonitoringContributor": "749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+        "rbacManagedIdentityOperator": "f1a07417-d97a-45cb-824c-7a7467783830",
+        "roleAssignmentNames": {
+            "roleAssignmentNameLogAnalyticsContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmChangeTracking,parameters('scope')))]",
+            "roleAssignmentNameVmContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmChangeTracking,'-2',parameters('scope')))]",
+            "roleAssignmentNameMonitoringContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmChangeTracking,'-3',parameters('scope')))]",
+            "roleAssignmentNameManagedIdentityOperator": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmChangeTracking,'-4',parameters('scope')))]"
+        }
+    },
+    "resources": [
+        {
+            "type": "Microsoft.Authorization/policyAssignments",
+            "apiVersion": "2022-06-01",
+            "name": "[variables('policyAssignmentNames').vmChangeTracking]",
+            "location": "[deployment().location]",
+            "identity": {
+                "type": "SystemAssigned"
+            },
+            "properties": {
+                "description": "[variables('policyAssignmentNames').description]",
+                "displayName": "[variables('policyAssignmentNames').displayName]",
+                "policyDefinitionId": "[variables('policyDefinitions').vmChangeTracking]",
+                "enforcementMode": "[parameters('enforcementMode')]",
+                "nonComplianceMessages": [
+                    {
+                        "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+                    }
+                ],
+                "parameters": {
+                    "dcrResourceId": {
+                        "value": "[parameters('dataCollectionRuleResourceId')]"
+                    },
+                    "bringYourOwnUserAssignedManagedIdentity": {
+                        "value": "[parameters('bringYourOwnUserAssignedManagedIdentity')]"
+                    },
+                    "userAssignedManagedIdentityResourceGroup": {
+                        "value": "[parameters('userAssignedManagedIdentityResourceGroup')]"
+                    },
+                    "userAssignedManagedIdentityName": {
+                        "value": "[parameters('userAssignedManagedIdentityName')]"
+                    },
+                    "listOfApplicableLocations": {
+                        "value": "[parameters('listOfApplicableLocations')]"
+                    },
+                    "effect": {
+                        "value": "[parameters('effect')]"
+                    }
+                }
+            }
+        },
+        {
+            "type": "Microsoft.Authorization/roleAssignments",
+            "apiVersion": "2022-04-01",
+            "name": "[variables('roleAssignmentNames').roleAssignmentNameLogAnalyticsContributor]",
+            "dependsOn": [
+                "[variables('policyAssignmentNames').vmChangeTracking]"
+            ],
+            "properties": {
+                "principalType": "ServicePrincipal",
+                "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacLogAnalyticsContributor'))]",
+                "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmChangeTracking), '2019-09-01', 'Full' ).identity.principalId)]"
+            }
+        },
+        {
+            "type": "Microsoft.Authorization/roleAssignments",
+            "apiVersion": "2022-04-01",
+            "name": "[variables('roleAssignmentNames').roleAssignmentNameVmContributor]",
+            "dependsOn": [
+                "[variables('policyAssignmentNames').vmChangeTracking]"
+            ],
+            "properties": {
+                "principalType": "ServicePrincipal",
+                "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacVMContributor'))]",
+                "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmChangeTracking), '2019-09-01', 'Full' ).identity.principalId)]"
+            }
+        },
+        {
+            "type": "Microsoft.Authorization/roleAssignments",
+            "apiVersion": "2022-04-01",
+            "name": "[variables('roleAssignmentNames').roleAssignmentNameMonitoringContributor]",
+            "dependsOn": [
+                "[variables('policyAssignmentNames').vmChangeTracking]"
+            ],
+            "properties": {
+                "principalType": "ServicePrincipal",
+                "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacMonitoringContributor'))]",
+                "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmChangeTracking), '2019-09-01', 'Full' ).identity.principalId)]"
+            }
+        },
+        {
+            "type": "Microsoft.Authorization/roleAssignments",
+            "apiVersion": "2022-04-01",
+            "name": "[variables('roleAssignmentNames').roleAssignmentNameManagedIdentityOperator]",
+            "dependsOn": [
+                "[variables('policyAssignmentNames').vmChangeTracking]"
+            ],
+            "properties": {
+                "principalType": "ServicePrincipal",
+                "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacManagedIdentityOperator'))]",
+                "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmChangeTracking), '2019-09-01', 'Full' ).identity.principalId)]"
+            }
+        }
+    ],
+    "outputs": {}
+}
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMSSPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMSSPolicyAssignment.json
new file mode 100644
index 000000000..6437d1d45
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMSSPolicyAssignment.json
@@ -0,0 +1,250 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "topLevelManagementGroupPrefix": {
+            "type": "string",
+            "maxLength": 10,
+            "metadata": {
+                "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale."
+            }
+        },
+        "dataCollectionRuleResourceId": {
+            "type": "string",
+            "metadata": {
+                "description": "Provide the resourceId to the Data collection rule"
+            }
+        },
+        "bringYourOwnUserAssignedManagedIdentity": {
+            "type": "bool",
+            "defaultValue": true,
+            "metadata": {
+                "description": "Provide your own user assigned managed identity to be used for the policy assignment"
+            }
+        },
+        "userAssignedManagedIdentityResourceGroup": {
+            "type": "string",
+            "metadata": {
+                "description": "Provide the resource group name where the user assigned managed identity is located"
+            }
+        },
+        "userAssignedManagedIdentityName": {
+            "type": "string",
+            "metadata": {
+                "description": "Provide the name of the user assigned managed identity"
+            }
+        },
+        "enforcementMode": {
+            "type": "string",
+            "allowedValues": [
+                "Default",
+                "DoNotEnforce"
+            ],
+            "defaultValue": "Default"
+        },
+        "nonComplianceMessagePlaceholder": {
+            "type": "string",
+            "defaultValue": "{enforcementMode}"
+        },
+        "effect": {
+            "type": "string",
+            "metadata": {
+                "description": "Enable or disable the policy assignment"
+            },
+            "defaultValue": "DeployIfNotExists",
+            "allowedValues": [
+                "DeployIfNotExists",
+                "Disabled"
+            ]
+        },
+        "listOfApplicableLocations": {
+            "type": "array",
+            "metadata": {
+                "displayName": "Applicable Locations",
+                "description": "The list of locations where the policy should be applied.",
+                "strongType": "location"
+            },
+            "allowedValues": [
+                "australiasoutheast",
+                "australiaeast",
+                "brazilsouth",
+                "canadacentral",
+                "centralindia",
+                "centralus",
+                "eastasia",
+                "eastus2euap",
+                "eastus",
+                "eastus2",
+                "francecentral",
+                "japaneast",
+                "koreacentral",
+                "northcentralus",
+                "northeurope",
+                "norwayeast",
+                "southcentralus",
+                "southeastasia",
+                "switzerlandnorth",
+                "uaenorth",
+                "uksouth",
+                "westcentralus",
+                "westeurope",
+                "westus",
+                "westus2"
+            ],
+            "defaultValue": [
+                "australiasoutheast",
+                "australiaeast",
+                "brazilsouth",
+                "canadacentral",
+                "centralindia",
+                "centralus",
+                "eastasia",
+                "eastus2euap",
+                "eastus",
+                "eastus2",
+                "francecentral",
+                "japaneast",
+                "koreacentral",
+                "northcentralus",
+                "northeurope",
+                "norwayeast",
+                "southcentralus",
+                "southeastasia",
+                "switzerlandnorth",
+                "uaenorth",
+                "uksouth",
+                "westcentralus",
+                "westeurope",
+                "westus",
+                "westus2"
+            ]
+        },
+        "scope": {
+            "type": "String",
+            "metadata": {
+                "displayName": "Scope",
+                "description": "Scope of the policy assignment"
+            }
+        }
+    },
+    "variables": {
+        "policyDefinitions": {
+            "vmssChangeTracking": "/providers/Microsoft.Authorization/policySetDefinitions/c4a70814-96be-461c-889f-2b27429120dc"
+        },
+        "policyAssignmentNames": {
+            "vmssChangeTracking": "Deploy-VMSS-ChangeTrack",
+            "description": "Enable ChangeTracking and Inventory for virtual machine scale sets. Takes Data Collection Rule ID as parameter and asks for an option to input applicable locations and user-assigned identity for Azure Monitor Agent.",
+            "displayName": "Enable ChangeTracking and Inventory for virtual machine scale sets"
+        },
+        "nonComplianceMessage": {
+            "message": "Change Tracking {enforcementMode} be enabled for Virtual Machines Scales Sets.",
+            "Default": "must",
+            "DoNotEnforce": "should"
+        },
+        "rbacVMContributor": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
+        "rbacLogAnalyticsContributor": "92aaf0da-9dab-42b6-94a3-d43ce8d16293",
+        "rbacMonitoringContributor": "749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+        "rbacManagedIdentityOperator": "f1a07417-d97a-45cb-824c-7a7467783830",
+        "roleAssignmentNames": {
+            "roleAssignmentNameLogAnalyticsContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmssChangeTracking,'-1',parameters('scope')))]",
+            "roleAssignmentNameVmContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmssChangeTracking,'-2',parameters('scope')))]",
+            "roleAssignmentNameMonitoringContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmssChangeTracking,'-3',parameters('scope')))]",
+            "roleAssignmentNameManagedIdentityOperator": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmssChangeTracking,'-4',parameters('scope')))]"
+        }
+    },
+    "resources": [
+        {
+            "type": "Microsoft.Authorization/policyAssignments",
+            "apiVersion": "2022-06-01",
+            "name": "[variables('policyAssignmentNames').vmssChangeTracking]",
+            "location": "[deployment().location]",
+            "identity": {
+                "type": "SystemAssigned"
+            },
+            "properties": {
+                "description": "[variables('policyAssignmentNames').description]",
+                "displayName": "[variables('policyAssignmentNames').displayName]",
+                "policyDefinitionId": "[variables('policyDefinitions').vmssChangeTracking]",
+                "enforcementMode": "[parameters('enforcementMode')]",
+                "nonComplianceMessages": [
+                    {
+                        "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+                    }
+                ],
+                "parameters": {
+                    "dcrResourceId": {
+                        "value": "[parameters('dataCollectionRuleResourceId')]"
+                    },
+                    "bringYourOwnUserAssignedManagedIdentity": {
+                        "value": "[parameters('bringYourOwnUserAssignedManagedIdentity')]"
+                    },
+                    "userAssignedManagedIdentityResourceGroup": {
+                        "value": "[parameters('userAssignedManagedIdentityResourceGroup')]"
+                    },
+                    "userAssignedManagedIdentityName": {
+                        "value": "[parameters('userAssignedManagedIdentityName')]"
+                    },
+                    "listOfApplicableLocations": {
+                        "value": "[parameters('listOfApplicableLocations')]"
+                    },
+                    "effect": {
+                        "value": "[parameters('effect')]"
+                    }
+                }
+            }
+        },
+        {
+            "type": "Microsoft.Authorization/roleAssignments",
+            "apiVersion": "2022-04-01",
+            "name": "[variables('roleAssignmentNames').roleAssignmentNameLogAnalyticsContributor]",
+            "dependsOn": [
+                "[variables('policyAssignmentNames').vmssChangeTracking]"
+            ],
+            "properties": {
+                "principalType": "ServicePrincipal",
+                "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacLogAnalyticsContributor'))]",
+                "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmssChangeTracking), '2019-09-01', 'Full' ).identity.principalId)]"
+            }
+        },
+        {
+            "type": "Microsoft.Authorization/roleAssignments",
+            "apiVersion": "2022-04-01",
+            "name": "[variables('roleAssignmentNames').roleAssignmentNameVmContributor]",
+            "dependsOn": [
+                "[variables('policyAssignmentNames').vmssChangeTracking]"
+            ],
+            "properties": {
+                "principalType": "ServicePrincipal",
+                "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacVMContributor'))]",
+                "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmssChangeTracking), '2019-09-01', 'Full' ).identity.principalId)]"
+            }
+        },
+        {
+            "type": "Microsoft.Authorization/roleAssignments",
+            "apiVersion": "2022-04-01",
+            "name": "[variables('roleAssignmentNames').roleAssignmentNameMonitoringContributor]",
+            "dependsOn": [
+                "[variables('policyAssignmentNames').vmssChangeTracking]"
+            ],
+            "properties": {
+                "principalType": "ServicePrincipal",
+                "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacMonitoringContributor'))]",
+                "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmssChangeTracking), '2019-09-01', 'Full' ).identity.principalId)]"
+            }
+        },
+        {
+            "type": "Microsoft.Authorization/roleAssignments",
+            "apiVersion": "2022-04-01",
+            "name": "[variables('roleAssignmentNames').roleAssignmentNameManagedIdentityOperator]",
+            "dependsOn": [
+                "[variables('policyAssignmentNames').vmssChangeTracking]"
+            ],
+            "properties": {
+                "principalType": "ServicePrincipal",
+                "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacManagedIdentityOperator'))]",
+                "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmssChangeTracking), '2019-09-01', 'Full' ).identity.principalId)]"
+            }
+        }
+    ],
+    "outputs": {}
+}
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-MDFCConfigPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-MDFCConfigPolicyAssignment.json
index 0c1ed6632..cd05bc389 100644
--- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-MDFCConfigPolicyAssignment.json
+++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-MDFCConfigPolicyAssignment.json
@@ -54,7 +54,7 @@
                 "default",
                 "mdeTvm"
             ],
-            "defaultValue": "default"            
+            "defaultValue": "mdeTvm"            
         },
         "enableAscForSql": {
             "type": "string",
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-MDFCDefenderSQLAMAPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-MDFCDefenderSQLAMAPolicyAssignment.json
new file mode 100644
index 000000000..20c0519ff
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-MDFCDefenderSQLAMAPolicyAssignment.json
@@ -0,0 +1,252 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "topLevelManagementGroupPrefix": {
+            "type": "string",
+            "metadata": {
+                "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
+            }
+        },
+        "enforcementMode": {
+            "type": "string",
+            "allowedValues": [
+                "Default",
+                "DoNotEnforce"
+            ],
+            "defaultValue": "Default"
+        },
+        "nonComplianceMessagePlaceholder": {
+            "type": "string",
+            "defaultValue": "{enforcementMode}"
+        },
+        "effect": {
+            "type": "String",
+            "metadata": {
+                "displayName": "Effect",
+                "description": "Enable or disable the execution of the policy"
+            },
+            "allowedValues": [
+                "DeployIfNotExists",
+                "Disabled"
+            ],
+            "defaultValue": "DeployIfNotExists"
+        },
+        "workspaceRegion": {
+            "type": "String",
+            "metadata": {
+                "displayName": "Workspace region",
+                "description": "Region of the Log Analytics workspace destination for the Data Collection Rule.",
+                "strongType": "location"
+            }
+        },
+        "dcrName": {
+            "type": "String",
+            "metadata": {
+                "displayName": "Data Collection Rule Name",
+                "description": "Name of the Data Collection Rule."
+            }
+        },
+        "dcrResourceGroup": {
+            "type": "String",
+            "metadata": {
+                "displayName": "Data Collection Rule Resource Group",
+                "description": "Resource Group of the Data Collection Rule."
+            }
+        },
+        "dcrId": {
+            "type": "String",
+            "metadata": {
+                "displayName": "Data Collection Rule Id",
+                "description": "Id of the Data Collection Rule."
+            }
+        },
+        "userWorkspaceResourceId": {
+            "type": "String",
+            "metadata": {
+                "displayName": "Workspace Resource Id",
+                "description": "Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.",
+                "strongType": "omsWorkspace"
+            }
+        },
+        "enableCollectionOfSqlQueriesForSecurityResearch": {
+            "type": "Bool",
+            "metadata": {
+                "displayName": "Enable collection of SQL queries for security research",
+                "description": "Enable or disable the collection of SQL queries for security research."
+            },
+            "allowedValues": [
+                true,
+                false
+            ],
+            "defaultValue": false
+        },
+        "identityResourceGroup": {
+            "type": "String",
+            "metadata": {
+                "displayName": "Identity Resource Group",
+                "description": "The name of the resource group created by the policy."
+            },
+            "defaultValue": ""
+        },
+        "userAssignedIdentityName": {
+            "type": "String",
+            "metadata": {
+                "displayName": "User Assigned Managed Identity Name",
+                "description": "The name of the user assigned managed identity."
+            },
+            "defaultValue": ""
+        },
+        "scope": {
+            "type": "String",
+            "metadata": {
+                "displayName": "Scope",
+                "description": "Scope of the policy assignment"
+            }
+        }
+    },
+    "variables": {
+        "policyDefinitions": {
+            "deployazureDefenderSQL": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-DefenderSQL-AMA')]"
+        },
+        "policyAssignmentNames": {
+            "azureDefenderSQL": "Deploy-MDFC-DefenSQL-AMA",
+            "description": "Microsoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace.",
+            "displayName": "Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace"
+        },
+        "nonComplianceMessage": {
+            "message": "Microsoft Defender for SQL {enforcementMode} be deployed.",
+            "Default": "must",
+            "DoNotEnforce": "should"
+        },
+        "rbacVMContributor": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
+        "rbacLogAnalyticsContributor": "92aaf0da-9dab-42b6-94a3-d43ce8d16293",
+        "rbacMonitoringContributor": "749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+        "rbacManagedIdentityOperator": "f1a07417-d97a-45cb-824c-7a7467783830",
+        "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
+        "roleAssignmentNames": {
+            "roleAssignmentNameLogAnalyticsContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').azureDefenderSQL,parameters('scope')))]",
+            "roleAssignmentNameVmContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').azureDefenderSQL,'-2',parameters('scope')))]",
+            "roleAssignmentNameMonitoringContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').azureDefenderSQL,'-3',parameters('scope')))]",
+            "roleAssignmentNameManagedIdentityOperator": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').azureDefenderSQL,'-4',parameters('scope')))]",
+            "roleAssignmentNameContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').azureDefenderSQL,'-5',parameters('scope')))]"
+        }
+    },
+    "resources": [
+        {
+            "type": "Microsoft.Authorization/policyAssignments",
+            "apiVersion": "2022-06-01",
+            "name": "[variables('policyAssignmentNames').azureDefenderSQL]",
+            "location": "[deployment().location]",
+            "identity": {
+                "type": "SystemAssigned"
+            },
+            "properties": {
+                "description": "[variables('policyAssignmentNames').description]",
+                "displayName": "[variables('policyAssignmentNames').displayName]",
+                "policyDefinitionId": "[variables('policyDefinitions').deployazureDefenderSQL]",
+                "enforcementMode": "[parameters('enforcementMode')]",
+                "nonComplianceMessages": [
+                    {
+                        "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+                    }
+                ],
+                "parameters": {
+                    "effect": {
+                        "value": "[parameters('effect')]"
+                    },
+                    "workspaceRegion": {
+                        "value": "[parameters('workspaceRegion')]"
+                    },
+                    "dcrName": {
+                        "value": "[parameters('dcrName')]"
+                    },
+                    "dcrResourceGroup": {
+                        "value": "[parameters('dcrResourceGroup')]"
+                    },
+                    "dcrId": {
+                        "value": "[parameters('dcrId')]"
+                    },
+                    "userWorkspaceResourceId": {
+                        "value": "[parameters('userWorkspaceResourceId')]"
+                    },
+                    "enableCollectionOfSqlQueriesForSecurityResearch": {
+                        "value": "[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]"
+                    },
+                    "identityResourceGroup": {
+                        "value": "[parameters('identityResourceGroup')]"
+                    },
+                    "userAssignedIdentityName": {
+                        "value": "[parameters('userAssignedIdentityName')]"
+                    }
+                }
+            }
+        },
+        {
+            "type": "Microsoft.Authorization/roleAssignments",
+            "apiVersion": "2022-04-01",
+            "name": "[variables('roleAssignmentNames').roleAssignmentNameLogAnalyticsContributor]",
+            "dependsOn": [
+                "[variables('policyAssignmentNames').azureDefenderSQL]"
+            ],
+            "properties": {
+                "principalType": "ServicePrincipal",
+                "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacLogAnalyticsContributor'))]",
+                "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').azureDefenderSQL), '2019-09-01', 'Full' ).identity.principalId)]"
+            }
+        },
+        {
+            "type": "Microsoft.Authorization/roleAssignments",
+            "apiVersion": "2022-04-01",
+            "name": "[variables('roleAssignmentNames').roleAssignmentNameVmContributor]",
+            "dependsOn": [
+                "[variables('policyAssignmentNames').azureDefenderSQL]"
+            ],
+            "properties": {
+                "principalType": "ServicePrincipal",
+                "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacVMContributor'))]",
+                "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').azureDefenderSQL), '2019-09-01', 'Full' ).identity.principalId)]"
+            }
+        },
+        {
+            "type": "Microsoft.Authorization/roleAssignments",
+            "apiVersion": "2022-04-01",
+            "name": "[variables('roleAssignmentNames').roleAssignmentNameMonitoringContributor]",
+            "dependsOn": [
+                "[variables('policyAssignmentNames').azureDefenderSQL]"
+            ],
+            "properties": {
+                "principalType": "ServicePrincipal",
+                "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacMonitoringContributor'))]",
+                "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').azureDefenderSQL), '2019-09-01', 'Full' ).identity.principalId)]"
+            }
+        },
+        {
+            "type": "Microsoft.Authorization/roleAssignments",
+            "apiVersion": "2022-04-01",
+            "name": "[variables('roleAssignmentNames').roleAssignmentNameManagedIdentityOperator]",
+            "dependsOn": [
+                "[variables('policyAssignmentNames').azureDefenderSQL]"
+            ],
+            "properties": {
+                "principalType": "ServicePrincipal",
+                "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacManagedIdentityOperator'))]",
+                "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').azureDefenderSQL), '2019-09-01', 'Full' ).identity.principalId)]"
+            }
+        },
+                {
+            "type": "Microsoft.Authorization/roleAssignments",
+            "apiVersion": "2022-04-01",
+            "name": "[variables('roleAssignmentNames').roleAssignmentNameContributor]",
+            "dependsOn": [
+                "[variables('policyAssignmentNames').azureDefenderSQL]"
+            ],
+            "properties": {
+                "principalType": "ServicePrincipal",
+                "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
+                "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').azureDefenderSQL), '2019-09-01', 'Full' ).identity.principalId)]"
+            }
+        }
+    ],
+    "outputs": {}
+}
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-UserAssignedIdentityVMInsightsAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-UserAssignedIdentityVMInsightsAssignment.json
new file mode 100644
index 000000000..da5c16190
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-UserAssignedIdentityVMInsightsAssignment.json
@@ -0,0 +1,117 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "topLevelManagementGroupPrefix": {
+            "type": "string",
+            "maxLength": 10,
+            "metadata": {
+                "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale."
+            }
+        },
+        "userAssignedManagedIdentityResourceGroup": {
+            "type": "string",
+            "metadata": {
+                "description": "Provide the resource group name where the user assigned managed identity is located"
+            }
+        },
+        "userAssignedManagedIdentityName": {
+            "type": "string",
+            "metadata": {
+                "description": "Provide the name of the user assigned managed identity"
+            }
+        },
+        "location": {
+            "type": "string",
+            "defaultValue": "northeurope",
+            "metadata": {
+                "description": "Provide the location for the resources created as part of Enterprise-scale."
+            }
+        },
+        "enforcementMode": {
+            "type": "string",
+            "allowedValues": [
+                "Default",
+                "DoNotEnforce"
+            ],
+            "defaultValue": "DoNotEnforce"
+        },
+        "nonComplianceMessagePlaceholder": {
+            "type": "string",
+            "defaultValue": "{enforcementMode}"
+        }
+    },
+    "variables": {
+        "policyDefinitions": {
+            "vmMonitoring": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-UserAssignedManagedIdentity-VMInsights')]"
+        },
+        "policyAssignmentNames": {
+            "vmMonitoring": "Deploy-UAMI-VMInsights",
+            "description": "Deploy User Assigned Managed Identity for VM Insights",
+            "displayName": "Deploy User Assigned Managed Identity for VM Insights"
+        },
+        "nonComplianceMessage": {
+            "message": "User Assigned Identity {enforcementMode} be created for VM Insights.",
+            "Default": "must",
+            "DoNotEnforce": "should"
+        },
+        "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
+        "roleAssignmentNames": {
+            "roleAssignmentNameContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmMonitoring))]"
+        }
+    },
+    "resources": [
+        {
+            "type": "Microsoft.Authorization/policyAssignments",
+            "apiVersion": "2022-06-01",
+            "name": "[variables('policyAssignmentNames').vmMonitoring]",
+            "location": "[deployment().location]",
+            "identity": {
+                "type": "SystemAssigned"
+            },
+            "properties": {
+                "description": "[variables('policyAssignmentNames').description]",
+                "displayName": "[variables('policyAssignmentNames').displayName]",
+                "policyDefinitionId": "[variables('policyDefinitions').vmMonitoring]",
+                "enforcementMode": "[parameters('enforcementMode')]",
+                "nonComplianceMessages": [
+                    {
+                        "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+                    }
+                ],
+                "parameters": {
+                    "identityResourceGroup": {
+                        "value": "[parameters('userAssignedManagedIdentityResourceGroup')]"
+                    },
+                    "userAssignedIdentityName": {
+                        "value": "[parameters('userAssignedManagedIdentityName')]"
+                    },
+                    "builtInIdentityResourceGroupLocation": {
+                        "value": "[parameters('location')]"
+                    },
+                    "bringYourOwnUserAssignedManagedIdentity": {
+                        "value": true
+                    },
+                    "effect": {
+                        "value": "DeployIfNotExists"
+                    }
+                }
+            }
+        },
+        {
+            "type": "Microsoft.Authorization/roleAssignments",
+            "apiVersion": "2022-04-01",
+            "name": "[variables('roleAssignmentNames').roleAssignmentNameContributor]",
+            "dependsOn": [
+                "[variables('policyAssignmentNames').vmMonitoring]"
+            ],
+            "properties": {
+                "principalType": "ServicePrincipal",
+                "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
+                "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmMonitoring), '2019-09-01', 'Full' ).identity.principalId)]"
+            }
+        }
+    ],
+    "outputs": {}
+}
+     
\ No newline at end of file
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMHybridMonitoringPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMHybridMonitoringPolicyAssignment.json
new file mode 100644
index 000000000..3aaef0f96
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMHybridMonitoringPolicyAssignment.json
@@ -0,0 +1,123 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "topLevelManagementGroupPrefix": {
+            "type": "string",
+            "maxLength": 10,
+            "metadata": {
+                "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale."
+            }
+        },
+        "dataCollectionRuleResourceId": {
+            "type": "string",
+            "metadata": {
+                "description": "Provide the resourceId to the Data collection rule"
+            }
+        },
+        "enableProcessesAndDependencies": {
+            "type": "bool",
+            "defaultValue": true,
+            "metadata": {
+                "description": "Enable processes and dependencies for the VMs"
+            }
+        },
+        "enforcementMode": {
+            "type": "string",
+            "allowedValues": [
+                "Default",
+                "DoNotEnforce"
+            ],
+            "defaultValue": "Default"
+        },
+        "nonComplianceMessagePlaceholder": {
+            "type": "string",
+            "defaultValue": "{enforcementMode}"
+        },
+        "scope": {
+            "type": "String",
+            "metadata": {
+                "displayName": "Scope",
+                "description": "Scope of the policy assignment"
+            }
+        }
+    },
+    "variables": {
+        "policyDefinitions": {
+            "vmHybridMonitoring": "/providers/Microsoft.Authorization/policySetDefinitions/2b00397d-c309-49c4-aa5a-f0b2c5bc6321"
+        },
+        "policyAssignmentNames": {
+            "vmHybridMonitoring": "Deploy-vmHybr-Monitoring",
+            "description": "Enable Azure Monitor for Hybrid Virtual Machines in the specified scope (Management group, Subscription or resource group).",
+            "displayName": "Enable Azure Monitor for Hybrid Virtual Machines"
+        },
+        "nonComplianceMessage": {
+            "message": "Azure Monitor {enforcementMode} be enabled for Hybrid Virtual Machines.",
+            "Default": "must",
+            "DoNotEnforce": "should"
+        },
+        "rbacLogAnalyticsContributor": "92aaf0da-9dab-42b6-94a3-d43ce8d16293",
+        "rbacMonitoringContributor": "749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+        "roleAssignmentNames": {
+            "roleAssignmentNameLogAnalyticsContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmHybridMonitoring,'-1',parameters('scope')))]",
+            "roleAssignmentNameMonitoringContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmHybridMonitoring,'-2',parameters('scope')))]"
+        }
+    },
+    "resources": [
+        {
+            "type": "Microsoft.Authorization/policyAssignments",
+            "apiVersion": "2022-06-01",
+            "name": "[variables('policyAssignmentNames').vmHybridMonitoring]",
+            "location": "[deployment().location]",
+            "identity": {
+                "type": "SystemAssigned"
+            },
+            "properties": {
+                "description": "[variables('policyAssignmentNames').description]",
+                "displayName": "[variables('policyAssignmentNames').displayName]",
+                "policyDefinitionId": "[variables('policyDefinitions').vmHybridMonitoring]",
+                "enforcementMode": "[parameters('enforcementMode')]",
+                "nonComplianceMessages": [
+                    {
+                        "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+                    }
+                ],
+                "parameters": {
+                    "dcrResourceId": {
+                        "value": "[parameters('dataCollectionRuleResourceId')]"
+                    },
+                    "enableProcessesAndDependencies": {
+                        "value": "[parameters('enableProcessesAndDependencies')]"
+                    }
+                }
+            }
+        },
+        {
+            "type": "Microsoft.Authorization/roleAssignments",
+            "apiVersion": "2022-04-01",
+            "name": "[variables('roleAssignmentNames').roleAssignmentNameLogAnalyticsContributor]",
+            "dependsOn": [
+                "[variables('policyAssignmentNames').vmHybridMonitoring]"
+            ],
+            "properties": {
+                "principalType": "ServicePrincipal",
+                "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacLogAnalyticsContributor'))]",
+                "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmHybridMonitoring), '2019-09-01', 'Full' ).identity.principalId)]"
+            }
+        },
+        {
+            "type": "Microsoft.Authorization/roleAssignments",
+            "apiVersion": "2022-04-01",
+            "name": "[variables('roleAssignmentNames').roleAssignmentNameMonitoringContributor]",
+            "dependsOn": [
+                "[variables('policyAssignmentNames').vmHybridMonitoring]"
+            ],
+            "properties": {
+                "principalType": "ServicePrincipal",
+                "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacMonitoringContributor'))]",
+                "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmHybridMonitoring), '2019-09-01', 'Full' ).identity.principalId)]"
+            }
+        }
+    ],
+    "outputs": {}
+}
\ No newline at end of file
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMMonitoringPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMMonitoringPolicyAssignment.json
index 7af404d34..30908563c 100644
--- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMMonitoringPolicyAssignment.json
+++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMMonitoringPolicyAssignment.json
@@ -9,10 +9,43 @@
                 "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale."
             }
         },
-        "logAnalyticsResourceId": {
+        "dataCollectionRuleResourceId": {
             "type": "string",
             "metadata": {
-                "description": "Provide the resourceId to the central Log Analytics workspace"
+                "description": "Provide the resourceId to the Data collection rule"
+            }
+        },
+        "bringYourOwnUserAssignedManagedIdentity": {
+            "type": "bool",
+            "defaultValue": true,
+            "metadata": {
+                "description": "Provide your own user assigned managed identity to be used for the policy assignment"
+            }
+        },
+        "userAssignedManagedIdentityResourceGroup": {
+            "type": "string",
+            "metadata": {
+                "description": "Provide the resource group name where the user assigned managed identity is located"
+            }
+        },
+        "userAssignedManagedIdentityName": {
+            "type": "string",
+            "metadata": {
+                "description": "Provide the name of the user assigned managed identity"
+            }
+        },
+        "enableProcessesAndDependencies": {
+            "type": "bool",
+            "defaultValue": true,
+            "metadata": {
+                "description": "Enable processes and dependencies for the VMs"
+            }
+        },
+        "scopeToSupportedImages":{
+            "type": "bool",
+            "defaultValue": false,
+            "metadata": {
+                "description": "Scope the policy assignment to supported images"
             }
         },
         "enforcementMode": {
@@ -26,11 +59,18 @@
         "nonComplianceMessagePlaceholder": {
             "type": "string",
             "defaultValue": "{enforcementMode}"
+        },
+        "scope": {
+            "type": "String",
+            "metadata": {
+                "displayName": "Scope",
+                "description": "Scope of the policy assignment"
+            }
         }
     },
     "variables": {
         "policyDefinitions": {
-            "vmMonitoring": "/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a"
+            "vmMonitoring": "/providers/Microsoft.Authorization/policySetDefinitions/924bfe3a-762f-40e7-86dd-5c8b95eb09e6"
         },
         "policyAssignmentNames": {
             "vmMonitoring": "Deploy-VM-Monitoring",
@@ -42,9 +82,15 @@
             "Default": "must",
             "DoNotEnforce": "should"
         },
+        "rbacVMContributor": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
         "rbacLogAnalyticsContributor": "92aaf0da-9dab-42b6-94a3-d43ce8d16293",
+        "rbacMonitoringContributor": "749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+        "rbacManagedIdentityOperator": "f1a07417-d97a-45cb-824c-7a7467783830",
         "roleAssignmentNames": {
-            "roleAssignmentNameLogAnalyticsContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmMonitoring))]"
+            "roleAssignmentNameLogAnalyticsContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmMonitoring,parameters('scope')))]",
+            "roleAssignmentNameVmContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmMonitoring,'-2',parameters('scope')))]",
+            "roleAssignmentNameMonitoringContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmMonitoring,'-3',parameters('scope')))]",
+            "roleAssignmentNameManagedIdentityOperator": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmMonitoring,'-4',parameters('scope')))]"
         }
     },
     "resources": [
@@ -67,15 +113,30 @@
                     }
                 ],
                 "parameters": {
-                    "logAnalytics_1": {
-                        "value": "[parameters('logAnalyticsResourceId')]"
+                    "dcrResourceId": {
+                        "value": "[parameters('dataCollectionRuleResourceId')]"
+                    },
+                    "bringYourOwnUserAssignedManagedIdentity": {
+                        "value": "[parameters('bringYourOwnUserAssignedManagedIdentity')]"
+                    },
+                    "userAssignedManagedIdentityResourceGroup": {
+                        "value": "[parameters('userAssignedManagedIdentityResourceGroup')]"
+                    },
+                    "userAssignedManagedIdentityName": {
+                        "value": "[parameters('userAssignedManagedIdentityName')]"
+                    },
+                    "enableProcessesAndDependencies": {
+                        "value": "[parameters('enableProcessesAndDependencies')]"
+                    },
+                    "scopeToSupportedImages": {
+                        "value": "[parameters('scopeToSupportedImages')]"
                     }
                 }
             }
         },
         {
             "type": "Microsoft.Authorization/roleAssignments",
-            "apiVersion": "2019-04-01-preview",
+            "apiVersion": "2022-04-01",
             "name": "[variables('roleAssignmentNames').roleAssignmentNameLogAnalyticsContributor]",
             "dependsOn": [
                 "[variables('policyAssignmentNames').vmMonitoring]"
@@ -85,6 +146,45 @@
                 "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacLogAnalyticsContributor'))]",
                 "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmMonitoring), '2019-09-01', 'Full' ).identity.principalId)]"
             }
+        },
+        {
+            "type": "Microsoft.Authorization/roleAssignments",
+            "apiVersion": "2022-04-01",
+            "name": "[variables('roleAssignmentNames').roleAssignmentNameVmContributor]",
+            "dependsOn": [
+                "[variables('policyAssignmentNames').vmMonitoring]"
+            ],
+            "properties": {
+                "principalType": "ServicePrincipal",
+                "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacVMContributor'))]",
+                "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmMonitoring), '2019-09-01', 'Full' ).identity.principalId)]"
+            }
+        },
+        {
+            "type": "Microsoft.Authorization/roleAssignments",
+            "apiVersion": "2022-04-01",
+            "name": "[variables('roleAssignmentNames').roleAssignmentNameMonitoringContributor]",
+            "dependsOn": [
+                "[variables('policyAssignmentNames').vmMonitoring]"
+            ],
+            "properties": {
+                "principalType": "ServicePrincipal",
+                "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacMonitoringContributor'))]",
+                "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmMonitoring), '2019-09-01', 'Full' ).identity.principalId)]"
+            }
+        },
+        {
+            "type": "Microsoft.Authorization/roleAssignments",
+            "apiVersion": "2022-04-01",
+            "name": "[variables('roleAssignmentNames').roleAssignmentNameManagedIdentityOperator]",
+            "dependsOn": [
+                "[variables('policyAssignmentNames').vmMonitoring]"
+            ],
+            "properties": {
+                "principalType": "ServicePrincipal",
+                "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacManagedIdentityOperator'))]",
+                "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmMonitoring), '2019-09-01', 'Full' ).identity.principalId)]"
+            }
         }
     ],
     "outputs": {}
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMSSMonitoringPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMSSMonitoringPolicyAssignment.json
index ce94231be..c234ce522 100644
--- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMSSMonitoringPolicyAssignment.json
+++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMSSMonitoringPolicyAssignment.json
@@ -9,10 +9,43 @@
                 "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale."
             }
         },
-        "logAnalyticsResourceId": {
+        "dataCollectionRuleResourceId": {
             "type": "string",
             "metadata": {
-                "description": "Provide the resourceId to the central Log Analytics workspace"
+                "description": "Provide the resourceId to the Data collection rule"
+            }
+        },
+        "bringYourOwnUserAssignedManagedIdentity": {
+            "type": "bool",
+            "defaultValue": true,
+            "metadata": {
+                "description": "Provide your own user assigned managed identity to be used for the policy assignment"
+            }
+        },
+        "userAssignedManagedIdentityResourceGroup": {
+            "type": "string",
+            "metadata": {
+                "description": "Provide the resource group name where the user assigned managed identity is located"
+            }
+        },
+        "userAssignedManagedIdentityName": {
+            "type": "string",
+            "metadata": {
+                "description": "Provide the name of the user assigned managed identity"
+            }
+        },
+        "enableProcessesAndDependencies": {
+            "type": "bool",
+            "defaultValue": true,
+            "metadata": {
+                "description": "Enable processes and dependencies for the VMs"
+            }
+        },
+        "scopeToSupportedImages":{
+            "type": "bool",
+            "defaultValue": false,
+            "metadata": {
+                "description": "Scope the policy assignment to supported images"
             }
         },
         "enforcementMode": {
@@ -26,11 +59,18 @@
         "nonComplianceMessagePlaceholder": {
             "type": "string",
             "defaultValue": "{enforcementMode}"
+        },
+        "scope": {
+            "type": "String",
+            "metadata": {
+                "displayName": "Scope",
+                "description": "Scope of the policy assignment"
+            }
         }
     },
     "variables": {
         "policyDefinitions": {
-            "vmssMonitoring": "/providers/Microsoft.Authorization/policySetDefinitions/75714362-cae7-409e-9b99-a8e5075b7fad"
+            "vmssMonitoring": "/providers/Microsoft.Authorization/policySetDefinitions/f5bf694c-cca7-4033-b883-3a23327d5485"
         },
         "policyAssignmentNames": {
             "vmssMonitoring": "Deploy-VMSS-Monitoring",
@@ -44,9 +84,13 @@
         },
         "rbacVMContributor": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
         "rbacLogAnalyticsContributor": "92aaf0da-9dab-42b6-94a3-d43ce8d16293",
+        "rbacMonitoringContributor": "749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+        "rbacManagedIdentityOperator": "f1a07417-d97a-45cb-824c-7a7467783830",
         "roleAssignmentNames": {
-            "roleAssignmentNameLogAnalyticsContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmssMonitoring,'-1'))]",
-            "roleAssignmentNameVmContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmssMonitoring,'-2'))]"
+            "roleAssignmentNameLogAnalyticsContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmssMonitoring,'-1',parameters('scope')))]",
+            "roleAssignmentNameVmContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmssMonitoring,'-2',parameters('scope')))]",
+            "roleAssignmentNameMonitoringContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmssMonitoring,'-3',parameters('scope')))]",
+            "roleAssignmentNameManagedIdentityOperator": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmssMonitoring,'-4',parameters('scope')))]"
         }
     },
     "resources": [
@@ -69,15 +113,30 @@
                     }
                 ],
                 "parameters": {
-                    "logAnalytics_1": {
-                        "value": "[parameters('logAnalyticsResourceId')]"
+                    "dcrResourceId": {
+                        "value": "[parameters('dataCollectionRuleResourceId')]"
+                    },
+                    "bringYourOwnUserAssignedManagedIdentity": {
+                        "value": "[parameters('bringYourOwnUserAssignedManagedIdentity')]"
+                    },
+                    "userAssignedManagedIdentityResourceGroup": {
+                        "value": "[parameters('userAssignedManagedIdentityResourceGroup')]"
+                    },
+                    "userAssignedManagedIdentityName": {
+                        "value": "[parameters('userAssignedManagedIdentityName')]"
+                    },
+                    "enableProcessesAndDependencies": {
+                        "value": "[parameters('enableProcessesAndDependencies')]"
+                    },
+                    "scopeToSupportedImages": {
+                        "value": "[parameters('scopeToSupportedImages')]"
                     }
                 }
             }
         },
         {
             "type": "Microsoft.Authorization/roleAssignments",
-            "apiVersion": "2019-04-01-preview",
+            "apiVersion": "2022-04-01",
             "name": "[variables('roleAssignmentNames').roleAssignmentNameLogAnalyticsContributor]",
             "dependsOn": [
                 "[variables('policyAssignmentNames').vmssMonitoring]"
@@ -90,7 +149,7 @@
         },
         {
             "type": "Microsoft.Authorization/roleAssignments",
-            "apiVersion": "2019-04-01-preview",
+            "apiVersion": "2022-04-01",
             "name": "[variables('roleAssignmentNames').roleAssignmentNameVmContributor]",
             "dependsOn": [
                 "[variables('policyAssignmentNames').vmssMonitoring]"
@@ -100,6 +159,32 @@
                 "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacVMContributor'))]",
                 "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmssMonitoring), '2019-09-01', 'Full' ).identity.principalId)]"
             }
+        },
+        {
+            "type": "Microsoft.Authorization/roleAssignments",
+            "apiVersion": "2022-04-01",
+            "name": "[variables('roleAssignmentNames').roleAssignmentNameMonitoringContributor]",
+            "dependsOn": [
+                "[variables('policyAssignmentNames').vmssMonitoring]"
+            ],
+            "properties": {
+                "principalType": "ServicePrincipal",
+                "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacMonitoringContributor'))]",
+                "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmssMonitoring), '2019-09-01', 'Full' ).identity.principalId)]"
+            }
+        },
+        {
+            "type": "Microsoft.Authorization/roleAssignments",
+            "apiVersion": "2022-04-01",
+            "name": "[variables('roleAssignmentNames').roleAssignmentNameManagedIdentityOperator]",
+            "dependsOn": [
+                "[variables('policyAssignmentNames').vmssMonitoring]"
+            ],
+            "properties": {
+                "principalType": "ServicePrincipal",
+                "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacManagedIdentityOperator'))]",
+                "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmssMonitoring), '2019-09-01', 'Full' ).identity.principalId)]"
+            }
         }
     ],
     "outputs": {}
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/MODIFY-AUM-CheckUpdatesPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/MODIFY-AUM-CheckUpdatesPolicyAssignment.json
new file mode 100644
index 000000000..e13cfe785
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/MODIFY-AUM-CheckUpdatesPolicyAssignment.json
@@ -0,0 +1,156 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "topLevelManagementGroupPrefix": {
+            "type": "string",
+            "metadata": {
+                "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
+            }
+        },
+        "enforcementMode": {
+            "type": "string",
+            "allowedValues": [
+                "Default",
+                "DoNotEnforce"
+            ],
+            "defaultValue": "Default"
+        },
+        "nonComplianceMessagePlaceholder": {
+            "type": "string",
+            "defaultValue": "{enforcementMode}"
+        },
+        "assessmentMode": {
+            "type": "String",
+            "metadata": {
+                "displayName": "Assessment mode",
+                "description": "Assessment mode for the machines."
+            },
+            "allowedValues": [
+                "ImageDefault",
+                "AutomaticByPlatform"
+            ],
+            "defaultValue": "AutomaticByPlatform"
+        },
+        "locations": {
+            "type": "Array",
+            "metadata": {
+                "displayName": "Machines locations",
+                "description": "The list of locations from which machines need to be targeted.",
+                "strongType": "location"
+            },
+            "defaultValue": []
+        },
+        "tagValues": {
+            "type": "Object",
+            "metadata": {
+                "displayName": "Tags on machines",
+                "description": "The list of tags that need to matched for getting target machines."
+            },
+            "defaultValue": {}
+        },
+        "tagOperator": {
+            "type": "String",
+            "metadata": {
+                "displayName": "Tag operator",
+                "description": "Matching condition for resource tags"
+            },
+            "allowedValues": [
+                "All",
+                "Any"
+            ],
+            "defaultValue": "Any"
+        },
+        "scope": {
+            "type": "String",
+            "metadata": {
+                "displayName": "Scope",
+                "description": "Scope of the policy assignment"
+            }
+        }
+    },
+    "variables": {
+        "policyDefinitions": {
+            "vmCheckUpdates": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/PolicySetDefinitions/Deploy-AUM-CheckUpdates')]"
+        },
+        "policyAssignmentNames": {
+            "vmCheckUpdates": "Enable-AUM-CheckUpdates",
+            "description": "Configure auto-assessment (every 24 hours) for OS updates. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",
+            "displayName": "Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines."
+        },
+        "nonComplianceMessage": {
+            "message": "Periodic checking of missing updates {enforcementMode} be enabled.",
+            "Default": "must",
+            "DoNotEnforce": "should"
+        },
+        "rbacVmContributor": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
+        "rbacConnectedMachineResourceAdministrator": "cd570a14-e51a-42ad-bac8-bafd67325302",
+        "roleAssignmentNames": {
+            "roleAssignmentNameVmContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmCheckUpdates,'-1',parameters('scope')))]",
+            "roleAssignmentNameConnectedMachineResourceAdministrator": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmCheckUpdates,'-2',parameters('scope')))]"
+        }
+    },
+    "resources": [
+        {
+            "type": "Microsoft.Authorization/policyAssignments",
+            "apiVersion": "2022-06-01",
+            "name": "[variables('policyAssignmentNames').vmCheckUpdates]",
+            "location": "[deployment().location]",
+            "identity": {
+                "type": "SystemAssigned"
+            },
+            "properties": {
+                "description": "[variables('policyAssignmentNames').description]",
+                "displayName": "[variables('policyAssignmentNames').displayName]",
+                "policyDefinitionId": "[variables('policyDefinitions').vmCheckUpdates]",
+                "enforcementMode": "[parameters('enforcementMode')]",
+                "nonComplianceMessages": [
+                    {
+                        "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+                    }
+                ],
+                "parameters": {
+                    "assessmentMode": {
+                        "value": "[parameters('assessmentMode')]"
+                    },
+                    "locations": {
+                        "value": "[parameters('locations')]"
+                    },
+                    "tagValues": {
+                        "value": "[parameters('tagValues')]"
+                    },
+                    "tagOperator": {
+                        "value": "[parameters('tagOperator')]"
+                    }
+                }
+            }
+        },
+        {
+            "type": "Microsoft.Authorization/roleAssignments",
+            "apiVersion": "2022-04-01",
+            "name": "[variables('roleAssignmentNames').roleAssignmentNameVmContributor]",
+            "dependsOn": [
+                "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').vmCheckUpdates)]"
+            ],
+            "properties": {
+                "principalType": "ServicePrincipal",
+                "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacVmContributor'))]",
+                "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmCheckUpdates), '2019-09-01', 'Full' ).identity.principalId)]"
+            }
+        },
+                {
+            "type": "Microsoft.Authorization/roleAssignments",
+            "apiVersion": "2022-04-01",
+            "name": "[variables('roleAssignmentNames').roleAssignmentNameConnectedMachineResourceAdministrator]",
+            "dependsOn": [
+                "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').vmCheckUpdates)]"
+            ],
+            "properties": {
+                "principalType": "ServicePrincipal",
+                "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacConnectedMachineResourceAdministrator'))]",
+                "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmCheckUpdates), '2019-09-01', 'Full' ).identity.principalId)]"
+            }
+        }
+    ],
+    "outputs": {}
+}
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/MODIFY-AUM-VMCheckUpdatesPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/MODIFY-AUM-VMCheckUpdatesPolicyAssignment.json
new file mode 100644
index 000000000..57b616a60
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/MODIFY-AUM-VMCheckUpdatesPolicyAssignment.json
@@ -0,0 +1,148 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "topLevelManagementGroupPrefix": {
+            "type": "string",
+            "metadata": {
+                "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
+            }
+        },
+        "enforcementMode": {
+            "type": "string",
+            "allowedValues": [
+                "Default",
+                "DoNotEnforce"
+            ],
+            "defaultValue": "Default"
+        },
+        "nonComplianceMessagePlaceholder": {
+            "type": "string",
+            "defaultValue": "{enforcementMode}"
+        },
+        "assessmentMode": {
+            "type": "String",
+            "metadata": {
+                "displayName": "Assessment mode",
+                "description": "Assessment mode for the machines."
+            },
+            "allowedValues": [
+                "ImageDefault",
+                "AutomaticByPlatform"
+            ],
+            "defaultValue": "AutomaticByPlatform"
+        },
+        "osType": {
+            "type": "String",
+            "metadata": {
+                "displayName": "OS type",
+                "description": "OS type for the machines."
+            },
+            "allowedValues": [
+                "Windows",
+                "Linux"
+            ]
+        },
+        "locations": {
+            "type": "Array",
+            "metadata": {
+                "displayName": "Machines locations",
+                "description": "The list of locations from which machines need to be targeted.",
+                "strongType": "location"
+            },
+            "defaultValue": []
+        },
+        "tagValues": {
+            "type": "Object",
+            "metadata": {
+                "displayName": "Tags on machines",
+                "description": "The list of tags that need to matched for getting target machines."
+            },
+            "defaultValue": {}
+        },
+        "tagOperator": {
+            "type": "String",
+            "metadata": {
+                "displayName": "Tag operator",
+                "description": "Matching condition for resource tags"
+            },
+            "allowedValues": [
+                "All",
+                "Any"
+            ],
+            "defaultValue": "Any"
+        }
+    },
+    "variables": {
+        "policyDefinitions": {
+            "vmCheckUpdates": "/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15"
+        },
+        "policyAssignmentNames": {
+            "vmCheckUpdates": "[concat('Enable-AUM-VM-', parameters('osType'))]",
+            "description": "Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",
+            "displayName": "[concat('Configure periodic checking for missing system updates on azure virtual machines - ', parameters('osType'))]"
+        },
+        "nonComplianceMessage": {
+            "message": "Periodic checking of missing updates {enforcementMode} be enabled.",
+            "Default": "must",
+            "DoNotEnforce": "should"
+        },
+        "rbacNetworkContributor": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
+        "roleAssignmentNames": {
+            "roleAssignmentNameVmContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmCheckUpdates))]"
+        }
+    },
+    "resources": [
+        {
+            "type": "Microsoft.Authorization/policyAssignments",
+            "apiVersion": "2022-06-01",
+            "name": "[variables('policyAssignmentNames').vmCheckUpdates]",
+            "location": "[deployment().location]",
+            "identity": {
+                "type": "SystemAssigned"
+            },
+            "properties": {
+                "description": "[variables('policyAssignmentNames').description]",
+                "displayName": "[variables('policyAssignmentNames').displayName]",
+                "policyDefinitionId": "[variables('policyDefinitions').vmCheckUpdates]",
+                "enforcementMode": "[parameters('enforcementMode')]",
+                "nonComplianceMessages": [
+                    {
+                        "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+                    }
+                ],
+                "parameters": {
+                    "assessmentMode": {
+                        "value": "[parameters('assessmentMode')]"
+                    },
+                    "osType": {
+                        "value": "[parameters('osType')]"
+                    },
+                    "locations": {
+                        "value": "[parameters('locations')]"
+                    },
+                    "tagValues": {
+                        "value": "[parameters('tagValues')]"
+                    },
+                    "tagOperator": {
+                        "value": "[parameters('tagOperator')]"
+                    }
+                }
+            }
+        },
+        {
+            "type": "Microsoft.Authorization/roleAssignments",
+            "apiVersion": "2022-04-01",
+            "name": "[variables('roleAssignmentNames').roleAssignmentNameVmContributor]",
+            "dependsOn": [
+                "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').vmCheckUpdates)]"
+            ],
+            "properties": {
+                "principalType": "ServicePrincipal",
+                "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacNetworkContributor'))]",
+                "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmCheckUpdates), '2019-09-01', 'Full' ).identity.principalId)]"
+            }
+        }
+    ],
+    "outputs": {}
+}
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/MODIFY-AUM-VMHybridCheckUpdatesPolicyAssignment.json.json b/eslzArm/managementGroupTemplates/policyAssignments/MODIFY-AUM-VMHybridCheckUpdatesPolicyAssignment.json.json
new file mode 100644
index 000000000..bd680e501
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/MODIFY-AUM-VMHybridCheckUpdatesPolicyAssignment.json.json
@@ -0,0 +1,148 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "topLevelManagementGroupPrefix": {
+            "type": "string",
+            "metadata": {
+                "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
+            }
+        },
+        "enforcementMode": {
+            "type": "string",
+            "allowedValues": [
+                "Default",
+                "DoNotEnforce"
+            ],
+            "defaultValue": "Default"
+        },
+        "nonComplianceMessagePlaceholder": {
+            "type": "string",
+            "defaultValue": "{enforcementMode}"
+        },
+        "assessmentMode": {
+            "type": "String",
+            "metadata": {
+                "displayName": "Assessment mode",
+                "description": "Assessment mode for the machines."
+            },
+            "allowedValues": [
+                "ImageDefault",
+                "AutomaticByPlatform"
+            ],
+            "defaultValue": "AutomaticByPlatform"
+        },
+        "osType": {
+            "type": "String",
+            "metadata": {
+                "displayName": "OS type",
+                "description": "OS type for the machines."
+            },
+            "allowedValues": [
+                "Windows",
+                "Linux"
+            ]
+        },
+        "locations": {
+            "type": "Array",
+            "metadata": {
+                "displayName": "Machines locations",
+                "description": "The list of locations from which machines need to be targeted.",
+                "strongType": "location"
+            },
+            "defaultValue": []
+        },
+        "tagValues": {
+            "type": "Object",
+            "metadata": {
+                "displayName": "Tags on machines",
+                "description": "The list of tags that need to matched for getting target machines."
+            },
+            "defaultValue": {}
+        },
+        "tagOperator": {
+            "type": "String",
+            "metadata": {
+                "displayName": "Tag operator",
+                "description": "Matching condition for resource tags"
+            },
+            "allowedValues": [
+                "All",
+                "Any"
+            ],
+            "defaultValue": "Any"
+        }
+    },
+    "variables": {
+        "policyDefinitions": {
+            "vmCheckUpdates": "/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46"
+        },
+        "policyAssignmentNames": {
+            "vmCheckUpdates": "[concat('Enable-AUM-VMHyb-', parameters('osType'))]",
+            "description": "	Configure auto-assessment (every 24 hours) for OS updates on Azure Arc-enabled servers. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",
+            "displayName": "[concat('Configure periodic checking for missing system updates on azure Arc-enabled servers - ', parameters('osType'))]"
+        },
+        "nonComplianceMessage": {
+            "message": "Periodic checking of missing updates {enforcementMode} be enabled.",
+            "Default": "must",
+            "DoNotEnforce": "should"
+        },
+        "rbacNetworkContributor": "cd570a14-e51a-42ad-bac8-bafd67325302",
+        "roleAssignmentNames": {
+            "roleAssignmentNameAzureConnectedMachineResourceAdministrator": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmCheckUpdates))]"
+        }
+    },
+    "resources": [
+        {
+            "type": "Microsoft.Authorization/policyAssignments",
+            "apiVersion": "2022-06-01",
+            "name": "[variables('policyAssignmentNames').vmCheckUpdates]",
+            "location": "[deployment().location]",
+            "identity": {
+                "type": "SystemAssigned"
+            },
+            "properties": {
+                "description": "[variables('policyAssignmentNames').description]",
+                "displayName": "[variables('policyAssignmentNames').displayName]",
+                "policyDefinitionId": "[variables('policyDefinitions').vmCheckUpdates]",
+                "enforcementMode": "[parameters('enforcementMode')]",
+                "nonComplianceMessages": [
+                    {
+                        "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+                    }
+                ],
+                "parameters": {
+                    "assessmentMode": {
+                        "value": "[parameters('assessmentMode')]"
+                    },
+                    "osType": {
+                        "value": "[parameters('osType')]"
+                    },
+                    "locations": {
+                        "value": "[parameters('locations')]"
+                    },
+                    "tagValues": {
+                        "value": "[parameters('tagValues')]"
+                    },
+                    "tagOperator": {
+                        "value": "[parameters('tagOperator')]"
+                    }
+                }
+            }
+        },
+        {
+            "type": "Microsoft.Authorization/roleAssignments",
+            "apiVersion": "2022-04-01",
+            "name": "[variables('roleAssignmentNames').roleAssignmentNameAzureConnectedMachineResourceAdministrator]",
+            "dependsOn": [
+                "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').vmCheckUpdates)]"
+            ],
+            "properties": {
+                "principalType": "ServicePrincipal",
+                "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacNetworkContributor'))]",
+                "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmCheckUpdates), '2019-09-01', 'Full' ).identity.principalId)]"
+            }
+        }
+    ],
+    "outputs": {}
+}
diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json
index 310909fb9..eca2aa1a2 100644
--- a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json
+++ b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json
@@ -5,7 +5,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.24.24.22086",
-      "templateHash": "16254215850160470748"
+      "templateHash": "7911602055513483290"
     }
   },
   "parameters": {
@@ -131,64 +131,72 @@
     "$fxv#109": "{\n    \"name\": \"DenyAction-DiagnosticLogs\",\n    \"type\": \"Microsoft.Authorization/policyDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"mode\": \"Indexed\",\n        \"displayName\": \"DenyAction implementation on Diagnostic Logs.\",\n        \"description\": \"DenyAction implementation on Diagnostic Logs.\",\n        \"metadata\": {\n            \"deprecated\": false,\n            \"version\": \"1.0.0\",\n            \"category\": \"Monitoring\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\",\n                \"AzureChinaCloud\",\n                \"AzureUSGovernment\"\n            ]\n        },\n        \"parameters\": {},\n        \"policyRule\": {\n            \"if\": {\n                \"field\": \"type\",\n                \"equals\": \"Microsoft.Insights/diagnosticSettings\"\n            },\n            \"then\": {\n                \"effect\": \"denyAction\",\n                \"details\": {\n                    \"actionNames\": [\n                        \"delete\"\n                    ]\n                }\n            }\n        }\n    }\n}",
     "$fxv#11": "{\n  \"name\": \"Deny-AppServiceFunctionApp-http\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Function App should only be accessible over HTTPS\",\n    \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"App Service\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Deny\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Web/sites\"\n          },\n          {\n            \"field\": \"kind\",\n            \"like\": \"functionapp*\"\n          },\n          {\n            \"field\": \"Microsoft.Web/sites/httpsOnly\",\n            \"equals\": \"false\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
     "$fxv#110": "{\n    \"name\": \"DenyAction-ActivityLogs\",\n    \"type\": \"Microsoft.Authorization/policyDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"mode\": \"Indexed\",\n        \"displayName\": \"DenyAction implementation on Activity Logs\",\n        \"description\": \"This is a DenyAction implementation policy on Activity Logs.\",\n        \"metadata\": {\n            \"deprecated\": false,            \n            \"version\": \"1.0.0\",\n            \"category\": \"Monitoring\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\",\n                \"AzureChinaCloud\",\n                \"AzureUSGovernment\"\n            ]\n        },\n        \"parameters\": {},\n        \"policyRule\": {\n            \"if\": {\n                \"field\": \"type\",\n                \"equals\": \"Microsoft.Resources/subscriptions/providers/diagnosticSettings\"\n            },\n            \"then\": {\n                \"effect\": \"denyAction\",\n                \"details\": {\n                    \"actionNames\": [\n                        \"delete\"\n                    ]\n                }\n            }\n        }\n    }\n}",
-    "$fxv#111": "{\n  \"name\": \"Audit-MachineLearning-PrivateEndpointId\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Control private endpoint connections to Azure Machine Learning\",\n    \"description\": \"Audit private endpoints that are created in other subscriptions and/or tenants for Azure Machine Learning.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Machine Learning\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Audit\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections\"\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status\",\n            \"equals\": \"Approved\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id\",\n                \"exists\": false\n              },\n              {\n                \"value\": \"[[split(concat(field('Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id'), '//'), '/')[2]]\",\n                \"notEquals\": \"[[subscription().subscriptionId]\"\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#112": "{\n  \"name\": \"Deny-AA-child-resources\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"No child resources in Automation Account\",\n    \"description\": \"This policy denies the creation of child resources on the Automation Account\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Automation\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"in\": [\n              \"Microsoft.Automation/automationAccounts/runbooks\",\n              \"Microsoft.Automation/automationAccounts/variables\",\n              \"Microsoft.Automation/automationAccounts/modules\",\n              \"Microsoft.Automation/automationAccounts/credentials\",\n              \"Microsoft.Automation/automationAccounts/connections\",\n              \"Microsoft.Automation/automationAccounts/certificates\"\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#113": "{\n  \"name\": \"Deny-Databricks-NoPublicIp\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deny public IPs for Databricks cluster\",\n    \"description\": \"Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Databricks\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Databricks/workspaces\"\n          },\n          {\n            \"field\": \"Microsoft.DataBricks/workspaces/parameters.enableNoPublicIp.value\",\n            \"notEquals\": true\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#114": "{\n  \"name\": \"Deny-Databricks-Sku\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deny non-premium Databricks sku\",\n    \"description\": \"Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for Microsoft Entra ID.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Databricks\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Databricks/workspaces\"\n          },\n          {\n            \"field\": \"Microsoft.DataBricks/workspaces/sku.name\",\n            \"notEquals\": \"premium\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}",
-    "$fxv#115": "{\n  \"name\": \"Deny-Databricks-VirtualNetwork\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deny Databricks workspaces without Vnet injection\",\n    \"description\": \"Enforces the use of vnet injection for Databricks workspaces.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Databricks\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Databricks/workspaces\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.DataBricks/workspaces/parameters.customVirtualNetworkId.value\",\n                \"exists\": false\n              },\n              {\n                \"field\": \"Microsoft.DataBricks/workspaces/parameters.customPublicSubnetName.value\",\n                \"exists\": false\n              },\n              {\n                \"field\": \"Microsoft.DataBricks/workspaces/parameters.customPrivateSubnetName.value\",\n                \"exists\": false\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#116": "{\n  \"name\": \"Deny-MachineLearning-Aks\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deny AKS cluster creation in Azure Machine Learning\",\n    \"description\": \"Deny AKS cluster creation in Azure Machine Learning and enforce connecting to existing clusters.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Machine Learning\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n            \"equals\": \"AKS\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/resourceId\",\n                \"exists\": false\n              },\n              {\n                \"value\": \"[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/resourceId'))]\",\n                \"equals\": true\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#117": "{\n  \"name\": \"Deny-MachineLearning-Compute-SubnetId\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances\",\n    \"description\": \"Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Machine Learning\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n            \"in\": [\n              \"AmlCompute\",\n              \"ComputeInstance\"\n            ]\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/subnet.id\",\n                \"exists\": false\n              },\n              {\n                \"value\": \"[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/subnet.id'))]\",\n                \"equals\": true\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#118": "{\n  \"name\": \"Deny-MachineLearning-Compute-VmSize\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances\",\n    \"description\": \"Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Budget\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"allowedVmSizes\": {\n        \"type\": \"Array\",\n        \"metadata\": {\n          \"displayName\": \"Allowed VM Sizes for Aml Compute Clusters and Instances\",\n          \"description\": \"Specifies the allowed VM Sizes for Aml Compute Clusters and Instances\"\n        },\n        \"defaultValue\": [\n          \"Standard_D1_v2\",\n          \"Standard_D2_v2\",\n          \"Standard_D3_v2\",\n          \"Standard_D4_v2\",\n          \"Standard_D11_v2\",\n          \"Standard_D12_v2\",\n          \"Standard_D13_v2\",\n          \"Standard_D14_v2\",\n          \"Standard_DS1_v2\",\n          \"Standard_DS2_v2\",\n          \"Standard_DS3_v2\",\n          \"Standard_DS4_v2\",\n          \"Standard_DS5_v2\",\n          \"Standard_DS11_v2\",\n          \"Standard_DS12_v2\",\n          \"Standard_DS13_v2\",\n          \"Standard_DS14_v2\",\n          \"Standard_M8-2ms\",\n          \"Standard_M8-4ms\",\n          \"Standard_M8ms\",\n          \"Standard_M16-4ms\",\n          \"Standard_M16-8ms\",\n          \"Standard_M16ms\",\n          \"Standard_M32-8ms\",\n          \"Standard_M32-16ms\",\n          \"Standard_M32ls\",\n          \"Standard_M32ms\",\n          \"Standard_M32ts\",\n          \"Standard_M64-16ms\",\n          \"Standard_M64-32ms\",\n          \"Standard_M64ls\",\n          \"Standard_M64ms\",\n          \"Standard_M64s\",\n          \"Standard_M128-32ms\",\n          \"Standard_M128-64ms\",\n          \"Standard_M128ms\",\n          \"Standard_M128s\",\n          \"Standard_M64\",\n          \"Standard_M64m\",\n          \"Standard_M128\",\n          \"Standard_M128m\",\n          \"Standard_D1\",\n          \"Standard_D2\",\n          \"Standard_D3\",\n          \"Standard_D4\",\n          \"Standard_D11\",\n          \"Standard_D12\",\n          \"Standard_D13\",\n          \"Standard_D14\",\n          \"Standard_DS15_v2\",\n          \"Standard_NV6\",\n          \"Standard_NV12\",\n          \"Standard_NV24\",\n          \"Standard_F2s_v2\",\n          \"Standard_F4s_v2\",\n          \"Standard_F8s_v2\",\n          \"Standard_F16s_v2\",\n          \"Standard_F32s_v2\",\n          \"Standard_F64s_v2\",\n          \"Standard_F72s_v2\",\n          \"Standard_NC6s_v3\",\n          \"Standard_NC12s_v3\",\n          \"Standard_NC24rs_v3\",\n          \"Standard_NC24s_v3\",\n          \"Standard_NC6\",\n          \"Standard_NC12\",\n          \"Standard_NC24\",\n          \"Standard_NC24r\",\n          \"Standard_ND6s\",\n          \"Standard_ND12s\",\n          \"Standard_ND24rs\",\n          \"Standard_ND24s\",\n          \"Standard_NC6s_v2\",\n          \"Standard_NC12s_v2\",\n          \"Standard_NC24rs_v2\",\n          \"Standard_NC24s_v2\",\n          \"Standard_ND40rs_v2\",\n          \"Standard_NV12s_v3\",\n          \"Standard_NV24s_v3\",\n          \"Standard_NV48s_v3\"\n        ]\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n            \"in\": [\n              \"AmlCompute\",\n              \"ComputeInstance\"\n            ]\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/vmSize\",\n            \"notIn\": \"[[parameters('allowedVmSizes')]\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#119": "{\n  \"name\": \"Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"All\",\n    \"displayName\": \"Deny public access of Azure Machine Learning clusters via SSH\",\n    \"description\": \"Deny public access of Azure Machine Learning clusters via SSH.\",\n    \"metadata\": {\n      \"version\": \"1.1.0\",\n      \"category\": \"Machine Learning\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n            \"equals\": \"AmlCompute\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\",\n                \"exists\": false\n              },\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\",\n                \"notEquals\": \"Disabled\"\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
+    "$fxv#111": "{\n    \"name\": \"Deploy-UserAssignedManagedIdentity-VMInsights\",\n    \"type\": \"Microsoft.Authorization/policyDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"displayName\": \"Deploy User Assigned Managed Identity for VM Insights\",\n        \"policyType\": \"Custom\",\n        \"mode\": \"Indexed\",\n        \"description\": \"Create and assign a User Assigned Managed Identity to Virtual Machines for VM Insights\",\n        \"metadata\": {\n            \"version\": \"1.0.0\",\n            \"category\": \"Managed Identity\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"alzCloudEnvironments\": [\n              \"AzureCloud\",\n              \"AzureChinaCloud\",\n              \"AzureUSGovernment\"\n            ]\n          },\n        \"parameters\": {\n            \"bringYourOwnUserAssignedManagedIdentity\": {\n                \"type\": \"Boolean\",\n                \"metadata\": {\n                    \"displayName\": \"Bring Your Own User-Assigned Identity\",\n                    \"description\": \"Enable this to use your pre-created user-assigned managed identity. The pre-created identity MUST exist within the subscription otherwise the policy deployment will fail. If enabled, ensure that the User-Assigned Identity Name and Identity Resource Group Name parameters match the pre-created identity. If not enabled, the policy will create per subscription, per resource user-assigned managed identities in a new resource group named 'Built-In-Identity-RG'.\"\n                },\n                \"allowedValues\": [\n                    true,\n                    false\n                ]\n            },\n            \"userAssignedIdentityName\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"User-Assigned Managed Identity Name\",\n                    \"description\": \"The name of the pre-created user-assigned managed identity.\"\n                },\n                \"defaultValue\": \"\"\n            },\n            \"identityResourceGroup\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"User-Assigned Managed Identity Resource Group Name\",\n                    \"description\": \"The resource group in which the pre-created user-assigned managed identity resides.\"\n                },\n                \"defaultValue\": \"\"\n            },\n            \"builtInIdentityResourceGroupLocation\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Built-In-Identity-RG Location\",\n                    \"description\": \"The location of the resource group 'Built-In-Identity-RG' created by the policy. This parameter is only used when 'Bring Your Own User Assigned Identity' parameter is false.\"\n                },\n                \"defaultValue\": \"eastus\"\n            },\n            \"effect\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Policy Effect\",\n                    \"description\": \"The effect determines what happens when the policy rule is evaluated to match.\"\n                },\n                \"allowedValues\": [\n                    \"AuditIfNotExists\",\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\"\n            }\n        },\n        \"policyRule\": {\n            \"if\": {\n                \"allOf\": [\n                    {\n                        \"field\": \"type\",\n                        \"equals\": \"Microsoft.Compute/virtualMachines\"\n                    },\n                    {\n                        \"value\": \"[[requestContext().apiVersion]\",\n                        \"greaterOrEquals\": \"2018-10-01\"\n                    }\n                ]\n            },\n            \"then\": {\n                \"effect\": \"[[parameters('effect')]\",\n                \"details\": {\n                    \"type\": \"Microsoft.Compute/virtualMachines\",\n                    \"name\": \"[[field('name')]\",\n                    \"evaluationDelay\": \"AfterProvisioning\",\n                    \"deploymentScope\": \"subscription\",\n                    \"existenceCondition\": {\n                        \"anyOf\": [\n                            {\n                                \"allOf\": [\n                                    {\n                                        \"field\": \"identity.type\",\n                                        \"contains\": \"UserAssigned\"\n                                    },\n                                    {\n                                        \"field\": \"identity.userAssignedIdentities\",\n                                        \"containsKey\": \"[[if(parameters('bringYourOwnUserAssignedManagedIdentity'), concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('userAssignedIdentityName'))), concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/Built-In-Identity-RG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/Built-In-Identity-', field('location')))]\"\n                                    }\n                                ]\n                            },\n                            {\n                                \"allOf\": [\n                                    {\n                                        \"field\": \"identity.type\",\n                                        \"equals\": \"UserAssigned\"\n                                    },\n                                    {\n                                        \"value\": \"[[string(length(field('identity.userAssignedIdentities')))]\",\n                                        \"equals\": \"1\"\n                                    }\n                                ]\n                            }\n                        ]\n                    },\n                    \"roleDefinitionIds\": [\n                        \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n                    ],\n                    \"deployment\": {\n                        \"location\": \"eastus\",\n                        \"properties\": {\n                            \"mode\": \"incremental\",\n                            \"parameters\": {\n                                \"bringYourOwnUserAssignedManagedIdentity\": {\n                                    \"value\": \"[[parameters('bringYourOwnUserAssignedManagedIdentity')]\"\n                                },\n                                \"location\": {\n                                    \"value\": \"[[field('location')]\"\n                                },\n                                \"uaName\": {\n                                    \"value\": \"[[if(parameters('bringYourOwnUserAssignedManagedIdentity'), parameters('userAssignedIdentityName'), 'Built-In-Identity')]\"\n                                },\n                                \"identityResourceGroup\": {\n                                    \"value\": \"[[if(parameters('bringYourOwnUserAssignedManagedIdentity'), parameters('identityResourceGroup'), 'Built-In-Identity-RG')]\"\n                                },\n                                \"builtInIdentityResourceGroupLocation\": {\n                                    \"value\": \"[[parameters('builtInIdentityResourceGroupLocation')]\"\n                                },\n                                \"vmName\": {\n                                    \"value\": \"[[field('name')]\"\n                                },\n                                \"vmResourceGroup\": {\n                                    \"value\": \"[[resourceGroup().name]\"\n                                },\n                                \"resourceId\": {\n                                    \"value\": \"[[field('id')]\"\n                                }\n                            },\n                            \"template\": {\n                                \"$schema\": \"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#\",\n                                \"contentVersion\": \"1.0.0.1\",\n                                \"parameters\": {\n                                    \"bringYourOwnUserAssignedManagedIdentity\": {\n                                        \"type\": \"bool\"\n                                    },\n                                    \"location\": {\n                                        \"type\": \"string\"\n                                    },\n                                    \"uaName\": {\n                                        \"type\": \"string\"\n                                    },\n                                    \"identityResourceGroup\": {\n                                        \"type\": \"string\"\n                                    },\n                                    \"builtInIdentityResourceGroupLocation\": {\n                                        \"type\": \"string\"\n                                    },\n                                    \"vmName\": {\n                                        \"type\": \"string\"\n                                    },\n                                    \"vmResourceGroup\": {\n                                        \"type\": \"string\"\n                                    },\n                                    \"resourceId\": {\n                                        \"type\": \"string\"\n                                    }\n                                },\n                                \"variables\": {\n                                    \"uaNameWithLocation\": \"[[concat(parameters('uaName'),'-', parameters('location'))]\",\n                                    \"precreatedUaId\": \"[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('uaName')))]\",\n                                    \"autocreatedUaId\": \"[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('uaName')), '-', parameters('location'))]\",\n                                    \"deployUALockName\": \"[[concat('deployUALock-', uniqueString(deployment().name))]\",\n                                    \"deployUAName\": \"[[concat('deployUA-', uniqueString(deployment().name))]\",\n                                    \"deployGetResourceProperties\": \"[[concat('deployGetResourceProperties-', uniqueString(deployment().name))]\",\n                                    \"deployAssignUAName\": \"[[concat('deployAssignUA-', uniqueString(deployment().name))]\"\n                                },\n                                \"resources\": [\n                                    {\n                                        \"type\": \"Microsoft.Resources/resourceGroups\",\n                                        \"apiVersion\": \"2020-06-01\",\n                                        \"name\": \"[[parameters('identityResourceGroup')]\",\n                                        \"location\": \"[[parameters('builtInIdentityResourceGroupLocation')]\"\n                                    },\n                                    {\n                                        \"condition\": \"[[parameters('bringYourOwnUserAssignedManagedIdentity')]\",\n                                        \"type\": \"Microsoft.Resources/deployments\",\n                                        \"apiVersion\": \"2020-06-01\",\n                                        \"name\": \"[[variables('deployUALockName')]\",\n                                        \"resourceGroup\": \"[[parameters('identityResourceGroup')]\",\n                                        \"dependsOn\": [\n                                            \"[[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]\"\n                                        ],\n                                        \"properties\": {\n                                            \"mode\": \"Incremental\",\n                                            \"expressionEvaluationOptions\": {\n                                                \"scope\": \"inner\"\n                                            },\n                                            \"parameters\": {\n                                                \"uaName\": {\n                                                    \"value\": \"[[parameters('uaName')]\"\n                                                },\n                                                \"location\": {\n                                                    \"value\": \"[[parameters('location')]\"\n                                                }\n                                            },\n                                            \"template\": {\n                                                \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n                                                \"contentVersion\": \"1.0.0.0\",\n                                                \"parameters\": {\n                                                    \"uaName\": {\n                                                        \"type\": \"string\"\n                                                    },\n                                                    \"location\": {\n                                                        \"type\": \"string\"\n                                                    }\n                                                },\n                                                \"variables\": {},\n                                                \"resources\": [\n                                                    {\n                                                        \"type\": \"Microsoft.ManagedIdentity/userAssignedIdentities\",\n                                                        \"name\": \"[[parameters('uaName')]\",\n                                                        \"apiVersion\": \"2018-11-30\",\n                                                        \"location\": \"[[parameters('location')]\"\n                                                    }\n                                                ]\n                                            }\n                                        }\n                                    },\n                                    {\n                                        \"condition\": \"[[not(parameters('bringYourOwnUserAssignedManagedIdentity'))]\",\n                                        \"type\": \"Microsoft.Resources/deployments\",\n                                        \"apiVersion\": \"2020-06-01\",\n                                        \"name\": \"[[variables('deployUAName')]\",\n                                        \"resourceGroup\": \"[[parameters('identityResourceGroup')]\",\n                                        \"dependsOn\": [\n                                            \"[[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]\"\n                                        ],\n                                        \"properties\": {\n                                            \"mode\": \"Incremental\",\n                                            \"expressionEvaluationOptions\": {\n                                                \"scope\": \"inner\"\n                                            },\n                                            \"parameters\": {\n                                                \"uaName\": {\n                                                    \"value\": \"[[variables('uaNameWithLocation')]\"\n                                                },\n                                                \"location\": {\n                                                    \"value\": \"[[parameters('location')]\"\n                                                }\n                                            },\n                                            \"template\": {\n                                                \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n                                                \"contentVersion\": \"1.0.0.0\",\n                                                \"parameters\": {\n                                                    \"uaName\": {\n                                                        \"type\": \"string\"\n                                                    },\n                                                    \"location\": {\n                                                        \"type\": \"string\"\n                                                    }\n                                                },\n                                                \"variables\": {},\n                                                \"resources\": [\n                                                    {\n                                                        \"type\": \"Microsoft.ManagedIdentity/userAssignedIdentities\",\n                                                        \"name\": \"[[parameters('uaName')]\",\n                                                        \"apiVersion\": \"2018-11-30\",\n                                                        \"location\": \"[[parameters('location')]\"\n                                                    },\n                                                    {\n                                                        \"type\": \"Microsoft.ManagedIdentity/userAssignedIdentities/providers/locks\",\n                                                        \"apiVersion\": \"2016-09-01\",\n                                                        \"name\": \"[[concat(parameters('uaName'), '/Microsoft.Authorization/', 'CanNotDeleteLock-', parameters('uaName'))]\",\n                                                        \"dependsOn\": [\n                                                            \"[[parameters('uaName')]\"\n                                                        ],\n                                                        \"properties\": {\n                                                            \"level\": \"CanNotDelete\",\n                                                            \"notes\": \"Please do not delete this User-Assigned Identity since extensions enabled by Azure Policy are relying on their existence.\"\n                                                        }\n                                                    }\n                                                ]\n                                            }\n                                        }\n                                    },\n                                    {\n                                        \"type\": \"Microsoft.Resources/deployments\",\n                                        \"apiVersion\": \"2020-06-01\",\n                                        \"name\": \"[[variables('deployGetResourceProperties')]\",\n                                        \"location\": \"[[parameters('location')]\",\n                                        \"dependsOn\": [\n                                            \"[[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]\",\n                                            \"[[variables('deployUAName')]\"\n                                        ],\n                                        \"properties\": {\n                                            \"mode\": \"Incremental\",\n                                            \"template\": {\n                                                \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n                                                \"contentVersion\": \"1.0.0.0\",\n                                                \"resources\": [],\n                                                \"outputs\": {\n                                                    \"resource\": {\n                                                        \"type\": \"object\",\n                                                        \"value\": \"[[reference(parameters('resourceId'), '2019-07-01', 'Full')]\"\n                                                    }\n                                                }\n                                            }\n                                        }\n                                    },\n                                    {\n                                        \"type\": \"Microsoft.Resources/deployments\",\n                                        \"apiVersion\": \"2020-06-01\",\n                                        \"name\": \"[[concat(variables('deployAssignUAName'))]\",\n                                        \"resourceGroup\": \"[[parameters('vmResourceGroup')]\",\n                                        \"dependsOn\": [\n                                            \"[[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]\",\n                                            \"[[variables('deployUAName')]\",\n                                            \"[[variables('deployGetResourceProperties')]\"\n                                        ],\n                                        \"properties\": {\n                                            \"mode\": \"Incremental\",\n                                            \"expressionEvaluationOptions\": {\n                                                \"scope\": \"inner\"\n                                            },\n                                            \"parameters\": {\n                                                \"uaId\": {\n                                                    \"value\": \"[[if(parameters('bringYourOwnUserAssignedManagedIdentity'), variables('precreatedUaId'), variables('autocreatedUaId'))]\"\n                                                },\n                                                \"vmName\": {\n                                                    \"value\": \"[[parameters('vmName')]\"\n                                                },\n                                                \"location\": {\n                                                    \"value\": \"[[parameters('location')]\"\n                                                },\n                                                \"identityType\": {\n                                                    \"value\": \"[[if(contains(reference(variables('deployGetResourceProperties')).outputs.resource.value, 'identity'), reference(variables('deployGetResourceProperties')).outputs.resource.value.identity.type, '')]\"\n                                                },\n                                                \"userAssignedIdentities\": {\n                                                    \"value\": \"[[if(and(contains(reference(variables('deployGetResourceProperties')).outputs.resource.value, 'identity'), contains(reference(variables('deployGetResourceProperties')).outputs.resource.value.identity, 'userAssignedIdentities')), reference(variables('deployGetResourceProperties')).outputs.resource.value.identity.userAssignedIdentities, createObject())]\"\n                                                }\n                                            },\n                                            \"template\": {\n                                                \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n                                                \"contentVersion\": \"1.0.0.0\",\n                                                \"parameters\": {\n                                                    \"uaId\": {\n                                                        \"type\": \"string\"\n                                                    },\n                                                    \"vmName\": {\n                                                        \"type\": \"string\"\n                                                    },\n                                                    \"location\": {\n                                                        \"type\": \"string\"\n                                                    },\n                                                    \"identityType\": {\n                                                        \"type\": \"string\"\n                                                    },\n                                                    \"userAssignedIdentities\": {\n                                                        \"type\": \"object\"\n                                                    }\n                                                },\n                                                \"variables\": {\n                                                    \"identityTypeValue\": \"[[if(contains(parameters('identityType'), 'SystemAssigned'), 'SystemAssigned,UserAssigned', 'UserAssigned')]\",\n                                                    \"userAssignedIdentitiesValue\": \"[[union(parameters('userAssignedIdentities'), createObject(parameters('uaId'), createObject()))]\",\n                                                    \"resourceWithSingleUAI\": \"[[and(equals(parameters('identityType'), 'UserAssigned'), equals(string(length(parameters('userAssignedIdentities'))), '1'))]\"\n                                                },\n                                                \"resources\": [\n                                                    {\n                                                        \"condition\": \"[[not(variables('resourceWithSingleUAI'))]\",\n                                                        \"apiVersion\": \"2019-07-01\",\n                                                        \"type\": \"Microsoft.Compute/virtualMachines\",\n                                                        \"name\": \"[[parameters('vmName')]\",\n                                                        \"location\": \"[[parameters('location')]\",\n                                                        \"identity\": {\n                                                            \"type\": \"[[variables('identityTypeValue')]\",\n                                                            \"userAssignedIdentities\": \"[[variables('userAssignedIdentitiesValue')]\"\n                                                        }\n                                                    }\n                                                ]\n                                            }\n                                        }\n                                    }\n                                ]\n                            }\n                        }\n                    }\n                }\n            }\n        }\n    }\n}\n",
+    "$fxv#112": "{\n  \"name\": \"Deploy-MDFC-Arc-SQL-DCR-Association\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR\",\n    \"description\": \"Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Servers.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Security Center\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      },\n      \"workspaceRegion\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Workspace region\",\n          \"description\": \"Region of the Log Analytics workspace destination for the Data Collection Rule.\",\n          \"strongType\": \"location\"\n        }\n      },\n      \"dcrName\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Data Collection Rule Name\",\n          \"description\": \"Name of the Data Collection Rule.\"\n        }\n      },\n      \"dcrResourceGroup\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Data Collection Rule Resource Group\",\n          \"description\": \"Resource Group of the Data Collection Rule.\"\n        }\n      },\n      \"dcrId\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Data Collection Rule Id\",\n          \"description\": \"Id of the Data Collection Rule.\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.HybridCompute/machines\"\n          },\n          {\n            \"field\": \"Microsoft.HybridCompute/machines/osName\",\n            \"equals\": \"Windows\"\n          },\n          {\n            \"field\": \"Microsoft.HybridCompute/machines/mssqlDiscovered\",\n            \"equals\": \"true\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Insights/dataCollectionRuleAssociations\",\n          \"name\": \"MicrosoftDefenderForSQL-RulesAssociation\",\n          \"roleDefinitionIds\": [\n            \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n            \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n          ],\n          \"deployment\": {\n            \"properties\": {\n              \"mode\": \"incremental\",\n              \"template\": {\n                \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"resourceGroup\": {\n                    \"type\": \"string\"\n                  },\n                  \"vmName\": {\n                    \"type\": \"string\"\n                  },\n                  \"workspaceRegion\": {\n                    \"type\": \"string\"\n                  },\n                  \"dcrName\": {\n                    \"type\": \"string\"\n                  },\n                  \"dcrResourceGroup\": {\n                    \"type\": \"string\"\n                  },\n                  \"dcrId\": {\n                    \"type\": \"string\"\n                  }\n                },\n                \"variables\": {\n                  \"locationLongNameToShortMap\": {\n                    \"australiacentral\": \"CAU\",\n                    \"australiaeast\": \"EAU\",\n                    \"australiasoutheast\": \"SEAU\",\n                    \"brazilsouth\": \"CQ\",\n                    \"canadacentral\": \"CCA\",\n                    \"canadaeast\": \"CCA\",\n                    \"centralindia\": \"CIN\",\n                    \"centralus\": \"CUS\",\n                    \"eastasia\": \"EA\",\n                    \"eastus2euap\": \"eus2p\",\n                    \"eastus\": \"EUS\",\n                    \"eastus2\": \"EUS2\",\n                    \"francecentral\": \"PAR\",\n                    \"germanywestcentral\": \"DEWC\",\n                    \"japaneast\": \"EJP\",\n                    \"jioindiawest\": \"CIN\",\n                    \"koreacentral\": \"SE\",\n                    \"koreasouth\": \"SE\",\n                    \"northcentralus\": \"NCUS\",\n                    \"northeurope\": \"NEU\",\n                    \"norwayeast\": \"NOE\",\n                    \"southafricanorth\": \"JNB\",\n                    \"southcentralus\": \"SCUS\",\n                    \"southeastasia\": \"SEA\",\n                    \"southindia\": \"CIN\",\n                    \"swedencentral\": \"SEC\",\n                    \"switzerlandnorth\": \"CHN\",\n                    \"switzerlandwest\": \"CHW\",\n                    \"uaenorth\": \"DXB\",\n                    \"uksouth\": \"SUK\",\n                    \"ukwest\": \"WUK\",\n                    \"westcentralus\": \"WCUS\",\n                    \"westeurope\": \"WEU\",\n                    \"westindia\": \"CIN\",\n                    \"westus\": \"WUS\",\n                    \"westus2\": \"WUS2\"\n                  },\n                  \"locationCode\": \"[[if(contains(variables('locationLongNameToShortMap'), parameters('workspaceRegion')), variables('locationLongNameToShortMap')[parameters('workspaceRegion')], parameters('workspaceRegion'))]\",\n                  \"subscriptionId\": \"[[subscription().subscriptionId]\",\n                  \"defaultRGName\": \"[[parameters('resourceGroup')]\",\n                  \"dcrName\": \"[[parameters('dcrName')]\",\n                  \"dcrId\": \"[[parameters('dcrId')]\",\n                  \"dcraName\": \"[[concat(parameters('vmName'),'/Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation')]\"\n                },\n                \"resources\": [\n                  {\n                    \"type\": \"Microsoft.HybridCompute/machines/providers/dataCollectionRuleAssociations\",\n                    \"name\": \"[[variables('dcraName')]\",\n                    \"apiVersion\": \"2021-04-01\",\n                    \"properties\": {\n                      \"description\": \"Configure association between Arc-enabled SQL Server and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Server.\",\n                      \"dataCollectionRuleId\": \"[[variables('dcrId')]\"\n                    }\n                  }\n                ]\n              },\n              \"parameters\": {\n                \"resourceGroup\": {\n                  \"value\": \"[[parameters('dcrResourceGroup')]\"\n                },\n                \"vmName\": {\n                  \"value\": \"[[field('name')]\"\n                },\n                \"workspaceRegion\": {\n                  \"value\": \"[[parameters('workspaceRegion')]\"\n                },\n                \"dcrName\": {\n                  \"value\": \"[[parameters('dcrName')]\"\n                },\n                \"dcrResourceGroup\": {\n                  \"value\": \"[[parameters('dcrResourceGroup')]\"\n                },\n                \"dcrId\": {\n                  \"value\": \"[[parameters('dcrId')]\"\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}",
+    "$fxv#113": "{\n  \"name\": \"Deploy-MDFC-Arc-Sql-DefenderSQL-DCR\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace\",\n    \"description\": \"Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Security Center\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      },\n      \"userWorkspaceResourceId\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Workspace Resource Id\",\n          \"description\": \"Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.\",\n          \"strongType\": \"omsWorkspace\"\n        }\n      },\n      \"workspaceRegion\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Workspace region\",\n          \"description\": \"Region of the Log Analytics workspace destination for the Data Collection Rule.\",\n          \"strongType\": \"location\"\n        }\n      },\n      \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n        \"type\": \"Boolean\",\n        \"metadata\": {\n          \"displayName\": \"Enable collection of SQL queries for security research\",\n          \"description\": \"Enable or disable the collection of SQL queries for security research.\"\n        },\n        \"allowedValues\": [\n          true,\n          false\n        ],\n        \"defaultValue\": false\n      },\n      \"dcrName\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Data Collection Rule Name\",\n          \"description\": \"Name of the Data Collection Rule.\"\n        }\n      },\n      \"dcrResourceGroup\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Data Collection Rule Resource Group\",\n          \"description\": \"Resource Group of the Data Collection Rule.\"\n        }\n      },\n      \"dcrId\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Data Collection Rule Id\",\n          \"description\": \"Id of the Data Collection Rule.\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.HybridCompute/machines\"\n          },\n          {\n            \"field\": \"Microsoft.HybridCompute/machines/osName\",\n            \"equals\": \"Windows\"\n          },\n          {\n            \"field\": \"Microsoft.HybridCompute/machines/mssqlDiscovered\",\n            \"equals\": \"true\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Insights/dataCollectionRules\",\n          \"deploymentScope\": \"subscription\",\n          \"roleDefinitionIds\": [\n            \"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n          ],\n          \"existenceScope\": \"subscription\",\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"location\",\n                \"equals\": \"[[parameters('workspaceRegion')]\"\n              },\n              {\n                \"field\": \"name\",\n                \"equals\": \"[[parameters('dcrName')]\"\n              }\n            ]\n          },\n          \"deployment\": {\n            \"location\": \"eastus\",\n            \"properties\": {\n              \"mode\": \"incremental\",\n              \"template\": {\n                \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"resourceGroup\": {\n                    \"type\": \"string\"\n                  },\n                  \"vmName\": {\n                    \"type\": \"string\"\n                  },\n                  \"userWorkspaceResourceId\": {\n                    \"type\": \"string\"\n                  },\n                  \"workspaceRegion\": {\n                    \"type\": \"string\"\n                  },\n                  \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n                    \"type\": \"bool\"\n                  },\n                  \"dcrName\": {\n                    \"type\": \"string\"\n                  },\n                  \"dcrResourceGroup\": {\n                    \"type\": \"string\"\n                  },\n                  \"dcrId\": {\n                    \"type\": \"string\"\n                  }\n                },\n                \"variables\": {\n                  \"locationLongNameToShortMap\": {\n                    \"australiacentral\": \"CAU\",\n                    \"australiaeast\": \"EAU\",\n                    \"australiasoutheast\": \"SEAU\",\n                    \"brazilsouth\": \"CQ\",\n                    \"canadacentral\": \"CCA\",\n                    \"canadaeast\": \"CCA\",\n                    \"centralindia\": \"CIN\",\n                    \"centralus\": \"CUS\",\n                    \"eastasia\": \"EA\",\n                    \"eastus2euap\": \"eus2p\",\n                    \"eastus\": \"EUS\",\n                    \"eastus2\": \"EUS2\",\n                    \"francecentral\": \"PAR\",\n                    \"germanywestcentral\": \"DEWC\",\n                    \"japaneast\": \"EJP\",\n                    \"jioindiawest\": \"CIN\",\n                    \"koreacentral\": \"SE\",\n                    \"koreasouth\": \"SE\",\n                    \"northcentralus\": \"NCUS\",\n                    \"northeurope\": \"NEU\",\n                    \"norwayeast\": \"NOE\",\n                    \"southafricanorth\": \"JNB\",\n                    \"southcentralus\": \"SCUS\",\n                    \"southeastasia\": \"SEA\",\n                    \"southindia\": \"CIN\",\n                    \"swedencentral\": \"SEC\",\n                    \"switzerlandnorth\": \"CHN\",\n                    \"switzerlandwest\": \"CHW\",\n                    \"uaenorth\": \"DXB\",\n                    \"uksouth\": \"SUK\",\n                    \"ukwest\": \"WUK\",\n                    \"westcentralus\": \"WCUS\",\n                    \"westeurope\": \"WEU\",\n                    \"westindia\": \"CIN\",\n                    \"westus\": \"WUS\",\n                    \"westus2\": \"WUS2\"\n                  },\n                  \"locationCode\": \"[[if(contains(variables('locationLongNameToShortMap'), parameters('workspaceRegion')), variables('locationLongNameToShortMap')[parameters('workspaceRegion')], parameters('workspaceRegion'))]\",\n                  \"subscriptionId\": \"[[subscription().subscriptionId]\",\n                  \"defaultRGName\": \"[[parameters('resourceGroup')]\",\n                  \"defaultRGLocation\": \"[[parameters('workspaceRegion')]\",\n                  \"dcrName\": \"[[parameters('dcrName')]\",\n                  \"dcrId\": \"[[parameters('dcrId')]\",\n                  \"dcraName\": \"[[concat(parameters('vmName'),'/Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation')]\",\n                  \"deployDataCollectionRules\": \"[[concat('deployDataCollectionRules-', uniqueString(deployment().name))]\",\n                  \"deployDataCollectionRulesAssociation\": \"[[concat('deployDataCollectionRulesAssociation-', uniqueString(deployment().name))]\"\n                },\n                \"resources\": [\n                  {\n                    \"condition\": \"[[empty(parameters('dcrResourceGroup'))]\",\n                    \"type\": \"Microsoft.Resources/resourceGroups\",\n                    \"name\": \"[[variables('defaultRGName')]\",\n                    \"apiVersion\": \"2022-09-01\",\n                    \"location\": \"[[variables('defaultRGLocation')]\",\n                    \"tags\": {\n                      \"createdBy\": \"MicrosoftDefenderForSQL\"\n                    }\n                  },\n                  {\n                    \"condition\": \"[[empty(parameters('dcrId'))]\",\n                    \"type\": \"Microsoft.Resources/deployments\",\n                    \"name\": \"[[variables('deployDataCollectionRules')]\",\n                    \"apiVersion\": \"2022-09-01\",\n                    \"resourceGroup\": \"[[variables('defaultRGName')]\",\n                    \"dependsOn\": [\n                      \"[[variables('defaultRGName')]\"\n                    ],\n                    \"properties\": {\n                      \"mode\": \"Incremental\",\n                      \"expressionEvaluationOptions\": {\n                        \"scope\": \"inner\"\n                      },\n                      \"parameters\": {\n                        \"defaultRGLocation\": {\n                          \"value\": \"[[variables('defaultRGLocation')]\"\n                        },\n                        \"workspaceResourceId\": {\n                          \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n                        },\n                        \"dcrName\": {\n                          \"value\": \"[[variables('dcrName')]\"\n                        },\n                        \"dcrId\": {\n                          \"value\": \"[[variables('dcrId')]\"\n                        },\n                        \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n                          \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n                        }\n                      },\n                      \"template\": {\n                        \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n                        \"contentVersion\": \"1.0.0.0\",\n                        \"parameters\": {\n                          \"defaultRGLocation\": {\n                            \"type\": \"string\"\n                          },\n                          \"workspaceResourceId\": {\n                            \"type\": \"string\"\n                          },\n                          \"dcrName\": {\n                            \"type\": \"string\"\n                          },\n                          \"dcrId\": {\n                            \"type\": \"string\"\n                          },\n                          \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n                            \"type\": \"bool\"\n                          }\n                        },\n                        \"variables\": {},\n                        \"resources\": [\n                          {\n                            \"type\": \"Microsoft.Insights/dataCollectionRules\",\n                            \"name\": \"[[parameters('dcrName')]\",\n                            \"apiVersion\": \"2021-04-01\",\n                            \"location\": \"[[parameters('defaultRGLocation')]\",\n                            \"tags\": {\n                              \"createdBy\": \"MicrosoftDefenderForSQL\"\n                            },\n                            \"properties\": {\n                              \"description\": \"Data collection rule for Microsoft Defender for SQL. Deleting this rule will break the detection of security vulnerabilities.\",\n                              \"dataSources\": {\n                                \"extensions\": [\n                                  {\n                                    \"extensionName\": \"MicrosoftDefenderForSQL\",\n                                    \"name\": \"MicrosoftDefenderForSQL\",\n                                    \"streams\": [\n                                      \"Microsoft-DefenderForSqlAlerts\",\n                                      \"Microsoft-DefenderForSqlLogins\",\n                                      \"Microsoft-DefenderForSqlTelemetry\",\n                                      \"Microsoft-DefenderForSqlScanEvents\",\n                                      \"Microsoft-DefenderForSqlScanResults\"\n                                    ],\n                                    \"extensionSettings\": {\n                                      \"enableCollectionOfSqlQueriesForSecurityResearch\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n                                    }\n                                  }\n                                ]\n                              },\n                              \"destinations\": {\n                                \"logAnalytics\": [\n                                  {\n                                    \"workspaceResourceId\": \"[[parameters('workspaceResourceId')]\",\n                                    \"name\": \"LogAnalyticsDest\"\n                                  }\n                                ]\n                              },\n                              \"dataFlows\": [\n                                {\n                                  \"streams\": [\n                                    \"Microsoft-DefenderForSqlAlerts\",\n                                    \"Microsoft-DefenderForSqlLogins\",\n                                    \"Microsoft-DefenderForSqlTelemetry\",\n                                    \"Microsoft-DefenderForSqlScanEvents\",\n                                    \"Microsoft-DefenderForSqlScanResults\"\n                                  ],\n                                  \"destinations\": [\n                                    \"LogAnalyticsDest\"\n                                  ]\n                                }\n                              ]\n                            }\n                          }\n                        ]\n                      }\n                    }\n                  },\n                  {\n                    \"type\": \"Microsoft.Resources/deployments\",\n                    \"name\": \"[[variables('deployDataCollectionRulesAssociation')]\",\n                    \"apiVersion\": \"2022-09-01\",\n                    \"resourceGroup\": \"[[parameters('resourceGroup')]\",\n                    \"dependsOn\": [\n                      \"[[variables('deployDataCollectionRules')]\"\n                    ],\n                    \"properties\": {\n                      \"mode\": \"Incremental\",\n                      \"expressionEvaluationOptions\": {\n                        \"scope\": \"inner\"\n                      },\n                      \"parameters\": {\n                        \"dcrId\": {\n                          \"value\": \"[[variables('dcrId')]\"\n                        },\n                        \"dcraName\": {\n                          \"value\": \"[[variables('dcraName')]\"\n                        }\n                      },\n                      \"template\": {\n                        \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n                        \"contentVersion\": \"1.0.0.0\",\n                        \"parameters\": {\n                          \"dcrId\": {\n                            \"type\": \"string\"\n                          },\n                          \"dcraName\": {\n                            \"type\": \"string\"\n                          }\n                        },\n                        \"resources\": [\n                          {\n                            \"type\": \"Microsoft.HybridCompute/machines/providers/dataCollectionRuleAssociations\",\n                            \"name\": \"[[parameters('dcraName')]\",\n                            \"apiVersion\": \"2021-04-01\",\n                            \"properties\": {\n                              \"description\": \"Configure association between Arc-enabled SQL Server and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Server.\",\n                              \"dataCollectionRuleId\": \"[[parameters('dcrId')]\"\n                            }\n                          }\n                        ]\n                      }\n                    }\n                  }\n                ]\n              },\n              \"parameters\": {\n                \"resourceGroup\": {\n                  \"value\": \"[[parameters('dcrResourceGroup')]\"\n                },\n                \"vmName\": {\n                  \"value\": \"[[field('name')]\"\n                },\n                \"userWorkspaceResourceId\": {\n                  \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n                },\n                \"workspaceRegion\": {\n                  \"value\": \"[[parameters('workspaceRegion')]\"\n                },\n                \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n                  \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n                },\n                \"dcrName\": {\n                  \"value\": \"[[parameters('dcrName')]\"\n                },\n                \"dcrResourceGroup\": {\n                  \"value\": \"[[parameters('dcrResourceGroup')]\"\n                },\n                \"dcrId\": {\n                  \"value\": \"[[parameters('dcrId')]\"\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}",
+    "$fxv#114": "{\n  \"name\": \"Deploy-MDFC-SQL-AMA\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Configure SQL Virtual Machines to automatically install Azure Monitor Agent\",\n    \"description\": \"Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Security Center\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      },\n      \"identityResourceGroup\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Identity Resource Group\",\n          \"description\": \"The name of the resource group created by the policy.\"\n        },\n        \"defaultValue\": \"\"\n      },\n      \"userAssignedIdentityName\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"User Assigned Managed Identity Name\",\n          \"description\": \"The name of the user assigned managed identity.\"\n        },\n        \"defaultValue\": \"\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Compute/virtualMachines\"\n          },\n          {\n            \"field\": \"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\n            \"like\": \"Windows*\"\n          },\n          {\n            \"field\": \"Microsoft.Compute/imagePublisher\",\n            \"equals\": \"microsoftsqlserver\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n          \"evaluationDelay\": \"AfterProvisioning\",\n          \"roleDefinitionIds\": [\n            \"/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c\"\n          ],\n          \"name\": \"[[concat(field('fullName'), '/AzureMonitorWindowsAgent')]\",\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Compute/virtualMachines/extensions/type\",\n                \"equals\": \"AzureMonitorWindowsAgent\"\n              },\n              {\n                \"field\": \"Microsoft.Compute/virtualMachines/extensions/publisher\",\n                \"equals\": \"Microsoft.Azure.Monitor\"\n              },\n              {\n                \"field\": \"Microsoft.Compute/virtualMachines/extensions/provisioningState\",\n                \"in\": [\n                  \"Succeeded\",\n                  \"Provisioning succeeded\"\n                ]\n              }\n            ]\n          },\n          \"deployment\": {\n            \"properties\": {\n              \"mode\": \"incremental\",\n              \"template\": {\n                \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"vmName\": {\n                    \"type\": \"string\"\n                  },\n                  \"location\": {\n                    \"type\": \"string\"\n                  },\n                  \"userAssignedManagedIdentity\": {\n                    \"type\": \"string\"\n                  },\n                  \"userAssignedIdentityName\": {\n                    \"type\": \"string\"\n                  },\n                  \"identityResourceGroup\": {\n                    \"type\": \"string\"\n                  }\n                },\n                \"variables\": {\n                  \"extensionName\": \"AzureMonitorWindowsAgent\",\n                  \"extensionPublisher\": \"Microsoft.Azure.Monitor\",\n                  \"extensionType\": \"AzureMonitorWindowsAgent\",\n                  \"extensionTypeHandlerVersion\": \"1.2\"\n                },\n                \"resources\": [\n                  {\n                    \"name\": \"[[concat(parameters('vmName'), '/', variables('extensionName'))]\",\n                    \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n                    \"location\": \"[[parameters('location')]\",\n                    \"tags\": {\n                      \"createdBy\": \"MicrosoftDefenderForSQL\"\n                    },\n                    \"apiVersion\": \"2023-03-01\",\n                    \"properties\": {\n                      \"publisher\": \"[[variables('extensionPublisher')]\",\n                      \"type\": \"[[variables('extensionType')]\",\n                      \"typeHandlerVersion\": \"[[variables('extensionTypeHandlerVersion')]\",\n                      \"autoUpgradeMinorVersion\": true,\n                      \"enableAutomaticUpgrade\": true,\n                      \"settings\": {\n                        \"authentication\": {\n                          \"managedIdentity\": {\n                            \"identifier-name\": \"mi_res_id\",\n                            \"identifier-value\": \"[[parameters('userAssignedManagedIdentity')]\"\n                          }\n                        }\n                      }\n                    }\n                  }\n                ]\n              },\n              \"parameters\": {\n                \"vmName\": {\n                  \"value\": \"[[field('name')]\"\n                },\n                \"location\": {\n                  \"value\": \"[[field('location')]\"\n                },\n                \"userAssignedManagedIdentity\": {\n                  \"value\": \"[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('userAssignedIdentityName')))]\"\n                },\n                \"userAssignedIdentityName\": {\n                  \"value\": \"[[parameters('userAssignedIdentityName')]\"\n                },\n                \"identityResourceGroup\": {\n                  \"value\": \"[[parameters('identityResourceGroup')]\"\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n",
+    "$fxv#115": "{\n  \"name\": \"Deploy-MDFC-SQL-DefenderSQL-DCR\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace\",\n    \"description\": \"Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Security Center\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      },\n      \"userWorkspaceResourceId\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Workspace Resource Id\",\n          \"description\": \"Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.\",\n          \"strongType\": \"omsWorkspace\"\n        }\n      },\n      \"workspaceRegion\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Workspace region\",\n          \"description\": \"Region of the Log Analytics workspace destination for the Data Collection Rule.\",\n          \"strongType\": \"location\"\n        }\n      },\n      \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n        \"type\": \"Boolean\",\n        \"metadata\": {\n          \"displayName\": \"Enable collection of SQL queries for security research\",\n          \"description\": \"Enable or disable the collection of SQL queries for security research.\"\n        },\n        \"allowedValues\": [\n          true,\n          false\n        ],\n        \"defaultValue\": false\n      },\n      \"dcrName\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Data Collection Rule Name\",\n          \"description\": \"Name of the Data Collection Rule.\"\n        }\n      },\n      \"dcrResourceGroup\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Data Collection Rule Resource Group\",\n          \"description\": \"Resource Group of the Data Collection Rule.\"\n        }\n      },\n      \"dcrId\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Data Collection Rule Id\",\n          \"description\": \"Id of the Data Collection Rule.\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Compute/virtualMachines\"\n          },\n          {\n            \"field\": \"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\n            \"like\": \"Windows*\"\n          },\n          {\n            \"field\": \"Microsoft.Compute/imagePublisher\",\n            \"equals\": \"microsoftsqlserver\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Insights/dataCollectionRules\",\n          \"evaluationDelay\": \"AfterProvisioning\",\n          \"deploymentScope\": \"subscription\",\n          \"roleDefinitionIds\": [\n            \"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n          ],\n          \"existenceScope\": \"subscription\",\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"location\",\n                \"equals\": \"[[parameters('workspaceRegion')]\"\n              },\n              {\n                \"field\": \"name\",\n                \"equals\": \"[[parameters('dcrName')]\"\n              }\n            ]\n          },\n          \"deployment\": {\n            \"location\": \"eastus\",\n            \"properties\": {\n              \"mode\": \"incremental\",\n              \"template\": {\n                \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"resourceGroup\": {\n                    \"type\": \"string\"\n                  },\n                  \"location\": {\n                    \"type\": \"string\"\n                  },\n                  \"vmName\": {\n                    \"type\": \"string\"\n                  },\n                  \"userWorkspaceResourceId\": {\n                    \"type\": \"string\"\n                  },\n                  \"workspaceRegion\": {\n                    \"type\": \"string\"\n                  },\n                  \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n                    \"type\": \"bool\"\n                  },\n                  \"dcrName\": {\n                    \"type\": \"string\"\n                  },\n                  \"dcrResourceGroup\": {\n                    \"type\": \"string\"\n                  },\n                  \"dcrId\": {\n                    \"type\": \"string\"\n                  }\n                },\n                \"variables\": {\n                  \"locationLongNameToShortMap\": {\n                    \"australiacentral\": \"CAU\",\n                    \"australiaeast\": \"EAU\",\n                    \"australiasoutheast\": \"SEAU\",\n                    \"brazilsouth\": \"CQ\",\n                    \"canadacentral\": \"CCA\",\n                    \"canadaeast\": \"CCA\",\n                    \"centralindia\": \"CIN\",\n                    \"centralus\": \"CUS\",\n                    \"eastasia\": \"EA\",\n                    \"eastus2euap\": \"eus2p\",\n                    \"eastus\": \"EUS\",\n                    \"eastus2\": \"EUS2\",\n                    \"francecentral\": \"PAR\",\n                    \"germanywestcentral\": \"DEWC\",\n                    \"japaneast\": \"EJP\",\n                    \"jioindiawest\": \"CIN\",\n                    \"koreacentral\": \"SE\",\n                    \"koreasouth\": \"SE\",\n                    \"northcentralus\": \"NCUS\",\n                    \"northeurope\": \"NEU\",\n                    \"norwayeast\": \"NOE\",\n                    \"southafricanorth\": \"JNB\",\n                    \"southcentralus\": \"SCUS\",\n                    \"southeastasia\": \"SEA\",\n                    \"southindia\": \"CIN\",\n                    \"swedencentral\": \"SEC\",\n                    \"switzerlandnorth\": \"CHN\",\n                    \"switzerlandwest\": \"CHW\",\n                    \"uaenorth\": \"DXB\",\n                    \"uksouth\": \"SUK\",\n                    \"ukwest\": \"WUK\",\n                    \"westcentralus\": \"WCUS\",\n                    \"westeurope\": \"WEU\",\n                    \"westindia\": \"CIN\",\n                    \"westus\": \"WUS\",\n                    \"westus2\": \"WUS2\"\n                  },\n                  \"locationCode\": \"[[if(contains(variables('locationLongNameToShortMap'), parameters('workspaceRegion')), variables('locationLongNameToShortMap')[parameters('workspaceRegion')], parameters('workspaceRegion'))]\",\n                  \"subscriptionId\": \"[[subscription().subscriptionId]\",\n                  \"defaultRGName\": \"[[parameters('dcrResourceGroup')]\",\n                  \"defaultRGLocation\": \"[[parameters('workspaceRegion')]\",\n                  \"dcrName\": \"[[parameters('dcrName')]\",\n                  \"dcrId\": \"[[parameters('dcrId')]\",\n                  \"dcraName\": \"[[concat(parameters('vmName'),'/Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation')]\",\n                  \"deployDataCollectionRules\": \"[[concat('deployDataCollectionRules-', uniqueString(deployment().name))]\",\n                  \"deployDataCollectionRulesAssociation\": \"[[concat('deployDataCollectionRulesAssociation-', uniqueString(deployment().name))]\",\n                  \"deployDefenderForSQL\": \"[[concat('deployDefenderForSQL-', uniqueString(deployment().name))]\"\n                },\n                \"resources\": [\n                  {\n                    \"condition\": \"[[empty(parameters('dcrResourceGroup'))]\",\n                    \"type\": \"Microsoft.Resources/resourceGroups\",\n                    \"name\": \"[[variables('defaultRGName')]\",\n                    \"apiVersion\": \"2022-09-01\",\n                    \"location\": \"[[variables('defaultRGLocation')]\",\n                    \"tags\": {\n                      \"createdBy\": \"MicrosoftDefenderForSQL\"\n                    }\n                  },\n                  {\n                    \"type\": \"Microsoft.Resources/deployments\",\n                    \"name\": \"[[variables('deployDefenderForSQL')]\",\n                    \"apiVersion\": \"2022-09-01\",\n                    \"resourceGroup\": \"[[parameters('resourceGroup')]\",\n                    \"properties\": {\n                      \"mode\": \"Incremental\",\n                      \"expressionEvaluationOptions\": {\n                        \"scope\": \"inner\"\n                      },\n                      \"parameters\": {\n                        \"location\": {\n                          \"value\": \"[[parameters('location')]\"\n                        },\n                        \"vmName\": {\n                          \"value\": \"[[parameters('vmName')]\"\n                        }\n                      },\n                      \"template\": {\n                        \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n                        \"contentVersion\": \"1.0.0.0\",\n                        \"parameters\": {\n                          \"location\": {\n                            \"type\": \"string\"\n                          },\n                          \"vmName\": {\n                            \"type\": \"string\"\n                          }\n                        },\n                        \"variables\": {},\n                        \"resources\": [\n                          {\n                            \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n                            \"name\": \"[[concat(parameters('vmName'), '/', 'MicrosoftDefenderForSQL')]\",\n                            \"apiVersion\": \"2023-03-01\",\n                            \"location\": \"[[parameters('location')]\",\n                            \"tags\": {\n                              \"createdBy\": \"MicrosoftDefenderForSQL\"\n                            },\n                            \"properties\": {\n                              \"publisher\": \"Microsoft.Azure.AzureDefenderForSQL\",\n                              \"type\": \"AdvancedThreatProtection.Windows\",\n                              \"typeHandlerVersion\": \"2.0\",\n                              \"autoUpgradeMinorVersion\": true,\n                              \"enableAutomaticUpgrade\": true\n                            }\n                          }\n                        ]\n                      }\n                    }\n                  },\n                  {\n                    \"condition\": \"[[empty(parameters('dcrId'))]\",\n                    \"type\": \"Microsoft.Resources/deployments\",\n                    \"name\": \"[[variables('deployDataCollectionRules')]\",\n                    \"apiVersion\": \"2022-09-01\",\n                    \"resourceGroup\": \"[[variables('defaultRGName')]\",\n                    \"dependsOn\": [\n                      \"[[variables('defaultRGName')]\"\n                    ],\n                    \"properties\": {\n                      \"mode\": \"Incremental\",\n                      \"expressionEvaluationOptions\": {\n                        \"scope\": \"inner\"\n                      },\n                      \"parameters\": {\n                        \"defaultRGLocation\": {\n                          \"value\": \"[[variables('defaultRGLocation')]\"\n                        },\n                        \"workspaceResourceId\": {\n                          \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n                        },\n                        \"dcrName\": {\n                          \"value\": \"[[variables('dcrName')]\"\n                        },\n                        \"dcrId\": {\n                          \"value\": \"[[variables('dcrId')]\"\n                        },\n                        \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n                          \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n                        }\n                      },\n                      \"template\": {\n                        \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n                        \"contentVersion\": \"1.0.0.0\",\n                        \"parameters\": {\n                          \"defaultRGLocation\": {\n                            \"type\": \"string\"\n                          },\n                          \"workspaceResourceId\": {\n                            \"type\": \"string\"\n                          },\n                          \"dcrName\": {\n                            \"type\": \"string\"\n                          },\n                          \"dcrId\": {\n                            \"type\": \"string\"\n                          },\n                          \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n                            \"type\": \"bool\"\n                          }\n                        },\n                        \"variables\": {},\n                        \"resources\": [\n                          {\n                            \"type\": \"Microsoft.Insights/dataCollectionRules\",\n                            \"name\": \"[[parameters('dcrName')]\",\n                            \"apiVersion\": \"2021-04-01\",\n                            \"location\": \"[[parameters('defaultRGLocation')]\",\n                            \"tags\": {\n                              \"createdBy\": \"MicrosoftDefenderForSQL\"\n                            },\n                            \"properties\": {\n                              \"description\": \"Data collection rule for Microsoft Defender for SQL. Deleting this rule will break the detection of security vulnerabilities.\",\n                              \"dataSources\": {\n                                \"extensions\": [\n                                  {\n                                    \"extensionName\": \"MicrosoftDefenderForSQL\",\n                                    \"name\": \"MicrosoftDefenderForSQL\",\n                                    \"streams\": [\n                                      \"Microsoft-DefenderForSqlAlerts\",\n                                      \"Microsoft-DefenderForSqlLogins\",\n                                      \"Microsoft-DefenderForSqlTelemetry\",\n                                      \"Microsoft-DefenderForSqlScanEvents\",\n                                      \"Microsoft-DefenderForSqlScanResults\"\n                                    ],\n                                    \"extensionSettings\": {\n                                      \"enableCollectionOfSqlQueriesForSecurityResearch\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n                                    }\n                                  }\n                                ]\n                              },\n                              \"destinations\": {\n                                \"logAnalytics\": [\n                                  {\n                                    \"workspaceResourceId\": \"[[parameters('workspaceResourceId')]\",\n                                    \"name\": \"LogAnalyticsDest\"\n                                  }\n                                ]\n                              },\n                              \"dataFlows\": [\n                                {\n                                  \"streams\": [\n                                    \"Microsoft-DefenderForSqlAlerts\",\n                                    \"Microsoft-DefenderForSqlLogins\",\n                                    \"Microsoft-DefenderForSqlTelemetry\",\n                                    \"Microsoft-DefenderForSqlScanEvents\",\n                                    \"Microsoft-DefenderForSqlScanResults\"\n                                  ],\n                                  \"destinations\": [\n                                    \"LogAnalyticsDest\"\n                                  ]\n                                }\n                              ]\n                            }\n                          }\n                        ]\n                      }\n                    }\n                  },\n                  {\n                    \"type\": \"Microsoft.Resources/deployments\",\n                    \"name\": \"[[variables('deployDataCollectionRulesAssociation')]\",\n                    \"apiVersion\": \"2022-09-01\",\n                    \"resourceGroup\": \"[[parameters('resourceGroup')]\",\n                    \"dependsOn\": [\n                      \"[[variables('deployDataCollectionRules')]\"\n                    ],\n                    \"properties\": {\n                      \"mode\": \"Incremental\",\n                      \"expressionEvaluationOptions\": {\n                        \"scope\": \"inner\"\n                      },\n                      \"parameters\": {\n                        \"dcrId\": {\n                          \"value\": \"[[variables('dcrId')]\"\n                        },\n                        \"dcraName\": {\n                          \"value\": \"[[variables('dcraName')]\"\n                        }\n                      },\n                      \"template\": {\n                        \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n                        \"contentVersion\": \"1.0.0.0\",\n                        \"parameters\": {\n                          \"dcrId\": {\n                            \"type\": \"string\"\n                          },\n                          \"dcraName\": {\n                            \"type\": \"string\"\n                          }\n                        },\n                        \"resources\": [\n                          {\n                            \"type\": \"Microsoft.Compute/virtualMachines/providers/dataCollectionRuleAssociations\",\n                            \"name\": \"[[parameters('dcraName')]\",\n                            \"apiVersion\": \"2021-04-01\",\n                            \"properties\": {\n                              \"description\": \"Configure association between SQL Virtual Machine and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this SQL Virtual Machine.\",\n                              \"dataCollectionRuleId\": \"[[parameters('dcrId')]\"\n                            }\n                          }\n                        ]\n                      }\n                    }\n                  }\n                ]\n              },\n              \"parameters\": {\n                \"resourceGroup\": {\n                  \"value\": \"[[parameters('dcrResourceGroup')]\"\n                },\n                \"location\": {\n                  \"value\": \"[[field('location')]\"\n                },\n                \"vmName\": {\n                  \"value\": \"[[field('name')]\"\n                },\n                \"userWorkspaceResourceId\": {\n                  \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n                },\n                \"workspaceRegion\": {\n                  \"value\": \"[[parameters('workspaceRegion')]\"\n                },\n                \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n                  \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n                },\n                \"dcrName\": {\n                  \"value\": \"[[parameters('dcrName')]\"\n                },\n                \"dcrResourceGroup\": {\n                  \"value\": \"[[parameters('dcrResourceGroup')]\"\n                },\n                \"dcrId\": {\n                  \"value\": \"[[parameters('dcrId')]\"\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n",
+    "$fxv#116": "{\n  \"name\": \"Deploy-MDFC-SQL-DefenderSQL\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"displayName\": \"Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL\",\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"description\": \"Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations).\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Security Center\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      },\n      \"workspaceRegion\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Workspace region\",\n          \"description\": \"Region of the Log Analytics workspace destination for the Data Collection Rule.\",\n          \"strongType\": \"location\"\n        }\n      },\n      \"dcrName\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Data Collection Rule Name\",\n          \"description\": \"Name of the Data Collection Rule.\"\n        }\n      },\n      \"dcrResourceGroup\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Data Collection Rule Resource Group\",\n          \"description\": \"Resource Group of the Data Collection Rule.\"\n        }\n      },\n      \"dcrId\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Data Collection Rule Id\",\n          \"description\": \"Id of the Data Collection Rule.\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Compute/virtualMachines\"\n          },\n          {\n            \"field\": \"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\n            \"like\": \"Windows*\"\n          },\n          {\n            \"field\": \"Microsoft.Compute/imagePublisher\",\n            \"equals\": \"microsoftsqlserver\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n          \"name\": \"[[concat(field('fullName'), '/MicrosoftDefenderForSQL')]\",\n          \"evaluationDelay\": \"AfterProvisioning\",\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Compute/virtualMachines/extensions/type\",\n                \"equals\": \"AdvancedThreatProtection.Windows\"\n              },\n              {\n                \"field\": \"Microsoft.Compute/virtualMachines/extensions/publisher\",\n                \"equals\": \"Microsoft.Azure.AzureDefenderForSQL\"\n              },\n              {\n                \"field\": \"Microsoft.Compute/virtualMachines/extensions/provisioningState\",\n                \"in\": [\n                  \"Succeeded\",\n                  \"Provisioning succeeded\"\n                ]\n              }\n            ]\n          },\n          \"roleDefinitionIds\": [\n            \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n            \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n          ],\n          \"deployment\": {\n            \"properties\": {\n              \"mode\": \"incremental\",\n              \"template\": {\n                \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"location\": {\n                    \"type\": \"string\"\n                  },\n                  \"vmName\": {\n                    \"type\": \"string\"\n                  },\n                  \"workspaceRegion\": {\n                    \"type\": \"string\"\n                  },\n                  \"dcrResourceGroup\": {\n                    \"type\": \"string\"\n                  },\n                  \"dcrName\": {\n                    \"type\": \"string\"\n                  },\n                  \"dcrId\": {\n                    \"type\": \"string\"\n                  }\n                },\n                \"variables\": {\n                  \"locationLongNameToShortMap\": {\n                    \"australiacentral\": \"CAU\",\n                    \"australiaeast\": \"EAU\",\n                    \"australiasoutheast\": \"SEAU\",\n                    \"brazilsouth\": \"CQ\",\n                    \"canadacentral\": \"CCA\",\n                    \"canadaeast\": \"CCA\",\n                    \"centralindia\": \"CIN\",\n                    \"centralus\": \"CUS\",\n                    \"eastasia\": \"EA\",\n                    \"eastus2euap\": \"eus2p\",\n                    \"eastus\": \"EUS\",\n                    \"eastus2\": \"EUS2\",\n                    \"francecentral\": \"PAR\",\n                    \"germanywestcentral\": \"DEWC\",\n                    \"japaneast\": \"EJP\",\n                    \"jioindiawest\": \"CIN\",\n                    \"koreacentral\": \"SE\",\n                    \"koreasouth\": \"SE\",\n                    \"northcentralus\": \"NCUS\",\n                    \"northeurope\": \"NEU\",\n                    \"norwayeast\": \"NOE\",\n                    \"southafricanorth\": \"JNB\",\n                    \"southcentralus\": \"SCUS\",\n                    \"southeastasia\": \"SEA\",\n                    \"southindia\": \"CIN\",\n                    \"swedencentral\": \"SEC\",\n                    \"switzerlandnorth\": \"CHN\",\n                    \"switzerlandwest\": \"CHW\",\n                    \"uaenorth\": \"DXB\",\n                    \"uksouth\": \"SUK\",\n                    \"ukwest\": \"WUK\",\n                    \"westcentralus\": \"WCUS\",\n                    \"westeurope\": \"WEU\",\n                    \"westindia\": \"CIN\",\n                    \"westus\": \"WUS\",\n                    \"westus2\": \"WUS2\"\n                  },\n                  \"actualLocation\": \"[[if(empty(parameters('workspaceRegion')), parameters('location'), parameters('workspaceRegion'))]\",\n                  \"locationCode\": \"[[if(contains(variables('locationLongNameToShortMap'), variables('actualLocation')), variables('locationLongNameToShortMap')[variables('actualLocation')], variables('actualLocation'))]\",\n                  \"subscriptionId\": \"[[subscription().subscriptionId]\",\n                  \"defaultRGName\": \"[[parameters('dcrResourceGroup')]\",\n                  \"dcrName\": \"[[parameters('dcrName')]\",\n                  \"dcrId\": \"[[parameters('dcrId')]\",\n                  \"dcraName\": \"[[concat(parameters('vmName'),'/Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation')]\"\n                },\n                \"resources\": [\n                  {\n                    \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n                    \"name\": \"[[concat(parameters('vmName'), '/', 'MicrosoftDefenderForSQL')]\",\n                    \"apiVersion\": \"2023-03-01\",\n                    \"location\": \"[[parameters('location')]\",\n                    \"tags\": {\n                      \"createdBy\": \"MicrosoftDefenderForSQL\"\n                    },\n                    \"properties\": {\n                      \"publisher\": \"Microsoft.Azure.AzureDefenderForSQL\",\n                      \"type\": \"AdvancedThreatProtection.Windows\",\n                      \"typeHandlerVersion\": \"2.0\",\n                      \"autoUpgradeMinorVersion\": true,\n                      \"enableAutomaticUpgrade\": true\n                    },\n                    \"dependsOn\": [\n                      \"[[extensionResourceId(concat('/subscriptions/', variables('subscriptionId'), '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Compute/virtualMachines/', parameters('vmName')), 'Microsoft.Insights/dataCollectionRuleAssociations','MicrosoftDefenderForSQL-RulesAssociation')]\"\n                    ]\n                  },\n                  {\n                    \"type\": \"Microsoft.Compute/virtualMachines/providers/dataCollectionRuleAssociations\",\n                    \"name\": \"[[variables('dcraName')]\",\n                    \"apiVersion\": \"2021-04-01\",\n                    \"properties\": {\n                      \"description\": \"Configure association between SQL Virtual Machine and the Microsoft Defender for SQL DCR. Deleting this association will break the detection of security vulnerabilities for this SQL Virtual Machine.\",\n                      \"dataCollectionRuleId\": \"[[variables('dcrId')]\"\n                    }\n                  }\n                ]\n              },\n              \"parameters\": {\n                \"location\": {\n                  \"value\": \"[[field('location')]\"\n                },\n                \"vmName\": {\n                  \"value\": \"[[field('name')]\"\n                },\n                \"workspaceRegion\": {\n                  \"value\": \"[[parameters('workspaceRegion')]\"\n                },\n                \"dcrResourceGroup\": {\n                  \"value\": \"[[parameters('dcrResourceGroup')]\"\n                },\n                \"dcrName\": {\n                  \"value\": \"[[parameters('dcrName')]\"\n                },\n                \"dcrId\": {\n                  \"value\": \"[[parameters('dcrId')]\"\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n",
+    "$fxv#117": "{\n  \"name\": \"Audit-MachineLearning-PrivateEndpointId\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Control private endpoint connections to Azure Machine Learning\",\n    \"description\": \"Audit private endpoints that are created in other subscriptions and/or tenants for Azure Machine Learning.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Machine Learning\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Audit\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections\"\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status\",\n            \"equals\": \"Approved\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id\",\n                \"exists\": false\n              },\n              {\n                \"value\": \"[[split(concat(field('Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id'), '//'), '/')[2]]\",\n                \"notEquals\": \"[[subscription().subscriptionId]\"\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
+    "$fxv#118": "{\n  \"name\": \"Deny-AA-child-resources\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"No child resources in Automation Account\",\n    \"description\": \"This policy denies the creation of child resources on the Automation Account\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Automation\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"in\": [\n              \"Microsoft.Automation/automationAccounts/runbooks\",\n              \"Microsoft.Automation/automationAccounts/variables\",\n              \"Microsoft.Automation/automationAccounts/modules\",\n              \"Microsoft.Automation/automationAccounts/credentials\",\n              \"Microsoft.Automation/automationAccounts/connections\",\n              \"Microsoft.Automation/automationAccounts/certificates\"\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
+    "$fxv#119": "{\n  \"name\": \"Deny-Databricks-NoPublicIp\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deny public IPs for Databricks cluster\",\n    \"description\": \"Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Databricks\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Databricks/workspaces\"\n          },\n          {\n            \"field\": \"Microsoft.DataBricks/workspaces/parameters.enableNoPublicIp.value\",\n            \"notEquals\": true\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
     "$fxv#12": "{\n  \"name\": \"Deny-AppServiceWebApp-http\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Web Application should only be accessible over HTTPS\",\n    \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"App Service\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Deny\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Web/sites\"\n          },\n          {\n            \"field\": \"kind\",\n            \"like\": \"app*\"\n          },\n          {\n            \"field\": \"Microsoft.Web/sites/httpsOnly\",\n            \"equals\": \"false\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#120": "{\n  \"name\": \"Deny-MachineLearning-ComputeCluster-Scale\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Enforce scale settings for Azure Machine Learning compute clusters\",\n    \"description\": \"Enforce scale settings for Azure Machine Learning compute clusters.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Budget\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"maxNodeCount\": {\n        \"type\": \"Integer\",\n        \"metadata\": {\n          \"displayName\": \"Maximum Node Count\",\n          \"description\": \"Specifies the maximum node count of AML Clusters\"\n        },\n        \"defaultValue\": 10\n      },\n      \"minNodeCount\": {\n        \"type\": \"Integer\",\n        \"metadata\": {\n          \"displayName\": \"Minimum Node Count\",\n          \"description\": \"Specifies the minimum node count of AML Clusters\"\n        },\n        \"defaultValue\": 0\n      },\n      \"maxNodeIdleTimeInSecondsBeforeScaleDown\": {\n        \"type\": \"Integer\",\n        \"metadata\": {\n          \"displayName\": \"Maximum Node Idle Time in Seconds Before Scaledown\",\n          \"description\": \"Specifies the maximum node idle time in seconds before scaledown\"\n        },\n        \"defaultValue\": 900\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n            \"equals\": \"AmlCompute\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.maxNodeCount\",\n                \"greater\": \"[[parameters('maxNodeCount')]\"\n              },\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.minNodeCount\",\n                \"greater\": \"[[parameters('minNodeCount')]\"\n              },\n              {\n                \"value\": \"[[int(last(split(replace(replace(replace(replace(replace(replace(replace(field('Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.nodeIdleTimeBeforeScaleDown'), 'P', '/'), 'Y', '/'), 'M', '/'), 'D', '/'), 'T', '/'), 'H', '/'), 'S', ''), '/')))]\",\n                \"greater\": \"[[parameters('maxNodeIdleTimeInSecondsBeforeScaleDown')]\"\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#121": "{\n  \"name\": \"Deny-MachineLearning-HbiWorkspace\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Enforces high business impact Azure Machine Learning Workspaces\",\n    \"description\": \"Enforces high business impact Azure Machine Learning workspaces.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Machine Learning\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\",\n                \"exists\": false\n              },\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\",\n                \"notEquals\": true\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#122": "{\n  \"name\": \"Deny-MachineLearning-PublicAccessWhenBehindVnet\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deny public access behind vnet to Azure Machine Learning workspace\",\n    \"description\": \"Deny public access behind vnet to Azure Machine Learning workspaces.\",\n    \"metadata\": {\n      \"version\": \"1.0.1\",\n      \"category\": \"Machine Learning\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\",\n                \"exists\": false\n              },\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\",\n                \"notEquals\": false\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#123": "{\n  \"name\": \"Deny-MachineLearning-PublicNetworkAccess\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"[Deprecated] Azure Machine Learning should have disabled public network access\",\n    \"description\": \"Denies public network access for Azure Machine Learning workspaces. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/438c38d2-3772-465a-a9cc-7a6666a275ce.html\",\n    \"metadata\": {\n      \"version\": \"1.0.0-deprecated\",\n      \"category\": \"Machine Learning\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"deprecated\": true,\n      \"supersededBy\": \"438c38d2-3772-465a-a9cc-7a6666a275ce\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/publicNetworkAccess\",\n            \"notEquals\": \"Disabled\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#124": "{\n  \"name\": \"Deploy-Budget\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"All\",\n    \"displayName\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n    \"description\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n    \"metadata\": {\n      \"version\": \"1.1.0\",\n      \"category\": \"Budget\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"budgetName\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"budget-set-by-policy\",\n        \"metadata\": {\n          \"description\": \"The name for the budget to be created\"\n        }\n      },\n      \"amount\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"1000\",\n        \"metadata\": {\n          \"description\": \"The total amount of cost or usage to track with the budget\"\n        }\n      },\n      \"timeGrain\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Monthly\",\n        \"allowedValues\": [\n          \"Monthly\",\n          \"Quarterly\",\n          \"Annually\",\n          \"BillingMonth\",\n          \"BillingQuarter\",\n          \"BillingAnnual\"\n        ],\n        \"metadata\": {\n          \"description\": \"The time covered by a budget. Tracking of the amount will be reset based on the time grain.\"\n        }\n      },\n      \"firstThreshold\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"90\",\n        \"metadata\": {\n          \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n        }\n      },\n      \"secondThreshold\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"100\",\n        \"metadata\": {\n          \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n        }\n      },\n      \"contactRoles\": {\n        \"type\": \"Array\",\n        \"defaultValue\": [\n          \"Owner\",\n          \"Contributor\"\n        ],\n        \"metadata\": {\n          \"description\": \"The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded.\"\n        }\n      },\n      \"contactEmails\": {\n        \"type\": \"Array\",\n        \"defaultValue\": [],\n        \"metadata\": {\n          \"description\": \"The list of email addresses, in an array, to send the budget notification to when the threshold is exceeded.\"\n        }\n      },\n      \"contactGroups\": {\n        \"type\": \"Array\",\n        \"defaultValue\": [],\n        \"metadata\": {\n          \"description\": \"The list of action groups, in an array, to send the budget notification to when the threshold is exceeded. It accepts array of strings.\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Resources/subscriptions\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Consumption/budgets\",\n          \"deploymentScope\": \"subscription\",\n          \"existenceScope\": \"subscription\",\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Consumption/budgets/amount\",\n                \"equals\": \"[[parameters('amount')]\"\n              },\n              {\n                \"field\": \"Microsoft.Consumption/budgets/timeGrain\",\n                \"equals\": \"[[parameters('timeGrain')]\"\n              },\n              {\n                \"field\": \"Microsoft.Consumption/budgets/category\",\n                \"equals\": \"Cost\"\n              }\n            ]\n          },\n          \"roleDefinitionIds\": [\n            \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n          ],\n          \"deployment\": {\n            \"location\": \"northeurope\",\n            \"properties\": {\n              \"mode\": \"Incremental\",\n              \"parameters\": {\n                \"budgetName\": {\n                  \"value\": \"[[parameters('budgetName')]\"\n                },\n                \"amount\": {\n                  \"value\": \"[[parameters('amount')]\"\n                },\n                \"timeGrain\": {\n                  \"value\": \"[[parameters('timeGrain')]\"\n                },\n                \"firstThreshold\": {\n                  \"value\": \"[[parameters('firstThreshold')]\"\n                },\n                \"secondThreshold\": {\n                  \"value\": \"[[parameters('secondThreshold')]\"\n                },\n                \"contactEmails\": {\n                  \"value\": \"[[parameters('contactEmails')]\"\n                },\n                \"contactRoles\": {\n                  \"value\": \"[[parameters('contactRoles')]\"\n                },\n                \"contactGroups\": {\n                  \"value\": \"[[parameters('contactGroups')]\"\n                }\n              },\n              \"template\": {\n                \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"budgetName\": {\n                    \"type\": \"String\"\n                  },\n                  \"amount\": {\n                    \"type\": \"String\"\n                  },\n                  \"timeGrain\": {\n                    \"type\": \"String\"\n                  },\n                  \"firstThreshold\": {\n                    \"type\": \"String\"\n                  },\n                  \"secondThreshold\": {\n                    \"type\": \"String\"\n                  },\n                  \"contactEmails\": {\n                    \"type\": \"Array\"\n                  },\n                  \"contactRoles\": {\n                    \"type\": \"Array\"\n                  },\n                  \"contactGroups\": {\n                    \"type\": \"Array\"\n                  },\n                  \"startDate\": {\n                    \"type\": \"String\",\n                    \"defaultValue\": \"[[concat(utcNow('MM'), '/01/', utcNow('yyyy'))]\"\n                  }\n                },\n                \"resources\": [\n                  {\n                    \"type\": \"Microsoft.Consumption/budgets\",\n                    \"apiVersion\": \"2019-10-01\",\n                    \"name\": \"[[parameters('budgetName')]\",\n                    \"properties\": {\n                      \"timePeriod\": {\n                        \"startDate\": \"[[parameters('startDate')]\"\n                      },\n                      \"timeGrain\": \"[[parameters('timeGrain')]\",\n                      \"amount\": \"[[parameters('amount')]\",\n                      \"category\": \"Cost\",\n                      \"notifications\": {\n                        \"NotificationForExceededBudget1\": {\n                          \"enabled\": true,\n                          \"operator\": \"GreaterThan\",\n                          \"threshold\": \"[[parameters('firstThreshold')]\",\n                          \"contactEmails\": \"[[parameters('contactEmails')]\",\n                          \"contactRoles\": \"[[parameters('contactRoles')]\",\n                          \"contactGroups\": \"[[parameters('contactGroups')]\"\n                        },\n                        \"NotificationForExceededBudget2\": {\n                          \"enabled\": true,\n                          \"operator\": \"GreaterThan\",\n                          \"threshold\": \"[[parameters('secondThreshold')]\",\n                          \"contactEmails\": \"[[parameters('contactEmails')]\",\n                          \"contactRoles\": \"[[parameters('contactRoles')]\",\n                          \"contactGroups\": \"[[parameters('contactGroups')]\"\n                        }\n                      }\n                    }\n                  }\n                ]\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n",
-    "$fxv#125": "{\n  \"name\": \"Deploy-Diagnostics-AVDScalingPlans\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace\",\n    \"description\": \"Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any Scaling Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.\",\n    \"metadata\": {\n      \"version\": \"1.1.0\",\n      \"category\": \"Monitoring\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"logAnalytics\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Log Analytics workspace\",\n          \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"strongType\": \"omsWorkspace\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"profileName\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"setbypolicy\",\n        \"metadata\": {\n          \"displayName\": \"Profile name\",\n          \"description\": \"The diagnostic settings profile name\"\n        }\n      },\n      \"logsEnabled\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"True\",\n        \"allowedValues\": [\n          \"True\",\n          \"False\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Enable logs\",\n          \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"field\": \"type\",\n        \"equals\": \"Microsoft.DesktopVirtualization/scalingplans\"\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Insights/diagnosticSettings\",\n          \"name\": \"[[parameters('profileName')]\",\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n                \"equals\": \"true\"\n              },\n              {\n                \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n                \"equals\": \"[[parameters('logAnalytics')]\"\n              }\n            ]\n          },\n          \"roleDefinitionIds\": [\n            \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n            \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n          ],\n          \"deployment\": {\n            \"properties\": {\n              \"mode\": \"Incremental\",\n              \"template\": {\n                \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"resourceName\": {\n                    \"type\": \"String\"\n                  },\n                  \"logAnalytics\": {\n                    \"type\": \"String\"\n                  },\n                  \"location\": {\n                    \"type\": \"String\"\n                  },\n                  \"profileName\": {\n                    \"type\": \"String\"\n                  },\n                  \"logsEnabled\": {\n                    \"type\": \"String\"\n                  }\n                },\n                \"variables\": {},\n                \"resources\": [\n                  {\n                    \"type\": \"Microsoft.DesktopVirtualization/scalingplans/providers/diagnosticSettings\",\n                    \"apiVersion\": \"2017-05-01-preview\",\n                    \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n                    \"location\": \"[[parameters('location')]\",\n                    \"dependsOn\": [],\n                    \"properties\": {\n                      \"workspaceId\": \"[[parameters('logAnalytics')]\",\n                      \"logs\": [\n                        {\n                          \"category\": \"Autoscale\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        }\n                      ]\n                    }\n                  }\n                ],\n                \"outputs\": {}\n              },\n              \"parameters\": {\n                \"logAnalytics\": {\n                  \"value\": \"[[parameters('logAnalytics')]\"\n                },\n                \"location\": {\n                  \"value\": \"[[field('location')]\"\n                },\n                \"resourceName\": {\n                  \"value\": \"[[field('name')]\"\n                },\n                \"profileName\": {\n                  \"value\": \"[[parameters('profileName')]\"\n                },\n                \"logsEnabled\": {\n                  \"value\": \"[[parameters('logsEnabled')]\"\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}",
-    "$fxv#126": "{\n  \"name\": \"Deny-AFSPaasPublicIP\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Public network access should be disabled for Azure File Sync\",\n    \"description\": \"Disabling the public endpoint allows you to restrict access to your Storage Sync Service resource to requests destined to approved private endpoints on your organization's network. There is nothing inherently insecure about allowing requests to the public endpoint, however, you may wish to disable it to meet regulatory, legal, or organizational policy requirements. You can disable the public endpoint for a Storage Sync Service by setting the incomingTrafficPolicy of the resource to AllowVirtualNetworksOnly.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Storage\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Audit\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.StorageSync/storageSyncServices\"\n          },\n          {\n            \"field\": \"Microsoft.StorageSync/storageSyncServices/incomingTrafficPolicy\",\n            \"notEquals\": \"AllowVirtualNetworksOnly\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#127": "{\n  \"name\": \"Deny-KeyVaultPaasPublicIP\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Preview: Azure Key Vault should disable public network access\",\n    \"description\": \"Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink.\",\n    \"metadata\": {\n      \"version\": \"2.0.0-preview\",\n      \"category\": \"Key Vault\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"preview\": true,\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Audit\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.KeyVault/vaults\"\n          },\n          {\n            \"not\": {\n              \"field\": \"Microsoft.KeyVault/vaults/createMode\",\n              \"equals\": \"recover\"\n            }\n          },\n          {\n            \"field\": \"Microsoft.KeyVault/vaults/networkAcls.defaultAction\",\n            \"notEquals\": \"Deny\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#128": "{\n  \"name\": \"Deploy-ActivityLogs-to-LA-workspace\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"All\",\n    \"displayName\": \"Configure Azure Activity logs to stream to specified Log Analytics workspace\",\n    \"description\": \"Deploys the diagnostic settings for Azure Activity to stream subscriptions audit logs to a Log Analytics workspace to monitor subscription-level events\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Monitoring\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"logAnalytics\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Primary Log Analytics workspace\",\n          \"description\": \"If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"strongType\": \"omsWorkspace\",\n          \"assignPermissions\": true\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      },\n      \"logsEnabled\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Enable logs\",\n          \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n        },\n        \"allowedValues\": [\n          \"True\",\n          \"False\"\n        ],\n        \"defaultValue\": \"True\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"field\": \"type\",\n        \"equals\": \"Microsoft.Resources/subscriptions\"\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Insights/diagnosticSettings\",\n          \"deploymentScope\": \"subscription\",\n          \"existenceScope\": \"subscription\",\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n                \"equals\": \"[[parameters('logsEnabled')]\"\n              },\n              {\n                \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n                \"equals\": \"[[parameters('logAnalytics')]\"\n              }\n            ]\n          },\n          \"deployment\": {\n            \"location\": \"chinaeast2\",\n            \"properties\": {\n              \"mode\": \"incremental\",\n              \"template\": {\n                \"$schema\": \"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"logAnalytics\": {\n                    \"type\": \"string\"\n                  },\n                  \"logsEnabled\": {\n                    \"type\": \"string\"\n                  }\n                },\n                \"variables\": {},\n                \"resources\": [\n                  {\n                    \"name\": \"subscriptionToLa\",\n                    \"type\": \"Microsoft.Insights/diagnosticSettings\",\n                    \"apiVersion\": \"2017-05-01-preview\",\n                    \"location\": \"Global\",\n                    \"properties\": {\n                      \"workspaceId\": \"[[parameters('logAnalytics')]\",\n                      \"logs\": [\n                        {\n                          \"category\": \"Administrative\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"Security\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"ServiceHealth\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"Alert\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"Recommendation\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"Policy\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"Autoscale\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"ResourceHealth\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        }\n                      ]\n                    }\n                  }\n                ],\n                \"outputs\": {}\n              },\n              \"parameters\": {\n                \"logAnalytics\": {\n                  \"value\": \"[[parameters('logAnalytics')]\"\n                },\n                \"logsEnabled\": {\n                  \"value\": \"[[parameters('logsEnabled')]\"\n                }\n              }\n            }\n          },\n          \"roleDefinitionIds\": [\n            \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n            \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n          ]\n        }\n      }\n    }\n  }\n}\n",
-    "$fxv#129": "{\n  \"name\": \"Deploy-Default-Udr\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deploy a user-defined route to a VNET with specific routes.\",\n    \"description\": \"Deploy a user-defined route to a VNET with routes from spoke to hub firewall. This policy must be assigned for each region you plan to use.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"defaultRoute\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Default route to add into UDR\",\n          \"description\": \"Policy will deploy a default route table to a vnet\"\n        }\n      },\n      \"vnetRegion\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"VNet Region\",\n          \"description\": \"Regional VNet hub location\",\n          \"strongType\": \"location\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Network/virtualNetworks\"\n          },\n          {\n            \"field\": \"location\",\n            \"equals\": \"[[parameters('vnetRegion')]\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Network/routeTables\",\n          \"roleDefinitionIds\": [\n            \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n          ],\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Network/routeTables/routes[*].nextHopIpAddress\",\n                \"equals\": \"[[parameters('defaultRoute')]\"\n              }\n            ]\n          },\n          \"deployment\": {\n            \"properties\": {\n              \"mode\": \"incremental\",\n              \"parameters\": {\n                \"udrName\": {\n                  \"value\": \"[[concat(field('name'),'-udr')]\"\n                },\n                \"udrLocation\": {\n                  \"value\": \"[[field('location')]\"\n                },\n                \"defaultRoute\": {\n                  \"value\": \"[[parameters('defaultRoute')]\"\n                }\n              },\n              \"template\": {\n                \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"udrName\": {\n                    \"type\": \"string\"\n                  },\n                  \"udrLocation\": {\n                    \"type\": \"string\"\n                  },\n                  \"defaultRoute\": {\n                    \"type\": \"string\"\n                  }\n                },\n                \"variables\": {},\n                \"resources\": [\n                  {\n                    \"type\": \"Microsoft.Network/routeTables\",\n                    \"name\": \"[[parameters('udrName')]\",\n                    \"apiVersion\": \"2020-08-01\",\n                    \"location\": \"[[parameters('udrLocation')]\",\n                    \"properties\": {\n                      \"routes\": [\n                        {\n                          \"name\": \"AzureFirewallRoute\",\n                          \"properties\": {\n                            \"addressPrefix\": \"0.0.0.0/0\",\n                            \"nextHopType\": \"VirtualAppliance\",\n                            \"nextHopIpAddress\": \"[[parameters('defaultRoute')]\"\n                          }\n                        }\n                      ]\n                    }\n                  }\n                ],\n                \"outputs\": {}\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n",
+    "$fxv#120": "{\n  \"name\": \"Deny-Databricks-Sku\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deny non-premium Databricks sku\",\n    \"description\": \"Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for Microsoft Entra ID.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Databricks\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Databricks/workspaces\"\n          },\n          {\n            \"field\": \"Microsoft.DataBricks/workspaces/sku.name\",\n            \"notEquals\": \"premium\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}",
+    "$fxv#121": "{\n  \"name\": \"Deny-Databricks-VirtualNetwork\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deny Databricks workspaces without Vnet injection\",\n    \"description\": \"Enforces the use of vnet injection for Databricks workspaces.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Databricks\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Databricks/workspaces\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.DataBricks/workspaces/parameters.customVirtualNetworkId.value\",\n                \"exists\": false\n              },\n              {\n                \"field\": \"Microsoft.DataBricks/workspaces/parameters.customPublicSubnetName.value\",\n                \"exists\": false\n              },\n              {\n                \"field\": \"Microsoft.DataBricks/workspaces/parameters.customPrivateSubnetName.value\",\n                \"exists\": false\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
+    "$fxv#122": "{\n  \"name\": \"Deny-MachineLearning-Aks\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deny AKS cluster creation in Azure Machine Learning\",\n    \"description\": \"Deny AKS cluster creation in Azure Machine Learning and enforce connecting to existing clusters.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Machine Learning\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n            \"equals\": \"AKS\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/resourceId\",\n                \"exists\": false\n              },\n              {\n                \"value\": \"[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/resourceId'))]\",\n                \"equals\": true\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
+    "$fxv#123": "{\n  \"name\": \"Deny-MachineLearning-Compute-SubnetId\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances\",\n    \"description\": \"Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Machine Learning\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n            \"in\": [\n              \"AmlCompute\",\n              \"ComputeInstance\"\n            ]\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/subnet.id\",\n                \"exists\": false\n              },\n              {\n                \"value\": \"[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/subnet.id'))]\",\n                \"equals\": true\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
+    "$fxv#124": "{\n  \"name\": \"Deny-MachineLearning-Compute-VmSize\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances\",\n    \"description\": \"Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Budget\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"allowedVmSizes\": {\n        \"type\": \"Array\",\n        \"metadata\": {\n          \"displayName\": \"Allowed VM Sizes for Aml Compute Clusters and Instances\",\n          \"description\": \"Specifies the allowed VM Sizes for Aml Compute Clusters and Instances\"\n        },\n        \"defaultValue\": [\n          \"Standard_D1_v2\",\n          \"Standard_D2_v2\",\n          \"Standard_D3_v2\",\n          \"Standard_D4_v2\",\n          \"Standard_D11_v2\",\n          \"Standard_D12_v2\",\n          \"Standard_D13_v2\",\n          \"Standard_D14_v2\",\n          \"Standard_DS1_v2\",\n          \"Standard_DS2_v2\",\n          \"Standard_DS3_v2\",\n          \"Standard_DS4_v2\",\n          \"Standard_DS5_v2\",\n          \"Standard_DS11_v2\",\n          \"Standard_DS12_v2\",\n          \"Standard_DS13_v2\",\n          \"Standard_DS14_v2\",\n          \"Standard_M8-2ms\",\n          \"Standard_M8-4ms\",\n          \"Standard_M8ms\",\n          \"Standard_M16-4ms\",\n          \"Standard_M16-8ms\",\n          \"Standard_M16ms\",\n          \"Standard_M32-8ms\",\n          \"Standard_M32-16ms\",\n          \"Standard_M32ls\",\n          \"Standard_M32ms\",\n          \"Standard_M32ts\",\n          \"Standard_M64-16ms\",\n          \"Standard_M64-32ms\",\n          \"Standard_M64ls\",\n          \"Standard_M64ms\",\n          \"Standard_M64s\",\n          \"Standard_M128-32ms\",\n          \"Standard_M128-64ms\",\n          \"Standard_M128ms\",\n          \"Standard_M128s\",\n          \"Standard_M64\",\n          \"Standard_M64m\",\n          \"Standard_M128\",\n          \"Standard_M128m\",\n          \"Standard_D1\",\n          \"Standard_D2\",\n          \"Standard_D3\",\n          \"Standard_D4\",\n          \"Standard_D11\",\n          \"Standard_D12\",\n          \"Standard_D13\",\n          \"Standard_D14\",\n          \"Standard_DS15_v2\",\n          \"Standard_NV6\",\n          \"Standard_NV12\",\n          \"Standard_NV24\",\n          \"Standard_F2s_v2\",\n          \"Standard_F4s_v2\",\n          \"Standard_F8s_v2\",\n          \"Standard_F16s_v2\",\n          \"Standard_F32s_v2\",\n          \"Standard_F64s_v2\",\n          \"Standard_F72s_v2\",\n          \"Standard_NC6s_v3\",\n          \"Standard_NC12s_v3\",\n          \"Standard_NC24rs_v3\",\n          \"Standard_NC24s_v3\",\n          \"Standard_NC6\",\n          \"Standard_NC12\",\n          \"Standard_NC24\",\n          \"Standard_NC24r\",\n          \"Standard_ND6s\",\n          \"Standard_ND12s\",\n          \"Standard_ND24rs\",\n          \"Standard_ND24s\",\n          \"Standard_NC6s_v2\",\n          \"Standard_NC12s_v2\",\n          \"Standard_NC24rs_v2\",\n          \"Standard_NC24s_v2\",\n          \"Standard_ND40rs_v2\",\n          \"Standard_NV12s_v3\",\n          \"Standard_NV24s_v3\",\n          \"Standard_NV48s_v3\"\n        ]\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n            \"in\": [\n              \"AmlCompute\",\n              \"ComputeInstance\"\n            ]\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/vmSize\",\n            \"notIn\": \"[[parameters('allowedVmSizes')]\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
+    "$fxv#125": "{\n  \"name\": \"Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"All\",\n    \"displayName\": \"Deny public access of Azure Machine Learning clusters via SSH\",\n    \"description\": \"Deny public access of Azure Machine Learning clusters via SSH.\",\n    \"metadata\": {\n      \"version\": \"1.1.0\",\n      \"category\": \"Machine Learning\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n            \"equals\": \"AmlCompute\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\",\n                \"exists\": false\n              },\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\",\n                \"notEquals\": \"Disabled\"\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
+    "$fxv#126": "{\n  \"name\": \"Deny-MachineLearning-ComputeCluster-Scale\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Enforce scale settings for Azure Machine Learning compute clusters\",\n    \"description\": \"Enforce scale settings for Azure Machine Learning compute clusters.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Budget\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"maxNodeCount\": {\n        \"type\": \"Integer\",\n        \"metadata\": {\n          \"displayName\": \"Maximum Node Count\",\n          \"description\": \"Specifies the maximum node count of AML Clusters\"\n        },\n        \"defaultValue\": 10\n      },\n      \"minNodeCount\": {\n        \"type\": \"Integer\",\n        \"metadata\": {\n          \"displayName\": \"Minimum Node Count\",\n          \"description\": \"Specifies the minimum node count of AML Clusters\"\n        },\n        \"defaultValue\": 0\n      },\n      \"maxNodeIdleTimeInSecondsBeforeScaleDown\": {\n        \"type\": \"Integer\",\n        \"metadata\": {\n          \"displayName\": \"Maximum Node Idle Time in Seconds Before Scaledown\",\n          \"description\": \"Specifies the maximum node idle time in seconds before scaledown\"\n        },\n        \"defaultValue\": 900\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n            \"equals\": \"AmlCompute\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.maxNodeCount\",\n                \"greater\": \"[[parameters('maxNodeCount')]\"\n              },\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.minNodeCount\",\n                \"greater\": \"[[parameters('minNodeCount')]\"\n              },\n              {\n                \"value\": \"[[int(last(split(replace(replace(replace(replace(replace(replace(replace(field('Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.nodeIdleTimeBeforeScaleDown'), 'P', '/'), 'Y', '/'), 'M', '/'), 'D', '/'), 'T', '/'), 'H', '/'), 'S', ''), '/')))]\",\n                \"greater\": \"[[parameters('maxNodeIdleTimeInSecondsBeforeScaleDown')]\"\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
+    "$fxv#127": "{\n  \"name\": \"Deny-MachineLearning-HbiWorkspace\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Enforces high business impact Azure Machine Learning Workspaces\",\n    \"description\": \"Enforces high business impact Azure Machine Learning workspaces.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Machine Learning\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\",\n                \"exists\": false\n              },\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\",\n                \"notEquals\": true\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
+    "$fxv#128": "{\n  \"name\": \"Deny-MachineLearning-PublicAccessWhenBehindVnet\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deny public access behind vnet to Azure Machine Learning workspace\",\n    \"description\": \"Deny public access behind vnet to Azure Machine Learning workspaces.\",\n    \"metadata\": {\n      \"version\": \"1.0.1\",\n      \"category\": \"Machine Learning\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\",\n                \"exists\": false\n              },\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\",\n                \"notEquals\": false\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
+    "$fxv#129": "{\n  \"name\": \"Deny-MachineLearning-PublicNetworkAccess\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"[Deprecated] Azure Machine Learning should have disabled public network access\",\n    \"description\": \"Denies public network access for Azure Machine Learning workspaces. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/438c38d2-3772-465a-a9cc-7a6666a275ce.html\",\n    \"metadata\": {\n      \"version\": \"1.0.0-deprecated\",\n      \"category\": \"Machine Learning\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"deprecated\": true,\n      \"supersededBy\": \"438c38d2-3772-465a-a9cc-7a6666a275ce\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/publicNetworkAccess\",\n            \"notEquals\": \"Disabled\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
     "$fxv#13": "{\n  \"name\": \"Deny-MySql-http\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"MySQL database servers enforce SSL connections.\",\n    \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"SQL\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Deny\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"minimalTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"TLS1_2\",\n        \"allowedValues\": [\n          \"TLS1_2\",\n          \"TLS1_0\",\n          \"TLS1_1\",\n          \"TLSEnforcementDisabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Select version minimum TLS for MySQL server\",\n          \"description\": \"Select version  minimum TLS version Azure Database for MySQL server to enforce\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.DBforMySQL/servers\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.DBforMySQL/servers/sslEnforcement\",\n                \"exists\": \"false\"\n              },\n              {\n                \"field\": \"Microsoft.DBforMySQL/servers/sslEnforcement\",\n                \"notEquals\": \"Enabled\"\n              },\n              {\n                \"field\": \"Microsoft.DBforMySQL/servers/minimalTlsVersion\",\n                \"notequals\": \"[[parameters('minimalTlsVersion')]\"\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#130": "{\n  \"name\": \"Deploy-MySQLCMKEffect\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"MySQL servers should use customer-managed keys to encrypt data at rest\",\n    \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\",\n    \"metadata\": {\n      \"version\": \"1.0.4\",\n      \"category\": \"SQL\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"AuditIfNotExists\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"field\": \"type\",\n        \"equals\": \"Microsoft.DBforMySQL/servers\"\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.DBforMySQL/servers/keys\",\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.DBforMySQL/servers/keys/serverKeyType\",\n                \"equals\": \"AzureKeyVault\"\n              },\n              {\n                \"field\": \"Microsoft.DBforMySQL/servers/keys/uri\",\n                \"notEquals\": \"\"\n              },\n              {\n                \"field\": \"Microsoft.DBforMySQL/servers/keys/uri\",\n                \"exists\": \"true\"\n              }\n            ]\n          }\n        }\n      }\n    }\n  }\n}\n",
-    "$fxv#131": "{\n  \"name\": \"Deploy-PostgreSQLCMKEffect\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"PostgreSQL servers should use customer-managed keys to encrypt data at rest\",\n    \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\",\n    \"metadata\": {\n      \"version\": \"1.0.4\",\n      \"category\": \"SQL\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"AuditIfNotExists\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"field\": \"type\",\n        \"equals\": \"Microsoft.DBforPostgreSQL/servers\"\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.DBforPostgreSQL/servers/keys\",\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.DBforPostgreSQL/servers/keys/serverKeyType\",\n                \"equals\": \"AzureKeyVault\"\n              },\n              {\n                \"field\": \"Microsoft.DBforPostgreSQL/servers/keys/uri\",\n                \"notEquals\": \"\"\n              },\n              {\n                \"field\": \"Microsoft.DBforPostgreSQL/servers/keys/uri\",\n                \"exists\": \"true\"\n              }\n            ]\n          }\n        }\n      }\n    }\n  }\n}\n",
-    "$fxv#132": "{\n  \"name\": \"Deploy-Private-DNS-Azure-File-Sync\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Configure Azure File Sync to use private DNS zones\",\n    \"description\": \"To access the private endpoint(s) for Storage Sync Service resource interfaces from a registered server, you need to configure your DNS to resolve the correct names to your private endpoint's private IP addresses. This policy creates the requisite Azure Private DNS Zone and A records for the interfaces of your Storage Sync Service private endpoint(s).\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Storage\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"privateDnsZoneId\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"privateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Network/privateEndpoints\"\n          },\n          {\n            \"count\": {\n              \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n              \"where\": {\n                \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n                \"equals\": \"afs\"\n              }\n            },\n            \"greaterOrEquals\": 1\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n          \"roleDefinitionIds\": [\n            \"/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f\",\n            \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n          ],\n          \"deployment\": {\n            \"properties\": {\n              \"mode\": \"incremental\",\n              \"template\": {\n                \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"privateDnsZoneId\": {\n                    \"type\": \"string\"\n                  },\n                  \"privateEndpointName\": {\n                    \"type\": \"string\"\n                  },\n                  \"location\": {\n                    \"type\": \"string\"\n                  }\n                },\n                \"resources\": [\n                  {\n                    \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n                    \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n                    \"apiVersion\": \"2020-03-01\",\n                    \"location\": \"[[parameters('location')]\",\n                    \"properties\": {\n                      \"privateDnsZoneConfigs\": [\n                        {\n                          \"name\": \"privatelink-afs\",\n                          \"properties\": {\n                            \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n                          }\n                        }\n                      ]\n                    }\n                  }\n                ]\n              },\n              \"parameters\": {\n                \"privateDnsZoneId\": {\n                  \"value\": \"[[parameters('privateDnsZoneId')]\"\n                },\n                \"privateEndpointName\": {\n                  \"value\": \"[[field('name')]\"\n                },\n                \"location\": {\n                  \"value\": \"[[field('location')]\"\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n",
-    "$fxv#133": "{\n  \"name\": \"Deploy-Private-DNS-Azure-KeyVault\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Preview: Configure Azure Key Vaults to use private DNS zones\",\n    \"description\": \"Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to key vault. Learn more at: https://aka.ms/akvprivatelink.\",\n    \"metadata\": {\n      \"version\": \"1.0.0-preview\",\n      \"category\": \"Key Vault\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"preview\": true,\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"privateDnsZoneId\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Private DNS Zone ID\",\n          \"description\": \"A private DNS zone ID to connect to the private endpoint.\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"assignPermissions\": true\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Network/privateEndpoints\"\n          },\n          {\n            \"count\": {\n              \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n              \"where\": {\n                \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n                \"equals\": \"vault\"\n              }\n            },\n            \"greaterOrEquals\": 1\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n          \"roleDefinitionIds\": [\n            \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n          ],\n          \"deployment\": {\n            \"properties\": {\n              \"mode\": \"incremental\",\n              \"template\": {\n                \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"privateDnsZoneId\": {\n                    \"type\": \"string\"\n                  },\n                  \"privateEndpointName\": {\n                    \"type\": \"string\"\n                  },\n                  \"location\": {\n                    \"type\": \"string\"\n                  }\n                },\n                \"resources\": [\n                  {\n                    \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n                    \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n                    \"apiVersion\": \"2020-03-01\",\n                    \"location\": \"[[parameters('location')]\",\n                    \"properties\": {\n                      \"privateDnsZoneConfigs\": [\n                        {\n                          \"name\": \"keyvault-privateDnsZone\",\n                          \"properties\": {\n                            \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n                          }\n                        }\n                      ]\n                    }\n                  }\n                ]\n              },\n              \"parameters\": {\n                \"privateDnsZoneId\": {\n                  \"value\": \"[[parameters('privateDnsZoneId')]\"\n                },\n                \"privateEndpointName\": {\n                  \"value\": \"[[field('name')]\"\n                },\n                \"location\": {\n                  \"value\": \"[[field('location')]\"\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n",
-    "$fxv#134": "{\n  \"name\": \"Deploy-Private-DNS-Azure-Web\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Configure Azure Web PubSub Service to use private DNS zones\",\n    \"description\": \"Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Web PubSub service. Learn more at: https://aka.ms/awps/privatelink.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Web PubSub\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"privateDnsZoneId\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Private DNS Zone Id\",\n          \"description\": \"Private DNS zone to integrate with private endpoint.\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Network/privateEndpoints\"\n          },\n          {\n            \"count\": {\n              \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n              \"where\": {\n                \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n                \"equals\": \"webpubsub\"\n              }\n            },\n            \"greaterOrEquals\": 1\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n          \"roleDefinitionIds\": [\n            \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n          ],\n          \"deployment\": {\n            \"properties\": {\n              \"mode\": \"incremental\",\n              \"template\": {\n                \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"privateDnsZoneId\": {\n                    \"type\": \"string\"\n                  },\n                  \"privateEndpointName\": {\n                    \"type\": \"string\"\n                  },\n                  \"location\": {\n                    \"type\": \"string\"\n                  }\n                },\n                \"resources\": [\n                  {\n                    \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n                    \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n                    \"apiVersion\": \"2020-03-01\",\n                    \"location\": \"[[parameters('location')]\",\n                    \"properties\": {\n                      \"privateDnsZoneConfigs\": [\n                        {\n                          \"name\": \"privatelink-webpubsub-azure-com\",\n                          \"properties\": {\n                            \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n                          }\n                        }\n                      ]\n                    }\n                  }\n                ]\n              },\n              \"parameters\": {\n                \"privateDnsZoneId\": {\n                  \"value\": \"[[parameters('privateDnsZoneId')]\"\n                },\n                \"privateEndpointName\": {\n                  \"value\": \"[[field('name')]\"\n                },\n                \"location\": {\n                  \"value\": \"[[field('location')]\"\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n",
-    "$fxv#135": "{\n  \"name\": \"Deny-AA-child-resources\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"No child resources in Automation Account\",\n    \"description\": \"This policy denies the creation of child resources on the Automation Account\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Automation\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"in\": [\n              \"Microsoft.Automation/automationAccounts/runbooks\",\n              \"Microsoft.Automation/automationAccounts/variables\",\n              \"Microsoft.Automation/automationAccounts/modules\",\n              \"Microsoft.Automation/automationAccounts/credentials\",\n              \"Microsoft.Automation/automationAccounts/connections\",\n              \"Microsoft.Automation/automationAccounts/certificates\"\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#136": "{\n  \"name\": \"Deploy-Budget\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"All\",\n    \"displayName\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n    \"description\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n    \"metadata\": {\n      \"version\": \"1.1.0\",\n      \"category\": \"Budget\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"budgetName\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"budget-set-by-policy\",\n        \"metadata\": {\n          \"description\": \"The name for the budget to be created\"\n        }\n      },\n      \"amount\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"1000\",\n        \"metadata\": {\n          \"description\": \"The total amount of cost or usage to track with the budget\"\n        }\n      },\n      \"timeGrain\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Monthly\",\n        \"allowedValues\": [\n          \"Monthly\",\n          \"Quarterly\",\n          \"Annually\",\n          \"BillingMonth\",\n          \"BillingQuarter\",\n          \"BillingAnnual\"\n        ],\n        \"metadata\": {\n          \"description\": \"The time covered by a budget. Tracking of the amount will be reset based on the time grain.\"\n        }\n      },\n      \"firstThreshold\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"90\",\n        \"metadata\": {\n          \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n        }\n      },\n      \"secondThreshold\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"100\",\n        \"metadata\": {\n          \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n        }\n      },\n      \"contactRoles\": {\n        \"type\": \"Array\",\n        \"defaultValue\": [\n          \"Owner\",\n          \"Contributor\"\n        ],\n        \"metadata\": {\n          \"description\": \"The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded.\"\n        }\n      },\n      \"contactEmails\": {\n        \"type\": \"Array\",\n        \"defaultValue\": [],\n        \"metadata\": {\n          \"description\": \"The list of email addresses, in an array, to send the budget notification to when the threshold is exceeded.\"\n        }\n      },\n      \"contactGroups\": {\n        \"type\": \"Array\",\n        \"defaultValue\": [],\n        \"metadata\": {\n          \"description\": \"The list of action groups, in an array, to send the budget notification to when the threshold is exceeded. It accepts array of strings.\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Resources/subscriptions\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Consumption/budgets\",\n          \"deploymentScope\": \"subscription\",\n          \"existenceScope\": \"subscription\",\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Consumption/budgets/amount\",\n                \"equals\": \"[[parameters('amount')]\"\n              },\n              {\n                \"field\": \"Microsoft.Consumption/budgets/timeGrain\",\n                \"equals\": \"[[parameters('timeGrain')]\"\n              },\n              {\n                \"field\": \"Microsoft.Consumption/budgets/category\",\n                \"equals\": \"Cost\"\n              }\n            ]\n          },\n          \"roleDefinitionIds\": [\n            \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n          ],\n          \"deployment\": {\n            \"location\": \"northeurope\",\n            \"properties\": {\n              \"mode\": \"Incremental\",\n              \"parameters\": {\n                \"budgetName\": {\n                  \"value\": \"[[parameters('budgetName')]\"\n                },\n                \"amount\": {\n                  \"value\": \"[[parameters('amount')]\"\n                },\n                \"timeGrain\": {\n                  \"value\": \"[[parameters('timeGrain')]\"\n                },\n                \"firstThreshold\": {\n                  \"value\": \"[[parameters('firstThreshold')]\"\n                },\n                \"secondThreshold\": {\n                  \"value\": \"[[parameters('secondThreshold')]\"\n                },\n                \"contactEmails\": {\n                  \"value\": \"[[parameters('contactEmails')]\"\n                },\n                \"contactRoles\": {\n                  \"value\": \"[[parameters('contactRoles')]\"\n                },\n                \"contactGroups\": {\n                  \"value\": \"[[parameters('contactGroups')]\"\n                }\n              },\n              \"template\": {\n                \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"budgetName\": {\n                    \"type\": \"String\"\n                  },\n                  \"amount\": {\n                    \"type\": \"String\"\n                  },\n                  \"timeGrain\": {\n                    \"type\": \"String\"\n                  },\n                  \"firstThreshold\": {\n                    \"type\": \"String\"\n                  },\n                  \"secondThreshold\": {\n                    \"type\": \"String\"\n                  },\n                  \"contactEmails\": {\n                    \"type\": \"Array\"\n                  },\n                  \"contactRoles\": {\n                    \"type\": \"Array\"\n                  },\n                  \"contactGroups\": {\n                    \"type\": \"Array\"\n                  },\n                  \"startDate\": {\n                    \"type\": \"String\",\n                    \"defaultValue\": \"[[concat(utcNow('MM'), '/01/', utcNow('yyyy'))]\"\n                  }\n                },\n                \"resources\": [\n                  {\n                    \"type\": \"Microsoft.Consumption/budgets\",\n                    \"apiVersion\": \"2019-10-01\",\n                    \"name\": \"[[parameters('budgetName')]\",\n                    \"properties\": {\n                      \"timePeriod\": {\n                        \"startDate\": \"[[parameters('startDate')]\"\n                      },\n                      \"timeGrain\": \"[[parameters('timeGrain')]\",\n                      \"amount\": \"[[parameters('amount')]\",\n                      \"category\": \"Cost\",\n                      \"notifications\": {\n                        \"NotificationForExceededBudget1\": {\n                          \"enabled\": true,\n                          \"operator\": \"GreaterThan\",\n                          \"threshold\": \"[[parameters('firstThreshold')]\",\n                          \"contactEmails\": \"[[parameters('contactEmails')]\",\n                          \"contactRoles\": \"[[parameters('contactRoles')]\",\n                          \"contactGroups\": \"[[parameters('contactGroups')]\"\n                        },\n                        \"NotificationForExceededBudget2\": {\n                          \"enabled\": true,\n                          \"operator\": \"GreaterThan\",\n                          \"threshold\": \"[[parameters('secondThreshold')]\",\n                          \"contactEmails\": \"[[parameters('contactEmails')]\",\n                          \"contactRoles\": \"[[parameters('contactRoles')]\",\n                          \"contactGroups\": \"[[parameters('contactGroups')]\"\n                        }\n                      }\n                    }\n                  }\n                ]\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n",
-    "$fxv#137": "{\n  \"name\": \"Deploy-Default-Udr\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deploy a user-defined route to a VNET with specific routes.\",\n    \"description\": \"Deploy a user-defined route to a VNET with routes from spoke to hub firewall. This policy must be assigned for each region you plan to use.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"defaultRoute\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Default route to add into UDR\",\n          \"description\": \"Policy will deploy a default route table to a vnet\"\n        }\n      },\n      \"vnetRegion\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"VNet Region\",\n          \"description\": \"Regional VNet hub location\",\n          \"strongType\": \"location\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Network/virtualNetworks\"\n          },\n          {\n            \"field\": \"location\",\n            \"equals\": \"[[parameters('vnetRegion')]\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Network/routeTables\",\n          \"roleDefinitionIds\": [\n            \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n          ],\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Network/routeTables/routes[*].nextHopIpAddress\",\n                \"equals\": \"[[parameters('defaultRoute')]\"\n              }\n            ]\n          },\n          \"deployment\": {\n            \"properties\": {\n              \"mode\": \"incremental\",\n              \"parameters\": {\n                \"udrName\": {\n                  \"value\": \"[[concat(field('name'),'-udr')]\"\n                },\n                \"udrLocation\": {\n                  \"value\": \"[[field('location')]\"\n                },\n                \"defaultRoute\": {\n                  \"value\": \"[[parameters('defaultRoute')]\"\n                }\n              },\n              \"template\": {\n                \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"udrName\": {\n                    \"type\": \"string\"\n                  },\n                  \"udrLocation\": {\n                    \"type\": \"string\"\n                  },\n                  \"defaultRoute\": {\n                    \"type\": \"string\"\n                  }\n                },\n                \"variables\": {},\n                \"resources\": [\n                  {\n                    \"type\": \"Microsoft.Network/routeTables\",\n                    \"name\": \"[[parameters('udrName')]\",\n                    \"apiVersion\": \"2020-08-01\",\n                    \"location\": \"[[parameters('udrLocation')]\",\n                    \"properties\": {\n                      \"routes\": [\n                        {\n                          \"name\": \"AzureFirewallRoute\",\n                          \"properties\": {\n                            \"addressPrefix\": \"0.0.0.0/0\",\n                            \"nextHopType\": \"VirtualAppliance\",\n                            \"nextHopIpAddress\": \"[[parameters('defaultRoute')]\"\n                          }\n                        }\n                      ]\n                    }\n                  }\n                ],\n                \"outputs\": {}\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n",
-    "$fxv#138": "{\n    \"name\": \"Audit-UnusedResourcesCostOptimization\",\n    \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"displayName\": \"Unused resources driving cost should be avoided\",\n        \"description\": \"Optimize cost by detecting unused but chargeable resources. Leverage this Azure Policy Initiative as a cost control tool to reveal orphaned resources that are contributing cost.\",\n        \"metadata\": {\n            \"version\": \"2.0.0\",\n            \"category\": \"Cost Optimization\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\",\n                \"AzureChinaCloud\",\n                \"AzureUSGovernment\"\n              ]\n        },\n        \"parameters\": {\n            \"effectDisks\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Disks Effect\",\n                    \"description\": \"Enable or disable the execution of the policy for Microsoft.Compute/disks\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"effectPublicIpAddresses\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"PublicIpAddresses Effect\",\n                    \"description\": \"Enable or disable the execution of the policy for Microsoft.Network/publicIpAddresses\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"effectServerFarms\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"ServerFarms Effect\",\n                    \"description\": \"Enable or disable the execution of the policy for Microsoft.Web/serverfarms\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            }\n        },\n        \"policyDefinitions\": [\n            {\n                \"policyDefinitionReferenceId\": \"AuditDisksUnusedResourcesCostOptimization\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-Disks-UnusedResourcesCostOptimization\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectDisks')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"AuditPublicIpAddressesUnusedResourcesCostOptimization\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-PublicIpAddresses-UnusedResourcesCostOptimization\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectPublicIpAddresses')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"AuditServerFarmsUnusedResourcesCostOptimization\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-ServerFarms-UnusedResourcesCostOptimization\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectServerFarms')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"AuditAzureHybridBenefitUnusedResourcesCostOptimization\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-AzureHybridBenefit\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"Audit\"\n                    }\n                },\n                \"groupNames\": []\n            }\n        ],\n        \"policyDefinitionGroups\": null\n    }\n}",
-    "$fxv#139": "{\n  \"name\": \"Deploy-Sql-Security\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deploy SQL Database built-in SQL security configuration\",\n    \"description\": \"Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"SQL\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"vulnerabilityAssessmentsEmail\": {\n        \"metadata\": {\n          \"description\": \"The email address to send alerts\",\n          \"displayName\": \"The email address to send alerts\"\n        },\n        \"type\": \"String\"\n      },\n      \"vulnerabilityAssessmentsStorageID\": {\n        \"metadata\": {\n          \"description\": \"The storage account ID to store assessments\",\n          \"displayName\": \"The storage account ID to store assessments\"\n        },\n        \"type\": \"String\"\n      },\n      \"SqlDbTdeDeploySqlSecurityEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy SQL Database Transparent Data Encryption \",\n          \"description\": \"Deploy the Transparent Data Encryption when it is not enabled in the deployment\"\n        }\n      },\n      \"SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy SQL Database security Alert Policies configuration with email admin accounts\",\n          \"description\": \"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration\"\n        }\n      },\n      \"SqlDbAuditingSettingsDeploySqlSecurityEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy SQL database auditing settings\",\n          \"description\": \"Deploy auditing settings to SQL Database when it not exist in the deployment\"\n        }\n      },\n      \"SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy SQL Database vulnerability Assessments\",\n          \"description\": \"Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific  storage account in the parameters\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"SqlDbTdeDeploySqlSecurity\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlDbTdeDeploySqlSecurityEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlDbSecurityAlertPoliciesDeploySqlSecurity\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlDbAuditingSettingsDeploySqlSecurity\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlDbVulnerabilityAssessmentsDeploySqlSecurity\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]\"\n          },\n          \"vulnerabilityAssessmentsEmail\": {\n            \"value\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n          },\n          \"vulnerabilityAssessmentsStorageID\": {\n            \"value\": \"[[parameters('vulnerabilityAssessmentsStorageID')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
+    "$fxv#130": "{\n  \"name\": \"Deploy-Budget\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"All\",\n    \"displayName\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n    \"description\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n    \"metadata\": {\n      \"version\": \"1.1.0\",\n      \"category\": \"Budget\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"budgetName\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"budget-set-by-policy\",\n        \"metadata\": {\n          \"description\": \"The name for the budget to be created\"\n        }\n      },\n      \"amount\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"1000\",\n        \"metadata\": {\n          \"description\": \"The total amount of cost or usage to track with the budget\"\n        }\n      },\n      \"timeGrain\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Monthly\",\n        \"allowedValues\": [\n          \"Monthly\",\n          \"Quarterly\",\n          \"Annually\",\n          \"BillingMonth\",\n          \"BillingQuarter\",\n          \"BillingAnnual\"\n        ],\n        \"metadata\": {\n          \"description\": \"The time covered by a budget. Tracking of the amount will be reset based on the time grain.\"\n        }\n      },\n      \"firstThreshold\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"90\",\n        \"metadata\": {\n          \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n        }\n      },\n      \"secondThreshold\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"100\",\n        \"metadata\": {\n          \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n        }\n      },\n      \"contactRoles\": {\n        \"type\": \"Array\",\n        \"defaultValue\": [\n          \"Owner\",\n          \"Contributor\"\n        ],\n        \"metadata\": {\n          \"description\": \"The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded.\"\n        }\n      },\n      \"contactEmails\": {\n        \"type\": \"Array\",\n        \"defaultValue\": [],\n        \"metadata\": {\n          \"description\": \"The list of email addresses, in an array, to send the budget notification to when the threshold is exceeded.\"\n        }\n      },\n      \"contactGroups\": {\n        \"type\": \"Array\",\n        \"defaultValue\": [],\n        \"metadata\": {\n          \"description\": \"The list of action groups, in an array, to send the budget notification to when the threshold is exceeded. It accepts array of strings.\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Resources/subscriptions\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Consumption/budgets\",\n          \"deploymentScope\": \"subscription\",\n          \"existenceScope\": \"subscription\",\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Consumption/budgets/amount\",\n                \"equals\": \"[[parameters('amount')]\"\n              },\n              {\n                \"field\": \"Microsoft.Consumption/budgets/timeGrain\",\n                \"equals\": \"[[parameters('timeGrain')]\"\n              },\n              {\n                \"field\": \"Microsoft.Consumption/budgets/category\",\n                \"equals\": \"Cost\"\n              }\n            ]\n          },\n          \"roleDefinitionIds\": [\n            \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n          ],\n          \"deployment\": {\n            \"location\": \"northeurope\",\n            \"properties\": {\n              \"mode\": \"Incremental\",\n              \"parameters\": {\n                \"budgetName\": {\n                  \"value\": \"[[parameters('budgetName')]\"\n                },\n                \"amount\": {\n                  \"value\": \"[[parameters('amount')]\"\n                },\n                \"timeGrain\": {\n                  \"value\": \"[[parameters('timeGrain')]\"\n                },\n                \"firstThreshold\": {\n                  \"value\": \"[[parameters('firstThreshold')]\"\n                },\n                \"secondThreshold\": {\n                  \"value\": \"[[parameters('secondThreshold')]\"\n                },\n                \"contactEmails\": {\n                  \"value\": \"[[parameters('contactEmails')]\"\n                },\n                \"contactRoles\": {\n                  \"value\": \"[[parameters('contactRoles')]\"\n                },\n                \"contactGroups\": {\n                  \"value\": \"[[parameters('contactGroups')]\"\n                }\n              },\n              \"template\": {\n                \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"budgetName\": {\n                    \"type\": \"String\"\n                  },\n                  \"amount\": {\n                    \"type\": \"String\"\n                  },\n                  \"timeGrain\": {\n                    \"type\": \"String\"\n                  },\n                  \"firstThreshold\": {\n                    \"type\": \"String\"\n                  },\n                  \"secondThreshold\": {\n                    \"type\": \"String\"\n                  },\n                  \"contactEmails\": {\n                    \"type\": \"Array\"\n                  },\n                  \"contactRoles\": {\n                    \"type\": \"Array\"\n                  },\n                  \"contactGroups\": {\n                    \"type\": \"Array\"\n                  },\n                  \"startDate\": {\n                    \"type\": \"String\",\n                    \"defaultValue\": \"[[concat(utcNow('MM'), '/01/', utcNow('yyyy'))]\"\n                  }\n                },\n                \"resources\": [\n                  {\n                    \"type\": \"Microsoft.Consumption/budgets\",\n                    \"apiVersion\": \"2019-10-01\",\n                    \"name\": \"[[parameters('budgetName')]\",\n                    \"properties\": {\n                      \"timePeriod\": {\n                        \"startDate\": \"[[parameters('startDate')]\"\n                      },\n                      \"timeGrain\": \"[[parameters('timeGrain')]\",\n                      \"amount\": \"[[parameters('amount')]\",\n                      \"category\": \"Cost\",\n                      \"notifications\": {\n                        \"NotificationForExceededBudget1\": {\n                          \"enabled\": true,\n                          \"operator\": \"GreaterThan\",\n                          \"threshold\": \"[[parameters('firstThreshold')]\",\n                          \"contactEmails\": \"[[parameters('contactEmails')]\",\n                          \"contactRoles\": \"[[parameters('contactRoles')]\",\n                          \"contactGroups\": \"[[parameters('contactGroups')]\"\n                        },\n                        \"NotificationForExceededBudget2\": {\n                          \"enabled\": true,\n                          \"operator\": \"GreaterThan\",\n                          \"threshold\": \"[[parameters('secondThreshold')]\",\n                          \"contactEmails\": \"[[parameters('contactEmails')]\",\n                          \"contactRoles\": \"[[parameters('contactRoles')]\",\n                          \"contactGroups\": \"[[parameters('contactGroups')]\"\n                        }\n                      }\n                    }\n                  }\n                ]\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n",
+    "$fxv#131": "{\n  \"name\": \"Deploy-Diagnostics-AVDScalingPlans\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace\",\n    \"description\": \"Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any Scaling Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.\",\n    \"metadata\": {\n      \"version\": \"1.1.0\",\n      \"category\": \"Monitoring\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"logAnalytics\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Log Analytics workspace\",\n          \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"strongType\": \"omsWorkspace\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"profileName\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"setbypolicy\",\n        \"metadata\": {\n          \"displayName\": \"Profile name\",\n          \"description\": \"The diagnostic settings profile name\"\n        }\n      },\n      \"logsEnabled\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"True\",\n        \"allowedValues\": [\n          \"True\",\n          \"False\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Enable logs\",\n          \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"field\": \"type\",\n        \"equals\": \"Microsoft.DesktopVirtualization/scalingplans\"\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Insights/diagnosticSettings\",\n          \"name\": \"[[parameters('profileName')]\",\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n                \"equals\": \"true\"\n              },\n              {\n                \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n                \"equals\": \"[[parameters('logAnalytics')]\"\n              }\n            ]\n          },\n          \"roleDefinitionIds\": [\n            \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n            \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n          ],\n          \"deployment\": {\n            \"properties\": {\n              \"mode\": \"Incremental\",\n              \"template\": {\n                \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"resourceName\": {\n                    \"type\": \"String\"\n                  },\n                  \"logAnalytics\": {\n                    \"type\": \"String\"\n                  },\n                  \"location\": {\n                    \"type\": \"String\"\n                  },\n                  \"profileName\": {\n                    \"type\": \"String\"\n                  },\n                  \"logsEnabled\": {\n                    \"type\": \"String\"\n                  }\n                },\n                \"variables\": {},\n                \"resources\": [\n                  {\n                    \"type\": \"Microsoft.DesktopVirtualization/scalingplans/providers/diagnosticSettings\",\n                    \"apiVersion\": \"2017-05-01-preview\",\n                    \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n                    \"location\": \"[[parameters('location')]\",\n                    \"dependsOn\": [],\n                    \"properties\": {\n                      \"workspaceId\": \"[[parameters('logAnalytics')]\",\n                      \"logs\": [\n                        {\n                          \"category\": \"Autoscale\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        }\n                      ]\n                    }\n                  }\n                ],\n                \"outputs\": {}\n              },\n              \"parameters\": {\n                \"logAnalytics\": {\n                  \"value\": \"[[parameters('logAnalytics')]\"\n                },\n                \"location\": {\n                  \"value\": \"[[field('location')]\"\n                },\n                \"resourceName\": {\n                  \"value\": \"[[field('name')]\"\n                },\n                \"profileName\": {\n                  \"value\": \"[[parameters('profileName')]\"\n                },\n                \"logsEnabled\": {\n                  \"value\": \"[[parameters('logsEnabled')]\"\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}",
+    "$fxv#132": "{\n  \"name\": \"Deny-AFSPaasPublicIP\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Public network access should be disabled for Azure File Sync\",\n    \"description\": \"Disabling the public endpoint allows you to restrict access to your Storage Sync Service resource to requests destined to approved private endpoints on your organization's network. There is nothing inherently insecure about allowing requests to the public endpoint, however, you may wish to disable it to meet regulatory, legal, or organizational policy requirements. You can disable the public endpoint for a Storage Sync Service by setting the incomingTrafficPolicy of the resource to AllowVirtualNetworksOnly.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Storage\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Audit\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.StorageSync/storageSyncServices\"\n          },\n          {\n            \"field\": \"Microsoft.StorageSync/storageSyncServices/incomingTrafficPolicy\",\n            \"notEquals\": \"AllowVirtualNetworksOnly\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
+    "$fxv#133": "{\n  \"name\": \"Deny-KeyVaultPaasPublicIP\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Preview: Azure Key Vault should disable public network access\",\n    \"description\": \"Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink.\",\n    \"metadata\": {\n      \"version\": \"2.0.0-preview\",\n      \"category\": \"Key Vault\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"preview\": true,\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Audit\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.KeyVault/vaults\"\n          },\n          {\n            \"not\": {\n              \"field\": \"Microsoft.KeyVault/vaults/createMode\",\n              \"equals\": \"recover\"\n            }\n          },\n          {\n            \"field\": \"Microsoft.KeyVault/vaults/networkAcls.defaultAction\",\n            \"notEquals\": \"Deny\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
+    "$fxv#134": "{\n  \"name\": \"Deploy-ActivityLogs-to-LA-workspace\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"All\",\n    \"displayName\": \"Configure Azure Activity logs to stream to specified Log Analytics workspace\",\n    \"description\": \"Deploys the diagnostic settings for Azure Activity to stream subscriptions audit logs to a Log Analytics workspace to monitor subscription-level events\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Monitoring\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"logAnalytics\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Primary Log Analytics workspace\",\n          \"description\": \"If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"strongType\": \"omsWorkspace\",\n          \"assignPermissions\": true\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      },\n      \"logsEnabled\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Enable logs\",\n          \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n        },\n        \"allowedValues\": [\n          \"True\",\n          \"False\"\n        ],\n        \"defaultValue\": \"True\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"field\": \"type\",\n        \"equals\": \"Microsoft.Resources/subscriptions\"\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Insights/diagnosticSettings\",\n          \"deploymentScope\": \"subscription\",\n          \"existenceScope\": \"subscription\",\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n                \"equals\": \"[[parameters('logsEnabled')]\"\n              },\n              {\n                \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n                \"equals\": \"[[parameters('logAnalytics')]\"\n              }\n            ]\n          },\n          \"deployment\": {\n            \"location\": \"chinaeast2\",\n            \"properties\": {\n              \"mode\": \"incremental\",\n              \"template\": {\n                \"$schema\": \"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"logAnalytics\": {\n                    \"type\": \"string\"\n                  },\n                  \"logsEnabled\": {\n                    \"type\": \"string\"\n                  }\n                },\n                \"variables\": {},\n                \"resources\": [\n                  {\n                    \"name\": \"subscriptionToLa\",\n                    \"type\": \"Microsoft.Insights/diagnosticSettings\",\n                    \"apiVersion\": \"2017-05-01-preview\",\n                    \"location\": \"Global\",\n                    \"properties\": {\n                      \"workspaceId\": \"[[parameters('logAnalytics')]\",\n                      \"logs\": [\n                        {\n                          \"category\": \"Administrative\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"Security\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"ServiceHealth\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"Alert\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"Recommendation\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"Policy\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"Autoscale\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"ResourceHealth\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        }\n                      ]\n                    }\n                  }\n                ],\n                \"outputs\": {}\n              },\n              \"parameters\": {\n                \"logAnalytics\": {\n                  \"value\": \"[[parameters('logAnalytics')]\"\n                },\n                \"logsEnabled\": {\n                  \"value\": \"[[parameters('logsEnabled')]\"\n                }\n              }\n            }\n          },\n          \"roleDefinitionIds\": [\n            \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n            \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n          ]\n        }\n      }\n    }\n  }\n}\n",
+    "$fxv#135": "{\n  \"name\": \"Deploy-Default-Udr\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deploy a user-defined route to a VNET with specific routes.\",\n    \"description\": \"Deploy a user-defined route to a VNET with routes from spoke to hub firewall. This policy must be assigned for each region you plan to use.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"defaultRoute\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Default route to add into UDR\",\n          \"description\": \"Policy will deploy a default route table to a vnet\"\n        }\n      },\n      \"vnetRegion\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"VNet Region\",\n          \"description\": \"Regional VNet hub location\",\n          \"strongType\": \"location\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Network/virtualNetworks\"\n          },\n          {\n            \"field\": \"location\",\n            \"equals\": \"[[parameters('vnetRegion')]\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Network/routeTables\",\n          \"roleDefinitionIds\": [\n            \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n          ],\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Network/routeTables/routes[*].nextHopIpAddress\",\n                \"equals\": \"[[parameters('defaultRoute')]\"\n              }\n            ]\n          },\n          \"deployment\": {\n            \"properties\": {\n              \"mode\": \"incremental\",\n              \"parameters\": {\n                \"udrName\": {\n                  \"value\": \"[[concat(field('name'),'-udr')]\"\n                },\n                \"udrLocation\": {\n                  \"value\": \"[[field('location')]\"\n                },\n                \"defaultRoute\": {\n                  \"value\": \"[[parameters('defaultRoute')]\"\n                }\n              },\n              \"template\": {\n                \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"udrName\": {\n                    \"type\": \"string\"\n                  },\n                  \"udrLocation\": {\n                    \"type\": \"string\"\n                  },\n                  \"defaultRoute\": {\n                    \"type\": \"string\"\n                  }\n                },\n                \"variables\": {},\n                \"resources\": [\n                  {\n                    \"type\": \"Microsoft.Network/routeTables\",\n                    \"name\": \"[[parameters('udrName')]\",\n                    \"apiVersion\": \"2020-08-01\",\n                    \"location\": \"[[parameters('udrLocation')]\",\n                    \"properties\": {\n                      \"routes\": [\n                        {\n                          \"name\": \"AzureFirewallRoute\",\n                          \"properties\": {\n                            \"addressPrefix\": \"0.0.0.0/0\",\n                            \"nextHopType\": \"VirtualAppliance\",\n                            \"nextHopIpAddress\": \"[[parameters('defaultRoute')]\"\n                          }\n                        }\n                      ]\n                    }\n                  }\n                ],\n                \"outputs\": {}\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n",
+    "$fxv#136": "{\n  \"name\": \"Deploy-MySQLCMKEffect\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"MySQL servers should use customer-managed keys to encrypt data at rest\",\n    \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\",\n    \"metadata\": {\n      \"version\": \"1.0.4\",\n      \"category\": \"SQL\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"AuditIfNotExists\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"field\": \"type\",\n        \"equals\": \"Microsoft.DBforMySQL/servers\"\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.DBforMySQL/servers/keys\",\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.DBforMySQL/servers/keys/serverKeyType\",\n                \"equals\": \"AzureKeyVault\"\n              },\n              {\n                \"field\": \"Microsoft.DBforMySQL/servers/keys/uri\",\n                \"notEquals\": \"\"\n              },\n              {\n                \"field\": \"Microsoft.DBforMySQL/servers/keys/uri\",\n                \"exists\": \"true\"\n              }\n            ]\n          }\n        }\n      }\n    }\n  }\n}\n",
+    "$fxv#137": "{\n  \"name\": \"Deploy-PostgreSQLCMKEffect\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"PostgreSQL servers should use customer-managed keys to encrypt data at rest\",\n    \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\",\n    \"metadata\": {\n      \"version\": \"1.0.4\",\n      \"category\": \"SQL\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"AuditIfNotExists\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"field\": \"type\",\n        \"equals\": \"Microsoft.DBforPostgreSQL/servers\"\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.DBforPostgreSQL/servers/keys\",\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.DBforPostgreSQL/servers/keys/serverKeyType\",\n                \"equals\": \"AzureKeyVault\"\n              },\n              {\n                \"field\": \"Microsoft.DBforPostgreSQL/servers/keys/uri\",\n                \"notEquals\": \"\"\n              },\n              {\n                \"field\": \"Microsoft.DBforPostgreSQL/servers/keys/uri\",\n                \"exists\": \"true\"\n              }\n            ]\n          }\n        }\n      }\n    }\n  }\n}\n",
+    "$fxv#138": "{\n  \"name\": \"Deploy-Private-DNS-Azure-File-Sync\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Configure Azure File Sync to use private DNS zones\",\n    \"description\": \"To access the private endpoint(s) for Storage Sync Service resource interfaces from a registered server, you need to configure your DNS to resolve the correct names to your private endpoint's private IP addresses. This policy creates the requisite Azure Private DNS Zone and A records for the interfaces of your Storage Sync Service private endpoint(s).\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Storage\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"privateDnsZoneId\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"privateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Network/privateEndpoints\"\n          },\n          {\n            \"count\": {\n              \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n              \"where\": {\n                \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n                \"equals\": \"afs\"\n              }\n            },\n            \"greaterOrEquals\": 1\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n          \"roleDefinitionIds\": [\n            \"/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f\",\n            \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n          ],\n          \"deployment\": {\n            \"properties\": {\n              \"mode\": \"incremental\",\n              \"template\": {\n                \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"privateDnsZoneId\": {\n                    \"type\": \"string\"\n                  },\n                  \"privateEndpointName\": {\n                    \"type\": \"string\"\n                  },\n                  \"location\": {\n                    \"type\": \"string\"\n                  }\n                },\n                \"resources\": [\n                  {\n                    \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n                    \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n                    \"apiVersion\": \"2020-03-01\",\n                    \"location\": \"[[parameters('location')]\",\n                    \"properties\": {\n                      \"privateDnsZoneConfigs\": [\n                        {\n                          \"name\": \"privatelink-afs\",\n                          \"properties\": {\n                            \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n                          }\n                        }\n                      ]\n                    }\n                  }\n                ]\n              },\n              \"parameters\": {\n                \"privateDnsZoneId\": {\n                  \"value\": \"[[parameters('privateDnsZoneId')]\"\n                },\n                \"privateEndpointName\": {\n                  \"value\": \"[[field('name')]\"\n                },\n                \"location\": {\n                  \"value\": \"[[field('location')]\"\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n",
+    "$fxv#139": "{\n  \"name\": \"Deploy-Private-DNS-Azure-KeyVault\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Preview: Configure Azure Key Vaults to use private DNS zones\",\n    \"description\": \"Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to key vault. Learn more at: https://aka.ms/akvprivatelink.\",\n    \"metadata\": {\n      \"version\": \"1.0.0-preview\",\n      \"category\": \"Key Vault\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"preview\": true,\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"privateDnsZoneId\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Private DNS Zone ID\",\n          \"description\": \"A private DNS zone ID to connect to the private endpoint.\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"assignPermissions\": true\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Network/privateEndpoints\"\n          },\n          {\n            \"count\": {\n              \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n              \"where\": {\n                \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n                \"equals\": \"vault\"\n              }\n            },\n            \"greaterOrEquals\": 1\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n          \"roleDefinitionIds\": [\n            \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n          ],\n          \"deployment\": {\n            \"properties\": {\n              \"mode\": \"incremental\",\n              \"template\": {\n                \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"privateDnsZoneId\": {\n                    \"type\": \"string\"\n                  },\n                  \"privateEndpointName\": {\n                    \"type\": \"string\"\n                  },\n                  \"location\": {\n                    \"type\": \"string\"\n                  }\n                },\n                \"resources\": [\n                  {\n                    \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n                    \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n                    \"apiVersion\": \"2020-03-01\",\n                    \"location\": \"[[parameters('location')]\",\n                    \"properties\": {\n                      \"privateDnsZoneConfigs\": [\n                        {\n                          \"name\": \"keyvault-privateDnsZone\",\n                          \"properties\": {\n                            \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n                          }\n                        }\n                      ]\n                    }\n                  }\n                ]\n              },\n              \"parameters\": {\n                \"privateDnsZoneId\": {\n                  \"value\": \"[[parameters('privateDnsZoneId')]\"\n                },\n                \"privateEndpointName\": {\n                  \"value\": \"[[field('name')]\"\n                },\n                \"location\": {\n                  \"value\": \"[[field('location')]\"\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n",
     "$fxv#14": "{\n  \"name\": \"Deny-PostgreSql-http\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"PostgreSQL database servers enforce SSL connection.\",\n    \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\n    \"metadata\": {\n      \"version\": \"1.0.1\",\n      \"category\": \"SQL\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Deny\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"minimalTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"TLS1_2\",\n        \"allowedValues\": [\n          \"TLS1_2\",\n          \"TLS1_0\",\n          \"TLS1_1\",\n          \"TLSEnforcementDisabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Select version minimum TLS for PostgreSQL server\",\n          \"description\": \"Select version  minimum TLS version Azure Database for PostgreSQL server to enforce\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.DBforPostgreSQL/servers\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\n                \"exists\": \"false\"\n              },\n              {\n                \"field\": \"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\n                \"notEquals\": \"Enabled\"\n              },\n              {\n                \"field\": \"Microsoft.DBforPostgreSQL/servers/minimalTlsVersion\",\n                \"notequals\": \"[[parameters('minimalTlsVersion')]\"\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#140": "{\n  \"name\": \"Enforce-EncryptTransit\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n    \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. \",\n    \"metadata\": {\n      \"version\": \"2.0.0\",\n      \"category\": \"Encryption\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"AppServiceHttpEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Append\",\n        \"allowedValues\": [\n          \"Append\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n          \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n        }\n      },\n      \"AppServiceTlsVersionEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Append\",\n        \"allowedValues\": [\n          \"Append\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n          \"description\": \"App Service. Appends the AppService sites object to ensure that  HTTPS only is enabled for  server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n        }\n      },\n      \"AppServiceminTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"1.2\",\n        \"allowedValues\": [\n          \"1.2\",\n          \"1.0\",\n          \"1.1\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n          \"description\": \"App Service. Select version  minimum TLS version for a  Web App config to enforce\"\n        }\n      },\n      \"APIAppServiceHttpsEffect\": {\n        \"metadata\": {\n          \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n          \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ]\n      },\n      \"FunctionLatestTlsEffect\": {\n        \"metadata\": {\n          \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n          \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ]\n      },\n      \"FunctionServiceHttpsEffect\": {\n        \"metadata\": {\n          \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n          \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ]\n      },\n      \"WebAppServiceLatestTlsEffect\": {\n        \"metadata\": {\n          \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n          \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ]\n      },\n      \"WebAppServiceHttpsEffect\": {\n        \"metadata\": {\n          \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n          \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ]\n      },\n      \"AKSIngressHttpsOnlyEffect\": {\n        \"metadata\": {\n          \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n          \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"deny\",\n        \"allowedValues\": [\n          \"audit\",\n          \"deny\",\n          \"disabled\"\n        ]\n      },\n      \"MySQLEnableSSLDeployEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n          \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n        }\n      },\n      \"MySQLEnableSSLEffect\": {\n        \"metadata\": {\n          \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n          \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ]\n      },\n      \"MySQLminimalTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"TLS1_2\",\n        \"allowedValues\": [\n          \"TLS1_2\",\n          \"TLS1_0\",\n          \"TLS1_1\",\n          \"TLSEnforcementDisabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n          \"description\": \"Select version  minimum TLS version Azure Database for MySQL server to enforce\"\n        }\n      },\n      \"PostgreSQLEnableSSLDeployEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n          \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n        }\n      },\n      \"PostgreSQLEnableSSLEffect\": {\n        \"metadata\": {\n          \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n          \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ]\n      },\n      \"PostgreSQLminimalTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"TLS1_2\",\n        \"allowedValues\": [\n          \"TLS1_2\",\n          \"TLS1_0\",\n          \"TLS1_1\",\n          \"TLSEnforcementDisabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n          \"description\": \"PostgreSQL database servers. Select version  minimum TLS version Azure Database for MySQL server to enforce\"\n        }\n      },\n      \"RedisTLSDeployEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Append\",\n        \"allowedValues\": [\n          \"Append\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n          \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce  minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n        }\n      },\n      \"RedisMinTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"1.2\",\n        \"allowedValues\": [\n          \"1.2\",\n          \"1.0\",\n          \"1.1\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n          \"description\": \"Select version  minimum TLS version for a Azure Cache for Redis to enforce\"\n        }\n      },\n      \"RedisTLSEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n          \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      },\n      \"SQLManagedInstanceTLSDeployEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n          \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce  minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n        }\n      },\n      \"SQLManagedInstanceMinTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"1.2\",\n        \"allowedValues\": [\n          \"1.2\",\n          \"1.0\",\n          \"1.1\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n          \"description\": \"Select version  minimum TLS version for Azure Managed Instanceto to  enforce\"\n        }\n      },\n      \"SQLManagedInstanceTLSEffect\": {\n        \"metadata\": {\n          \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n          \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ]\n      },\n      \"SQLServerTLSDeployEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n          \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce  minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n        }\n      },\n      \"SQLServerminTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"1.2\",\n        \"allowedValues\": [\n          \"1.2\",\n          \"1.0\",\n          \"1.1\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n          \"description\": \"Select version  minimum TLS version for Azure SQL Database to enforce\"\n        }\n      },\n      \"SQLServerTLSEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n          \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ]\n      },\n      \"StorageDeployHttpsEnabledEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n          \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ]\n      },\n      \"StorageminimumTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"TLS1_2\",\n        \"allowedValues\": [\n          \"TLS1_2\",\n          \"TLS1_1\",\n          \"TLS1_0\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Storage Account select minimum TLS version\",\n          \"description\": \"Select version  minimum TLS version on Azure Storage Account to enforce\"\n        }\n      },\n      \"StorageHttpsEnabledEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Azure Storage Account. Secure transfer to storage accounts should be enabled\",\n          \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n          },\n          \"minTlsVersion\": {\n            \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n          },\n          \"minimumTlsVersion\": {\n            \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('RedisTLSEffect')]\"\n          },\n          \"minimumTlsVersion\": {\n            \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageHttpsEnabledEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StorageHttpsEnabledEffect')]\"\n          },\n          \"minimumTlsVersion\": {\n            \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n          },\n          \"minimumTlsVersion\": {\n            \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
-    "$fxv#141": "{\n    \"name\": \"Enforce-Guardrails-KeyVault\",\n    \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n        \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n        \"metadata\": {\n            \"version\": \"1.0.0\",\n            \"category\": \"Key Vault\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\",\n                \"AzureChinaCloud\",\n                \"AzureUSGovernment\"\n            ]\n        },\n        \"parameters\": {\n            \"effectKvSoftDelete\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Deny\"\n            },\n            \"effectKvPurgeProtection\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Deny\"\n            },\n            \"effectKvSecretsExpire\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"effectKvKeysExpire\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"effectKvFirewallEnabled\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"effectKvCertLifetime\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"audit\",\n                    \"Audit\",\n                    \"deny\",\n                    \"Deny\",\n                    \"disabled\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"maximumCertLifePercentageLife\": {\n                \"type\": \"Integer\",\n                \"metadata\": {\n                    \"displayName\": \"The maximum lifetime percentage\",\n                    \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n                },\n                \"defaultValue\": 80\n            },\n            \"minimumCertLifeDaysBeforeExpiry\": {\n                \"type\": \"Integer\",\n                \"metadata\": {\n                    \"displayName\": \"The minimum days before expiry\",\n                    \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n                },\n                \"defaultValue\": 90\n            },\n            \"effectKvKeysLifetime\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"minimumKeysLifeDaysBeforeExpiry\": {\n                \"type\": \"Integer\",\n                \"metadata\": {\n                    \"displayName\": \"The minimum days before expiry\",\n                    \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n                },\n                \"defaultValue\": 90\n            },\n            \"effectKvSecretsLifetime\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"minimumSecretsLifeDaysBeforeExpiry\": {\n                \"type\": \"Integer\",\n                \"metadata\": {\n                    \"displayName\": \"The minimum days before expiry\",\n                    \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n                },\n                \"defaultValue\": 90\n            }\n        },\n        \"policyDefinitions\": [\n            {\n                \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvSoftDelete')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvKeysExpire')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvCertLifetime')]\"\n                    },\n                    \"maximumPercentageLife\": {\n                        \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n                    },\n                    \"minimumDaysBeforeExpiry\": {\n                        \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n                    },\n                    \"minimumDaysBeforeExpiration\": {\n                        \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n                    },\n                    \"minimumDaysBeforeExpiration\": {\n                        \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n                    }\n                },\n                \"groupNames\": []\n            }\n        ],\n        \"policyDefinitionGroups\": null\n    }\n}",
-    "$fxv#142": "{\n    \"name\": \"Enforce-ALZ-Decomm\",\n    \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n      \"policyType\": \"Custom\",\n      \"displayName\": \"Enforce policies in the Decommissioned Landing Zone\",\n      \"description\": \"Enforce policies in the Decommissioned Landing Zone.\",\n      \"metadata\": {\n        \"version\": \"1.0.0\",\n        \"category\": \"Decommissioned\",\n        \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n        \"alzCloudEnvironments\": [ \n          \"AzureCloud\",\n          \"AzureChinaCloud\",\n          \"AzureUSGovernment\"\n        ]\n      },\n      \"parameters\": {\n        \"listOfResourceTypesAllowed\":{\n          \"type\": \"Array\",\n          \"defaultValue\": [],\n          \"metadata\": {\n            \"displayName\": \"Allowed resource types in the Decommissioned landing zone\",\n            \"description\": \"Allowed resource types in the Decommissioned landing zone, default is none.\",\n            \"strongType\": \"resourceTypes\"\n          }\n        }\n      },\n      \"policyDefinitions\": [\n        {\n          \"policyDefinitionReferenceId\": \"DecomDenyResources\",\n          \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c\",\n          \"parameters\": {\n            \"listOfResourceTypesAllowed\": {\n              \"value\": \"[[parameters('listOfResourceTypesAllowed')]\"\n            }\n          },\n          \"groupNames\": []\n        },\n        {\n            \"policyDefinitionReferenceId\": \"DecomShutdownMachines\",\n            \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown\",\n            \"parameters\": {},\n            \"groupNames\": []\n          }\n      ],\n      \"policyDefinitionGroups\": null\n    }\n  }\n  ",
-    "$fxv#143": "{\n    \"name\": \"Enforce-ALZ-Sandbox\",\n    \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"displayName\": \"Enforce policies in the Sandbox Landing Zone\",\n        \"description\": \"Enforce policies in the Sandbox Landing Zone.\",\n        \"metadata\": {\n            \"version\": \"1.0.0\",\n            \"category\": \"Sandbox\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\",\n                \"AzureChinaCloud\",\n                \"AzureUSGovernment\"\n            ]\n        },\n        \"parameters\": {\n            \"listOfResourceTypesNotAllowed\": {\n                \"type\": \"Array\",\n                \"defaultValue\": [],\n                \"metadata\": {\n                    \"displayName\": \"Not allowed resource types in the Sandbox landing zone\",\n                    \"description\": \"Not allowed resource types in the Sandbox landing zone, default is none.\",\n                    \"strongType\": \"resourceTypes\"\n                }\n            },\n            \"effectNotAllowedResources\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Deny\"\n            },\n            \"effectDenyVnetPeering\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Deny\"\n            }\n        },\n        \"policyDefinitions\": [\n            {\n                \"policyDefinitionReferenceId\": \"SandboxNotAllowed\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectNotAllowedResources')]\"\n                      },\n                    \"listOfResourceTypesNotAllowed\": {\n                        \"value\": \"[[parameters('listOfResourceTypesNotAllowed')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"SandboxDenyVnetPeering\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectDenyVnetPeering')]\"\n                      }\n                },\n                \"groupNames\": []\n            }\n        ],\n        \"policyDefinitionGroups\": null\n    }\n}",
-    "$fxv#144": "{\n    \"name\": \"DenyAction-DeleteProtection\",\n    \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"displayName\": \"DenyAction Delete - Activity Log Settings and Diagnostic Settings\",\n        \"description\": \"Enforces DenyAction - Delete on Activity Log Settings and Diagnostic Settings.\",\n        \"metadata\": {\n            \"version\": \"1.0.0\",\n            \"category\": \"Monitoring\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\",\n                \"AzureChinaCloud\",\n                \"AzureUSGovernment\"\n            ]\n        },\n        \"parameters\": {},\n        \"policyDefinitions\": [\n            {\n                \"policyDefinitionReferenceId\": \"DenyActionDelete-DiagnosticSettings\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs\",\n                \"parameters\": {},\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"DenyActionDelete-ActivityLogSettings\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs\",\n                \"parameters\": {},\n                \"groupNames\": []\n            }\n        ],\n        \"policyDefinitionGroups\": null\n    }\n}",
-    "$fxv#145": "{\n  \"name\": \"Deny-PublicPaaSEndpoints\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Public network access should be disabled for PaaS services\",\n    \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n    \"metadata\": {\n      \"version\": \"3.1.0\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"CosmosPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for CosmosDB\",\n          \"description\": \"This policy denies that  Cosmos database accounts  are created with out public network access is disabled.\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"KeyVaultPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for KeyVault\",\n          \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"SqlServerPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n          \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"StoragePublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access onStorage accounts should be disabled\",\n          \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AKSPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on AKS API should be disabled\",\n          \"description\": \"This policy denies  the creation of  Azure Kubernetes Service non-private clusters\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"ACRPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure Container Registry disabled\",\n          \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AFSPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure File Sync disabled\",\n          \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"PostgreSQLFlexPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for PostgreSql Flexible Server\",\n          \"description\": \"This policy denies creation of Postgre SQL Flexible DB accounts with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"MySQLFlexPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for MySQL Flexible Server\",\n          \"description\": \"This policy denies creation of MySql Flexible Server DB accounts with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"BatchPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n          \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"MariaDbPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n          \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"MlPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure Machine Learning\",\n          \"description\": \"This policy denies creation of Azure Machine Learning with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"RedisCachePublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure Cache for Redis\",\n          \"description\": \"This policy denies creation of Azure Cache for Redis with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"BotServicePublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Bot Service\",\n          \"description\": \"This policy denies creation of Bot Service with exposed public endpoints. Bots should be seet to 'isolated only' mode\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AutomationPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Automation accounts\",\n          \"description\": \"This policy denies creation of Automation accounts with exposed public endpoints. Bots should be seet to 'isolated only' mode\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AppConfigPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for App Configuration\",\n          \"description\": \"This policy denies creation of App Configuration with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"FunctionPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Function apps\",\n          \"description\": \"This policy denies creation of Function apps with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AsePublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for App Service Environment apps\",\n          \"description\": \"This policy denies creation of App Service Environment apps with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AsPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for App Service apps\",\n          \"description\": \"This policy denies creation of App Service apps with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"ApiManPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for API Management services\",\n          \"description\": \"This policy denies creation of API Management services with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"AuditIfNotExists\"\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/405c5871-3e91-4644-8a63-58e19d68ff5b\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b2982f36-99f2-4db5-8eff-283140c09693\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLFlexDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLFlexPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLFlexDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLFlexPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MlDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/438c38d2-3772-465a-a9cc-7a6666a275ce\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MlPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RedisCacheDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/470baccb-7e51-4549-8b1a-3e5be069f663\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('RedisCachePublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BotServiceDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e8168db-69e3-4beb-9822-57cb59202a9d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('BotServicePublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AutomationDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/955a914f-bf86-4f0e-acd5-e0766b0efcb6\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AutomationPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppConfigDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3d9f5e4c-9947-4579-9539-2a7695fbc187\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AppConfigPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FunctionDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/969ac98b-88a8-449f-883c-2e9adb123127\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('FunctionPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AseDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d048aca-6479-4923-88f5-e2ac295d9af3\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AsePublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AsDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b5ef780-c53c-4a64-87f3-bb9c8c8094ba\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AsPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ApiManDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/df73bd95-24da-4a4f-96b9-4e8b94b402bd\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ApiManPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
-    "$fxv#146": "{\n  \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n    \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n    \"metadata\": {\n      \"version\": \"2.2.0\",\n      \"category\": \"Monitoring\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"logAnalytics\": {\n        \"metadata\": {\n          \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"displayName\": \"Log Analytics workspace\",\n          \"strongType\": \"omsWorkspace\"\n        },\n        \"type\": \"String\"\n      },\n      \"profileName\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"setbypolicy\",\n        \"metadata\": {\n          \"displayName\": \"Profile name\",\n          \"description\": \"The diagnostic settings profile name\"\n        }\n      },\n      \"ACILogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n        }\n      },\n      \"ACRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics  enabled.\"\n        }\n      },\n      \"AKSLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n        }\n      },\n      \"AnalysisServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"APIforFHIRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"APIMgmtLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"APIMgmtLogAnalyticsDestinationType\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AzureDiagnostics\",\n        \"allowedValues\": [\n          \"AzureDiagnostics\",\n          \"Dedicated\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Destination table for the Diagnostic Setting for API Management to Log Analytics workspace\",\n          \"description\": \"Destination table for the diagnostic setting for API Management to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'\"\n        }\n      },\n      \"ApplicationGatewayLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"AutomationLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"BastionLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"BatchLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CDNEndpointsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CognitiveServicesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CosmosLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DatabricksLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataExplorerClusterLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataFactoryLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataLakeStoreLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataLakeAnalyticsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventGridSubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventGridTopicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventHubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventSystemTopicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ExpressRouteLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FirewallLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FirewallLogAnalyticsDestinationType\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AzureDiagnostics\",\n        \"allowedValues\": [\n          \"AzureDiagnostics\",\n          \"Dedicated\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Destination table for the Diagnostic Setting for Firewall to Log Analytics workspace\",\n          \"description\": \"Destination table for the diagnostic setting for Firewall to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'\"\n        }\n      },\n      \"FrontDoorLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FunctionAppLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"HDInsightLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"IotHubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"KeyVaultLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LoadBalancerLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LogAnalyticsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Log Analytics to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category Audit enabled\"\n        }\n      },\n      \"LogicAppsISELogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LogicAppsWFLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MariaDBLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MediaServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MlWorkspaceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MySQLLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkNICLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"PostgreSQLLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"PowerBIEmbeddedLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkPublicIPNicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"RedisCacheLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"RelayLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SearchServicesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ServiceBusLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces  to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SignalRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLDBsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Databases  to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLElasticPoolsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLMLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"StreamAnalyticsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"TimeSeriesInsightsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"TrafficManagerLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VirtualNetworkLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VirtualMachinesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VMSSLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets  to stream to a Log Analytics workspace when any Virtual Machine Scale Sets  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VNetGWLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n        }\n      },\n      \"AppServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"AppServiceWebappLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"AVDScalingPlansLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDAppGroupsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDWorkspaceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDHostPoolsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"StorageAccountsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VWanS2SVPNGWLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59759c62-9a22-4cdf-ae64-074495983fef\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageAccountBlobServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageAccountFileServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a70cc8-2bd4-47f1-90b6-1478e4662c96\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageAccountQueueServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7bd000e3-37c7-4928-9f31-86c4b77c5c45\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageAccountTableServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2fb86bf3-d221-43d1-96d1-2434af34eaa0\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AVDScalingPlansLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n          },\n          \"diagnosticsSettingNameToUse\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"logAnalyticsDestinationType\": {\n            \"value\": \"[[parameters('APIMgmtLogAnalyticsDestinationType')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"logAnalyticsDestinationType\": {\n            \"value\": \"[[parameters('FirewallLogAnalyticsDestinationType')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LogAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogAnalytics\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LogAnalyticsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          },\n          \"metricsEnabled\": {\n            \"value\": \"True\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n          },\n          \"diagnosticsSettingNameToUse\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
-    "$fxv#147": "{\n    \"name\": \"Deploy-MDFC-Config\",\n    \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n        \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n        \"metadata\": {\n            \"version\": \"6.0.1\",\n            \"category\": \"Security Center\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\"\n            ]\n        },\n        \"parameters\": {\n            \"emailSecurityContact\": {\n                \"type\": \"string\",\n                \"metadata\": {\n                    \"displayName\": \"Security contacts email address\",\n                    \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n                }\n            },\n            \"minimalSeverity\": {\n                \"type\": \"string\",\n                \"allowedValues\": [\n                    \"High\",\n                    \"Medium\",\n                    \"Low\"\n                ],\n                \"defaultValue\": \"High\",\n                \"metadata\": {\n                    \"displayName\": \"Minimal severity\",\n                    \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n                }\n            },\n            \"logAnalytics\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Primary Log Analytics workspace\",\n                    \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n                    \"strongType\": \"omsWorkspace\"\n                }\n            },\n            \"ascExportResourceGroupName\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n                    \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n                }\n            },\n            \"ascExportResourceGroupLocation\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n                    \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n                }\n            },\n            \"enableAscForCosmosDbs\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForSql\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForSqlOnVm\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForDns\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForArm\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForOssDb\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForAppServices\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForKeyVault\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForStorage\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForContainers\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForServers\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForServersVulnerabilityAssessments\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"vulnerabilityAssessmentProvider\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"default\",\n                    \"mdeTvm\"\n                ],\n                \"defaultValue\": \"default\",\n                \"metadata\": {\n                    \"displayName\": \"Vulnerability assessment provider type\",\n                    \"description\": \"Select the vulnerability assessment solution to provision to machines.\"\n                }\n            },\n            \"enableAscForApis\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForCspm\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            }\n        },\n        \"policyDefinitions\": [\n            {\n                \"policyDefinitionReferenceId\": \"defenderForOssDb\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForOssDb')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForVM\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForServers')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForVMVulnerabilityAssessment\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForServersVulnerabilityAssessments')]\"\n                    },\n                    \"vaType\": {\n                        \"value\": \"[[parameters('vulnerabilityAssessmentProvider')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForSqlServerVirtualMachines\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForSqlOnVm')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForAppServices\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForAppServices')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForStorageAccountsV2\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForStorage')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderforContainers\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForContainers')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderforKubernetes\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForContainers')]\"\n                    },\n                    \"logAnalyticsWorkspaceResourceId\": {\n                        \"value\": \"[[parameters('logAnalytics')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"azurePolicyForKubernetes\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForContainers')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForKeyVaults\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForKeyVault')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForDns\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForDns')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForArm\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForArm')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForSql')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForCosmosDbs\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForCosmosDbs')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForApis\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e54d2be9-5f2e-4d65-98e4-4f0e670b23d6\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForApis')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForCspm\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForCspm')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"securityEmailContact\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n                \"parameters\": {\n                    \"emailSecurityContact\": {\n                        \"value\": \"[[parameters('emailSecurityContact')]\"\n                    },\n                    \"minimalSeverity\": {\n                        \"value\": \"[[parameters('minimalSeverity')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"ascExport\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n                \"parameters\": {\n                    \"resourceGroupName\": {\n                        \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n                    },\n                    \"resourceGroupLocation\": {\n                        \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n                    },\n                    \"workspaceResourceId\": {\n                        \"value\": \"[[parameters('logAnalytics')]\"\n                    }\n                },\n                \"groupNames\": []\n            }\n        ],\n        \"policyDefinitionGroups\": null\n    }\n}",
-    "$fxv#148": "{\n  \"name\": \"Deploy-Private-DNS-Zones\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n    \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n    \"metadata\": {\n      \"version\": \"2.1.1\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"azureFilePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureFilePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAutomationWebhookPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAutomationWebhookPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAutomationDSCHybridPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAutomationDSCHybridPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCosmosSQLPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCosmosSQLPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCosmosMongoPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCosmosMongoPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCosmosCassandraPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCosmosCassandraPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCosmosGremlinPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCosmosGremlinPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCosmosTablePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCosmosTablePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureDataFactoryPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureDataFactoryPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureDataFactoryPortalPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureDataFactoryPortalPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureDatabricksPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureDatabricksPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureHDInsightPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureHDInsightPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMigratePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMigratePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageBlobPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageBlobPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageBlobSecPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageBlobSecPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageQueuePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageQueuePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageQueueSecPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageQueueSecPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageFilePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageFilePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageStaticWebPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageStaticWebPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageStaticWebSecPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageStaticWebSecPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageDFSPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageDFSPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageDFSSecPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageDFSSecPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureSynapseSQLPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureSynapseSQLPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureSynapseSQLODPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureSynapseSQLODPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureSynapseDevPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureSynapseDevPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMediaServicesKeyPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMediaServicesKeyPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMediaServicesLivePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMediaServicesLivePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMediaServicesStreamPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMediaServicesStreamPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMonitorPrivateDnsZoneId1\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMonitorPrivateDnsZoneId1\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMonitorPrivateDnsZoneId2\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMonitorPrivateDnsZoneId2\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMonitorPrivateDnsZoneId3\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMonitorPrivateDnsZoneId3\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMonitorPrivateDnsZoneId4\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMonitorPrivateDnsZoneId4\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMonitorPrivateDnsZoneId5\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMonitorPrivateDnsZoneId5\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureWebPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureWebPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureBatchPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureBatchPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAppPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAppPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAsrPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAsrPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureIotPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureIotPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureKeyVaultPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureSignalRPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAppServicesPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventGridTopicsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureDiskAccessPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCognitiveServicesPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureIotHubsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventGridDomainsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureRedisCachePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAcrPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAcrPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventHubNamespacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureServiceBusNamespacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCognitiveSearchPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      },\n      \"effect1\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"deployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"deployIfNotExists\"\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-Webhook\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAutomationWebhookPrivateDnsZoneId')]\"\n          },\n          \"privateEndpointGroupId\": {\n            \"value\": \"Webhook\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-DSCHybrid\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAutomationDSCHybridPrivateDnsZoneId')]\"\n          },\n          \"privateEndpointGroupId\": {\n            \"value\": \"DSCAndHybridWorker\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-SQL\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCosmosSQLPrivateDnsZoneId')]\"\n          },\n          \"privateEndpointGroupId\": {\n            \"value\": \"SQL\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-MongoDB\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCosmosMongoPrivateDnsZoneId')]\"\n          },\n          \"privateEndpointGroupId\": {\n            \"value\": \"MongoDB\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Cassandra\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCosmosCassandraPrivateDnsZoneId')]\"\n          },\n          \"privateEndpointGroupId\": {\n            \"value\": \"Cassandra\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Gremlin\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCosmosGremlinPrivateDnsZoneId')]\"\n          },\n          \"privateEndpointGroupId\": {\n            \"value\": \"Gremlin\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Table\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCosmosTablePrivateDnsZoneId')]\"\n          },\n          \"privateEndpointGroupId\": {\n            \"value\": \"Table\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureDataFactoryPrivateDnsZoneId')]\"\n          },\n          \"listOfGroupIds\": {\n            \"value\": [\n              \"dataFactory\"\n            ]\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory-Portal\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureDataFactoryPortalPrivateDnsZoneId')]\"\n          },\n          \"listOfGroupIds\": {\n            \"value\": [\n              \"portal\"\n            ]\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databrics-UI-Api\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureDatabricksPrivateDnsZoneId')]\"\n          },\n          \"groupId\": {\n            \"value\": \"databricks_ui_api\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databrics-Browser-AuthN\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureDatabricksPrivateDnsZoneId')]\"\n          },\n          \"groupId\": {\n            \"value\": \"browser_authentication\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-HDInsight\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureHDInsightPrivateDnsZoneId')]\"\n          },\n          \"groupId\": {\n            \"value\": \"cluster\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Migrate\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7590a335-57cf-4c95-babd-ecbc8fafeb1f\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureMigratePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageBlobPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob-Sec\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageBlobSecPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageQueuePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue-Sec\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageQueueSecPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-File\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageFilePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageStaticWebPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb-Sec\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageStaticWebSecPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageDFSPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS-Sec\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageDFSSecPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureSynapseSQLPrivateDnsZoneId')]\"\n          },\n          \"targetSubResource\": {\n            \"value\": \"Sql\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL-OnDemand\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureSynapseSQLODPrivateDnsZoneId')]\"\n          },\n          \"targetSubResource\": {\n            \"value\": \"SqlOnDemand\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-Dev\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureSynapseDevPrivateDnsZoneId')]\"\n          },\n          \"targetSubResource\": {\n            \"value\": \"Dev\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Key\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureMediaServicesKeyPrivateDnsZoneId')]\"\n          },\n          \"groupId\": {\n            \"value\": \"keydelivery\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Live\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureMediaServicesLivePrivateDnsZoneId')]\"\n          },\n          \"groupId\": {\n            \"value\": \"liveevent\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Stream\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureMediaServicesStreamPrivateDnsZoneId')]\"\n          },\n          \"groupId\": {\n            \"value\": \"streamingendpoint\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Monitor\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365\",\n        \"parameters\": {\n          \"privateDnsZoneId1\": {\n            \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId1')]\"\n          },\n          \"privateDnsZoneId2\": {\n            \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId2')]\"\n          },\n          \"privateDnsZoneId3\": {\n            \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId3')]\"\n          },\n          \"privateDnsZoneId4\": {\n            \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId4')]\"\n          },\n          \"privateDnsZoneId5\": {\n            \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId5')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Web\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureWebPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}",
-    "$fxv#149": "{\n  \"name\": \"Enforce-Encryption-CMK\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n    \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n    \"metadata\": {\n      \"version\": \"2.0.0\",\n      \"category\": \"Encryption\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"ACRCmkEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      },\n      \"AksCmkEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n          \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      },\n      \"WorkspaceCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n          \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n        }\n      },\n      \"CognitiveServicesCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n          \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n        }\n      },\n      \"CosmosCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"audit\",\n        \"allowedValues\": [\n          \"audit\",\n          \"deny\",\n          \"disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n        }\n      },\n      \"DataBoxCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n          \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n        }\n      },\n      \"StreamAnalyticsCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"audit\",\n        \"allowedValues\": [\n          \"audit\",\n          \"deny\",\n          \"disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n          \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n        }\n      },\n      \"SynapseWorkspaceCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n        }\n      },\n      \"StorageCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n          \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n        }\n      },\n      \"MySQLCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n        }\n      },\n      \"PostgreSQLCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n        }\n      },\n      \"SqlServerTDECMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n        }\n      },\n      \"HealthcareAPIsCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"audit\",\n        \"allowedValues\": [\n          \"audit\",\n          \"disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure API for FHIR should use a customer-managed key (CMK) to encrypt data at rest\",\n          \"description\": \"Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys.\"\n        }\n      },\n      \"AzureBatchCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n          \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n        }\n      },\n      \"EncryptedVMDisksEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Disk encryption should be applied on virtual machines\",\n          \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ACRCmkEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AksCmkEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StorageCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"HealthcareAPIsCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('HealthcareAPIsCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
+    "$fxv#140": "{\n  \"name\": \"Deploy-Private-DNS-Azure-Web\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Configure Azure Web PubSub Service to use private DNS zones\",\n    \"description\": \"Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Web PubSub service. Learn more at: https://aka.ms/awps/privatelink.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Web PubSub\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"privateDnsZoneId\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Private DNS Zone Id\",\n          \"description\": \"Private DNS zone to integrate with private endpoint.\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Network/privateEndpoints\"\n          },\n          {\n            \"count\": {\n              \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n              \"where\": {\n                \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n                \"equals\": \"webpubsub\"\n              }\n            },\n            \"greaterOrEquals\": 1\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n          \"roleDefinitionIds\": [\n            \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n          ],\n          \"deployment\": {\n            \"properties\": {\n              \"mode\": \"incremental\",\n              \"template\": {\n                \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"privateDnsZoneId\": {\n                    \"type\": \"string\"\n                  },\n                  \"privateEndpointName\": {\n                    \"type\": \"string\"\n                  },\n                  \"location\": {\n                    \"type\": \"string\"\n                  }\n                },\n                \"resources\": [\n                  {\n                    \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n                    \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n                    \"apiVersion\": \"2020-03-01\",\n                    \"location\": \"[[parameters('location')]\",\n                    \"properties\": {\n                      \"privateDnsZoneConfigs\": [\n                        {\n                          \"name\": \"privatelink-webpubsub-azure-com\",\n                          \"properties\": {\n                            \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n                          }\n                        }\n                      ]\n                    }\n                  }\n                ]\n              },\n              \"parameters\": {\n                \"privateDnsZoneId\": {\n                  \"value\": \"[[parameters('privateDnsZoneId')]\"\n                },\n                \"privateEndpointName\": {\n                  \"value\": \"[[field('name')]\"\n                },\n                \"location\": {\n                  \"value\": \"[[field('location')]\"\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n",
+    "$fxv#141": "{\n  \"name\": \"Deny-AA-child-resources\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"No child resources in Automation Account\",\n    \"description\": \"This policy denies the creation of child resources on the Automation Account\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Automation\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"in\": [\n              \"Microsoft.Automation/automationAccounts/runbooks\",\n              \"Microsoft.Automation/automationAccounts/variables\",\n              \"Microsoft.Automation/automationAccounts/modules\",\n              \"Microsoft.Automation/automationAccounts/credentials\",\n              \"Microsoft.Automation/automationAccounts/connections\",\n              \"Microsoft.Automation/automationAccounts/certificates\"\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
+    "$fxv#142": "{\n  \"name\": \"Deploy-Budget\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"All\",\n    \"displayName\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n    \"description\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n    \"metadata\": {\n      \"version\": \"1.1.0\",\n      \"category\": \"Budget\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"budgetName\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"budget-set-by-policy\",\n        \"metadata\": {\n          \"description\": \"The name for the budget to be created\"\n        }\n      },\n      \"amount\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"1000\",\n        \"metadata\": {\n          \"description\": \"The total amount of cost or usage to track with the budget\"\n        }\n      },\n      \"timeGrain\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Monthly\",\n        \"allowedValues\": [\n          \"Monthly\",\n          \"Quarterly\",\n          \"Annually\",\n          \"BillingMonth\",\n          \"BillingQuarter\",\n          \"BillingAnnual\"\n        ],\n        \"metadata\": {\n          \"description\": \"The time covered by a budget. Tracking of the amount will be reset based on the time grain.\"\n        }\n      },\n      \"firstThreshold\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"90\",\n        \"metadata\": {\n          \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n        }\n      },\n      \"secondThreshold\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"100\",\n        \"metadata\": {\n          \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n        }\n      },\n      \"contactRoles\": {\n        \"type\": \"Array\",\n        \"defaultValue\": [\n          \"Owner\",\n          \"Contributor\"\n        ],\n        \"metadata\": {\n          \"description\": \"The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded.\"\n        }\n      },\n      \"contactEmails\": {\n        \"type\": \"Array\",\n        \"defaultValue\": [],\n        \"metadata\": {\n          \"description\": \"The list of email addresses, in an array, to send the budget notification to when the threshold is exceeded.\"\n        }\n      },\n      \"contactGroups\": {\n        \"type\": \"Array\",\n        \"defaultValue\": [],\n        \"metadata\": {\n          \"description\": \"The list of action groups, in an array, to send the budget notification to when the threshold is exceeded. It accepts array of strings.\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Resources/subscriptions\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Consumption/budgets\",\n          \"deploymentScope\": \"subscription\",\n          \"existenceScope\": \"subscription\",\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Consumption/budgets/amount\",\n                \"equals\": \"[[parameters('amount')]\"\n              },\n              {\n                \"field\": \"Microsoft.Consumption/budgets/timeGrain\",\n                \"equals\": \"[[parameters('timeGrain')]\"\n              },\n              {\n                \"field\": \"Microsoft.Consumption/budgets/category\",\n                \"equals\": \"Cost\"\n              }\n            ]\n          },\n          \"roleDefinitionIds\": [\n            \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n          ],\n          \"deployment\": {\n            \"location\": \"northeurope\",\n            \"properties\": {\n              \"mode\": \"Incremental\",\n              \"parameters\": {\n                \"budgetName\": {\n                  \"value\": \"[[parameters('budgetName')]\"\n                },\n                \"amount\": {\n                  \"value\": \"[[parameters('amount')]\"\n                },\n                \"timeGrain\": {\n                  \"value\": \"[[parameters('timeGrain')]\"\n                },\n                \"firstThreshold\": {\n                  \"value\": \"[[parameters('firstThreshold')]\"\n                },\n                \"secondThreshold\": {\n                  \"value\": \"[[parameters('secondThreshold')]\"\n                },\n                \"contactEmails\": {\n                  \"value\": \"[[parameters('contactEmails')]\"\n                },\n                \"contactRoles\": {\n                  \"value\": \"[[parameters('contactRoles')]\"\n                },\n                \"contactGroups\": {\n                  \"value\": \"[[parameters('contactGroups')]\"\n                }\n              },\n              \"template\": {\n                \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"budgetName\": {\n                    \"type\": \"String\"\n                  },\n                  \"amount\": {\n                    \"type\": \"String\"\n                  },\n                  \"timeGrain\": {\n                    \"type\": \"String\"\n                  },\n                  \"firstThreshold\": {\n                    \"type\": \"String\"\n                  },\n                  \"secondThreshold\": {\n                    \"type\": \"String\"\n                  },\n                  \"contactEmails\": {\n                    \"type\": \"Array\"\n                  },\n                  \"contactRoles\": {\n                    \"type\": \"Array\"\n                  },\n                  \"contactGroups\": {\n                    \"type\": \"Array\"\n                  },\n                  \"startDate\": {\n                    \"type\": \"String\",\n                    \"defaultValue\": \"[[concat(utcNow('MM'), '/01/', utcNow('yyyy'))]\"\n                  }\n                },\n                \"resources\": [\n                  {\n                    \"type\": \"Microsoft.Consumption/budgets\",\n                    \"apiVersion\": \"2019-10-01\",\n                    \"name\": \"[[parameters('budgetName')]\",\n                    \"properties\": {\n                      \"timePeriod\": {\n                        \"startDate\": \"[[parameters('startDate')]\"\n                      },\n                      \"timeGrain\": \"[[parameters('timeGrain')]\",\n                      \"amount\": \"[[parameters('amount')]\",\n                      \"category\": \"Cost\",\n                      \"notifications\": {\n                        \"NotificationForExceededBudget1\": {\n                          \"enabled\": true,\n                          \"operator\": \"GreaterThan\",\n                          \"threshold\": \"[[parameters('firstThreshold')]\",\n                          \"contactEmails\": \"[[parameters('contactEmails')]\",\n                          \"contactRoles\": \"[[parameters('contactRoles')]\",\n                          \"contactGroups\": \"[[parameters('contactGroups')]\"\n                        },\n                        \"NotificationForExceededBudget2\": {\n                          \"enabled\": true,\n                          \"operator\": \"GreaterThan\",\n                          \"threshold\": \"[[parameters('secondThreshold')]\",\n                          \"contactEmails\": \"[[parameters('contactEmails')]\",\n                          \"contactRoles\": \"[[parameters('contactRoles')]\",\n                          \"contactGroups\": \"[[parameters('contactGroups')]\"\n                        }\n                      }\n                    }\n                  }\n                ]\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n",
+    "$fxv#143": "{\n  \"name\": \"Deploy-Default-Udr\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deploy a user-defined route to a VNET with specific routes.\",\n    \"description\": \"Deploy a user-defined route to a VNET with routes from spoke to hub firewall. This policy must be assigned for each region you plan to use.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"defaultRoute\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Default route to add into UDR\",\n          \"description\": \"Policy will deploy a default route table to a vnet\"\n        }\n      },\n      \"vnetRegion\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"VNet Region\",\n          \"description\": \"Regional VNet hub location\",\n          \"strongType\": \"location\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Network/virtualNetworks\"\n          },\n          {\n            \"field\": \"location\",\n            \"equals\": \"[[parameters('vnetRegion')]\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Network/routeTables\",\n          \"roleDefinitionIds\": [\n            \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n          ],\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Network/routeTables/routes[*].nextHopIpAddress\",\n                \"equals\": \"[[parameters('defaultRoute')]\"\n              }\n            ]\n          },\n          \"deployment\": {\n            \"properties\": {\n              \"mode\": \"incremental\",\n              \"parameters\": {\n                \"udrName\": {\n                  \"value\": \"[[concat(field('name'),'-udr')]\"\n                },\n                \"udrLocation\": {\n                  \"value\": \"[[field('location')]\"\n                },\n                \"defaultRoute\": {\n                  \"value\": \"[[parameters('defaultRoute')]\"\n                }\n              },\n              \"template\": {\n                \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"udrName\": {\n                    \"type\": \"string\"\n                  },\n                  \"udrLocation\": {\n                    \"type\": \"string\"\n                  },\n                  \"defaultRoute\": {\n                    \"type\": \"string\"\n                  }\n                },\n                \"variables\": {},\n                \"resources\": [\n                  {\n                    \"type\": \"Microsoft.Network/routeTables\",\n                    \"name\": \"[[parameters('udrName')]\",\n                    \"apiVersion\": \"2020-08-01\",\n                    \"location\": \"[[parameters('udrLocation')]\",\n                    \"properties\": {\n                      \"routes\": [\n                        {\n                          \"name\": \"AzureFirewallRoute\",\n                          \"properties\": {\n                            \"addressPrefix\": \"0.0.0.0/0\",\n                            \"nextHopType\": \"VirtualAppliance\",\n                            \"nextHopIpAddress\": \"[[parameters('defaultRoute')]\"\n                          }\n                        }\n                      ]\n                    }\n                  }\n                ],\n                \"outputs\": {}\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n",
+    "$fxv#144": "{\n    \"name\": \"Audit-UnusedResourcesCostOptimization\",\n    \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"displayName\": \"Unused resources driving cost should be avoided\",\n        \"description\": \"Optimize cost by detecting unused but chargeable resources. Leverage this Azure Policy Initiative as a cost control tool to reveal orphaned resources that are contributing cost.\",\n        \"metadata\": {\n            \"version\": \"2.0.0\",\n            \"category\": \"Cost Optimization\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\",\n                \"AzureChinaCloud\",\n                \"AzureUSGovernment\"\n              ]\n        },\n        \"parameters\": {\n            \"effectDisks\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Disks Effect\",\n                    \"description\": \"Enable or disable the execution of the policy for Microsoft.Compute/disks\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"effectPublicIpAddresses\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"PublicIpAddresses Effect\",\n                    \"description\": \"Enable or disable the execution of the policy for Microsoft.Network/publicIpAddresses\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"effectServerFarms\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"ServerFarms Effect\",\n                    \"description\": \"Enable or disable the execution of the policy for Microsoft.Web/serverfarms\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            }\n        },\n        \"policyDefinitions\": [\n            {\n                \"policyDefinitionReferenceId\": \"AuditDisksUnusedResourcesCostOptimization\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-Disks-UnusedResourcesCostOptimization\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectDisks')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"AuditPublicIpAddressesUnusedResourcesCostOptimization\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-PublicIpAddresses-UnusedResourcesCostOptimization\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectPublicIpAddresses')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"AuditServerFarmsUnusedResourcesCostOptimization\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-ServerFarms-UnusedResourcesCostOptimization\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectServerFarms')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"AuditAzureHybridBenefitUnusedResourcesCostOptimization\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-AzureHybridBenefit\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"Audit\"\n                    }\n                },\n                \"groupNames\": []\n            }\n        ],\n        \"policyDefinitionGroups\": null\n    }\n}",
+    "$fxv#145": "{\n  \"name\": \"Deploy-Sql-Security\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deploy SQL Database built-in SQL security configuration\",\n    \"description\": \"Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"SQL\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"vulnerabilityAssessmentsEmail\": {\n        \"metadata\": {\n          \"description\": \"The email address to send alerts\",\n          \"displayName\": \"The email address to send alerts\"\n        },\n        \"type\": \"String\"\n      },\n      \"vulnerabilityAssessmentsStorageID\": {\n        \"metadata\": {\n          \"description\": \"The storage account ID to store assessments\",\n          \"displayName\": \"The storage account ID to store assessments\"\n        },\n        \"type\": \"String\"\n      },\n      \"SqlDbTdeDeploySqlSecurityEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy SQL Database Transparent Data Encryption \",\n          \"description\": \"Deploy the Transparent Data Encryption when it is not enabled in the deployment\"\n        }\n      },\n      \"SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy SQL Database security Alert Policies configuration with email admin accounts\",\n          \"description\": \"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration\"\n        }\n      },\n      \"SqlDbAuditingSettingsDeploySqlSecurityEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy SQL database auditing settings\",\n          \"description\": \"Deploy auditing settings to SQL Database when it not exist in the deployment\"\n        }\n      },\n      \"SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy SQL Database vulnerability Assessments\",\n          \"description\": \"Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific  storage account in the parameters\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"SqlDbTdeDeploySqlSecurity\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlDbTdeDeploySqlSecurityEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlDbSecurityAlertPoliciesDeploySqlSecurity\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlDbAuditingSettingsDeploySqlSecurity\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlDbVulnerabilityAssessmentsDeploySqlSecurity\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]\"\n          },\n          \"vulnerabilityAssessmentsEmail\": {\n            \"value\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n          },\n          \"vulnerabilityAssessmentsStorageID\": {\n            \"value\": \"[[parameters('vulnerabilityAssessmentsStorageID')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
+    "$fxv#146": "{\n  \"name\": \"Enforce-EncryptTransit\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n    \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. \",\n    \"metadata\": {\n      \"version\": \"2.1.0\",\n      \"category\": \"Encryption\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"AppServiceHttpEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Append\",\n        \"allowedValues\": [\n          \"Append\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n          \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n        }\n      },\n      \"AppServiceTlsVersionEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Append\",\n        \"allowedValues\": [\n          \"Append\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n          \"description\": \"App Service. Appends the AppService sites object to ensure that  HTTPS only is enabled for  server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n        }\n      },\n      \"AppServiceminTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"1.2\",\n        \"allowedValues\": [\n          \"1.2\",\n          \"1.0\",\n          \"1.1\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n          \"description\": \"App Service. Select version  minimum TLS version for a  Web App config to enforce\"\n        }\n      },\n      \"APIAppServiceHttpsEffect\": {\n        \"metadata\": {\n          \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n          \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ]\n      },\n      \"FunctionLatestTlsEffect\": {\n        \"metadata\": {\n          \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n          \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ]\n      },\n      \"FunctionServiceHttpsEffect\": {\n        \"metadata\": {\n          \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n          \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ]\n      },\n      \"WebAppServiceLatestTlsEffect\": {\n        \"metadata\": {\n          \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n          \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ]\n      },\n      \"WebAppServiceHttpsEffect\": {\n        \"metadata\": {\n          \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n          \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ]\n      },\n      \"AKSIngressHttpsOnlyEffect\": {\n        \"metadata\": {\n          \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n          \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"deny\",\n        \"allowedValues\": [\n          \"audit\",\n          \"deny\",\n          \"disabled\"\n        ]\n      },\n      \"MySQLEnableSSLDeployEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n          \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n        }\n      },\n      \"MySQLEnableSSLEffect\": {\n        \"metadata\": {\n          \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n          \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ]\n      },\n      \"MySQLminimalTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"TLS1_2\",\n        \"allowedValues\": [\n          \"TLS1_2\",\n          \"TLS1_0\",\n          \"TLS1_1\",\n          \"TLSEnforcementDisabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n          \"description\": \"Select version  minimum TLS version Azure Database for MySQL server to enforce\"\n        }\n      },\n      \"PostgreSQLEnableSSLDeployEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n          \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n        }\n      },\n      \"PostgreSQLEnableSSLEffect\": {\n        \"metadata\": {\n          \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n          \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ]\n      },\n      \"PostgreSQLminimalTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"TLS1_2\",\n        \"allowedValues\": [\n          \"TLS1_2\",\n          \"TLS1_0\",\n          \"TLS1_1\",\n          \"TLSEnforcementDisabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n          \"description\": \"PostgreSQL database servers. Select version  minimum TLS version Azure Database for MySQL server to enforce\"\n        }\n      },\n      \"RedisTLSDeployEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Append\",\n        \"allowedValues\": [\n          \"Append\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n          \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce  minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n        }\n      },\n      \"RedisMinTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"1.2\",\n        \"allowedValues\": [\n          \"1.2\",\n          \"1.0\",\n          \"1.1\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n          \"description\": \"Select version  minimum TLS version for a Azure Cache for Redis to enforce\"\n        }\n      },\n      \"RedisTLSEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n          \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      },\n      \"SQLManagedInstanceTLSDeployEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n          \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce  minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n        }\n      },\n      \"SQLManagedInstanceMinTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"1.2\",\n        \"allowedValues\": [\n          \"1.2\",\n          \"1.0\",\n          \"1.1\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n          \"description\": \"Select version  minimum TLS version for Azure Managed Instanceto to  enforce\"\n        }\n      },\n      \"SQLManagedInstanceTLSEffect\": {\n        \"metadata\": {\n          \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n          \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ]\n      },\n      \"SQLServerTLSDeployEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n          \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce  minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n        }\n      },\n      \"SQLServerminTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"1.2\",\n        \"allowedValues\": [\n          \"1.2\",\n          \"1.0\",\n          \"1.1\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n          \"description\": \"Select version  minimum TLS version for Azure SQL Database to enforce\"\n        }\n      },\n      \"SQLServerTLSEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n          \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ]\n      },\n      \"StorageDeployHttpsEnabledEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n          \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ]\n      },\n      \"StorageminimumTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"TLS1_2\",\n        \"allowedValues\": [\n          \"TLS1_2\",\n          \"TLS1_1\",\n          \"TLS1_0\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Storage Account select minimum TLS version\",\n          \"description\": \"Select version  minimum TLS version on Azure Storage Account to enforce\"\n        }\n      },\n      \"StorageHttpsEnabledEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Azure Storage Account. Secure transfer to storage accounts should be enabled\",\n          \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      },\n      \"ContainerAppsHttpsOnlyEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n          \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Deny\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n          },\n          \"minTlsVersion\": {\n            \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n          },\n          \"minimumTlsVersion\": {\n            \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('RedisTLSEffect')]\"\n          },\n          \"minimumTlsVersion\": {\n            \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageHttpsEnabledEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StorageHttpsEnabledEffect')]\"\n          },\n          \"minimumTlsVersion\": {\n            \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n          },\n          \"minimumTlsVersion\": {\n            \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}",
+    "$fxv#147": "{\n    \"name\": \"Enforce-Guardrails-KeyVault\",\n    \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n        \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n        \"metadata\": {\n            \"version\": \"1.0.0\",\n            \"category\": \"Key Vault\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\",\n                \"AzureChinaCloud\",\n                \"AzureUSGovernment\"\n            ]\n        },\n        \"parameters\": {\n            \"effectKvSoftDelete\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Deny\"\n            },\n            \"effectKvPurgeProtection\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Deny\"\n            },\n            \"effectKvSecretsExpire\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"effectKvKeysExpire\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"effectKvFirewallEnabled\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"effectKvCertLifetime\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"audit\",\n                    \"Audit\",\n                    \"deny\",\n                    \"Deny\",\n                    \"disabled\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"maximumCertLifePercentageLife\": {\n                \"type\": \"Integer\",\n                \"metadata\": {\n                    \"displayName\": \"The maximum lifetime percentage\",\n                    \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n                },\n                \"defaultValue\": 80\n            },\n            \"minimumCertLifeDaysBeforeExpiry\": {\n                \"type\": \"Integer\",\n                \"metadata\": {\n                    \"displayName\": \"The minimum days before expiry\",\n                    \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n                },\n                \"defaultValue\": 90\n            },\n            \"effectKvKeysLifetime\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"minimumKeysLifeDaysBeforeExpiry\": {\n                \"type\": \"Integer\",\n                \"metadata\": {\n                    \"displayName\": \"The minimum days before expiry\",\n                    \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n                },\n                \"defaultValue\": 90\n            },\n            \"effectKvSecretsLifetime\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"minimumSecretsLifeDaysBeforeExpiry\": {\n                \"type\": \"Integer\",\n                \"metadata\": {\n                    \"displayName\": \"The minimum days before expiry\",\n                    \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n                },\n                \"defaultValue\": 90\n            }\n        },\n        \"policyDefinitions\": [\n            {\n                \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvSoftDelete')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvKeysExpire')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvCertLifetime')]\"\n                    },\n                    \"maximumPercentageLife\": {\n                        \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n                    },\n                    \"minimumDaysBeforeExpiry\": {\n                        \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n                    },\n                    \"minimumDaysBeforeExpiration\": {\n                        \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n                    },\n                    \"minimumDaysBeforeExpiration\": {\n                        \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n                    }\n                },\n                \"groupNames\": []\n            }\n        ],\n        \"policyDefinitionGroups\": null\n    }\n}",
+    "$fxv#148": "{\n    \"name\": \"Enforce-ALZ-Decomm\",\n    \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n      \"policyType\": \"Custom\",\n      \"displayName\": \"Enforce policies in the Decommissioned Landing Zone\",\n      \"description\": \"Enforce policies in the Decommissioned Landing Zone.\",\n      \"metadata\": {\n        \"version\": \"1.0.0\",\n        \"category\": \"Decommissioned\",\n        \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n        \"alzCloudEnvironments\": [ \n          \"AzureCloud\",\n          \"AzureChinaCloud\",\n          \"AzureUSGovernment\"\n        ]\n      },\n      \"parameters\": {\n        \"listOfResourceTypesAllowed\":{\n          \"type\": \"Array\",\n          \"defaultValue\": [],\n          \"metadata\": {\n            \"displayName\": \"Allowed resource types in the Decommissioned landing zone\",\n            \"description\": \"Allowed resource types in the Decommissioned landing zone, default is none.\",\n            \"strongType\": \"resourceTypes\"\n          }\n        }\n      },\n      \"policyDefinitions\": [\n        {\n          \"policyDefinitionReferenceId\": \"DecomDenyResources\",\n          \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c\",\n          \"parameters\": {\n            \"listOfResourceTypesAllowed\": {\n              \"value\": \"[[parameters('listOfResourceTypesAllowed')]\"\n            }\n          },\n          \"groupNames\": []\n        },\n        {\n            \"policyDefinitionReferenceId\": \"DecomShutdownMachines\",\n            \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown\",\n            \"parameters\": {},\n            \"groupNames\": []\n          }\n      ],\n      \"policyDefinitionGroups\": null\n    }\n  }\n  ",
+    "$fxv#149": "{\n    \"name\": \"Enforce-ALZ-Sandbox\",\n    \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"displayName\": \"Enforce policies in the Sandbox Landing Zone\",\n        \"description\": \"Enforce policies in the Sandbox Landing Zone.\",\n        \"metadata\": {\n            \"version\": \"1.0.0\",\n            \"category\": \"Sandbox\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\",\n                \"AzureChinaCloud\",\n                \"AzureUSGovernment\"\n            ]\n        },\n        \"parameters\": {\n            \"listOfResourceTypesNotAllowed\": {\n                \"type\": \"Array\",\n                \"defaultValue\": [],\n                \"metadata\": {\n                    \"displayName\": \"Not allowed resource types in the Sandbox landing zone\",\n                    \"description\": \"Not allowed resource types in the Sandbox landing zone, default is none.\",\n                    \"strongType\": \"resourceTypes\"\n                }\n            },\n            \"effectNotAllowedResources\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Deny\"\n            },\n            \"effectDenyVnetPeering\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Deny\"\n            }\n        },\n        \"policyDefinitions\": [\n            {\n                \"policyDefinitionReferenceId\": \"SandboxNotAllowed\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectNotAllowedResources')]\"\n                      },\n                    \"listOfResourceTypesNotAllowed\": {\n                        \"value\": \"[[parameters('listOfResourceTypesNotAllowed')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"SandboxDenyVnetPeering\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectDenyVnetPeering')]\"\n                      }\n                },\n                \"groupNames\": []\n            }\n        ],\n        \"policyDefinitionGroups\": null\n    }\n}",
     "$fxv#15": "{\n  \"name\": \"Deny-Private-DNS-Zones\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deny the creation of private DNS\",\n    \"description\": \"This policy denies the creation of a private DNS in the current scope, used in combination with policies that create centralized private DNS in connectivity subscription\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"field\": \"type\",\n        \"equals\": \"Microsoft.Network/privateDnsZones\"\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#150": "{\n    \"name\": \"Enforce-ACSB\",\n    \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"displayName\": \"Enforce Azure Compute Security Benchmark compliance auditing\",\n        \"description\": \"Enforce Azure Compute Security Benchmark compliance auditing for Windows and Linux virtual machines.\",\n        \"metadata\": {\n            \"version\": \"1.0.0\",\n            \"category\": \"Guest Configuration\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\"\n            ]\n        },\n        \"parameters\": {\n            \"includeArcMachines\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"true\",\n                    \"false\"\n                ],\n                \"metadata\": {\n                    \"displayName\": \"Include Arc connected servers\",\n                    \"description\": \"By selecting this option, you agree to be charged monthly per Arc connected machine.\"\n                },\n                \"defaultValue\": \"true\"\n            },\n            \"effect\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"AuditIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"AuditIfNotExists\"\n            }\n        },\n        \"policyDefinitions\": [\n            {\n                \"policyDefinitionReferenceId\": \"GcIdentity\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e\",\n                \"parameters\": {},\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"GcLinux\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da\",\n                \"parameters\": {},\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"GcWindows\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6\",\n                \"parameters\": {},\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"WinAcsb\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effect')]\"\n                    },\n                    \"IncludeArcMachines\": {\n                        \"value\": \"[[parameters('includeArcMachines')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"LinAcsb\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effect')]\"\n                    },\n                    \"IncludeArcMachines\": {\n                        \"value\": \"[[parameters('includeArcMachines')]\"\n                    }\n                },\n                \"groupNames\": []\n            }\n        ],\n        \"policyDefinitionGroups\": null\n    }\n}\n",
-    "$fxv#151": "{\n  \"name\": \"Deny-PublicPaaSEndpoints\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Public network access should be disabled for PaaS services\",\n    \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n    \"metadata\": {\n      \"version\": \"1.1.0\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"CosmosPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for CosmosDB\",\n          \"description\": \"This policy denies that  Cosmos database accounts  are created with out public network access is disabled.\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"KeyVaultPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for KeyVault\",\n          \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"SqlServerPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n          \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"StoragePublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access onStorage accounts should be disabled\",\n          \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AKSPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on AKS API should be disabled\",\n          \"description\": \"This policy denies  the creation of  Azure Kubernetes Service non-private clusters\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"ACRPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure Container Registry disabled\",\n          \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AFSPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure File Sync disabled\",\n          \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"BatchPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n          \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"MariaDbPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n          \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-KeyVaultPaasPublicIP\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AFSPaasPublicIP\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
-    "$fxv#152": "{\n  \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n    \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n    \"metadata\": {\n      \"version\": \"1.1.0\",\n      \"category\": \"Monitoring\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"logAnalytics\": {\n        \"metadata\": {\n          \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"displayName\": \"Log Analytics workspace\",\n          \"strongType\": \"omsWorkspace\"\n        },\n        \"type\": \"String\"\n      },\n      \"profileName\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"setbypolicy\",\n        \"metadata\": {\n          \"displayName\": \"Profile name\",\n          \"description\": \"The diagnostic settings profile name\"\n        }\n      },\n      \"ACILogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n        }\n      },\n      \"ACRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics  enabled.\"\n        }\n      },\n      \"AKSLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n        }\n      },\n      \"AnalysisServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"APIforFHIRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"APIMgmtLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ApplicationGatewayLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"AutomationLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"BastionLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"BatchLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CDNEndpointsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CognitiveServicesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CosmosLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DatabricksLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataExplorerClusterLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataFactoryLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataLakeStoreLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataLakeAnalyticsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventGridSubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventGridTopicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventHubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventSystemTopicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ExpressRouteLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FirewallLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FrontDoorLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FunctionAppLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"HDInsightLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"IotHubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"KeyVaultLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LoadBalancerLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LogicAppsISELogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LogicAppsWFLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MariaDBLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MediaServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MlWorkspaceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MySQLLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkNICLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"PostgreSQLLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"PowerBIEmbeddedLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkPublicIPNicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"RedisCacheLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"RelayLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SearchServicesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ServiceBusLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces  to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SignalRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLDBsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Databases  to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLElasticPoolsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLMLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"StreamAnalyticsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"TimeSeriesInsightsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"TrafficManagerLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VirtualNetworkLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VirtualMachinesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VMSSLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets  to stream to a Log Analytics workspace when any Virtual Machine Scale Sets  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VNetGWLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n        }\n      },\n      \"AppServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"AppServiceWebappLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDAppGroupsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDWorkspaceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDHostPoolsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"StorageAccountsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VWanS2SVPNGWLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n          },\n          \"diagnosticsSettingNameToUse\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          },\n          \"metricsEnabled\": {\n            \"value\": \"True\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n          },\n          \"diagnosticsSettingNameToUse\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}",
-    "$fxv#153": "{\n  \"name\": \"Deploy-MDFC-Config\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n    \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n    \"metadata\": {\n      \"version\": \"3.0.1\",\n      \"category\": \"Security Center\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"emailSecurityContact\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Security contacts email address\",\n          \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n        }\n      },\n      \"minimalSeverity\": {\n        \"type\": \"string\",\n        \"allowedValues\": [\n          \"High\",\n          \"Medium\",\n          \"Low\"\n        ],\n        \"defaultValue\": \"High\",\n        \"metadata\": {\n          \"displayName\": \"Minimal severity\",\n          \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n        }\n      },\n      \"logAnalytics\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Primary Log Analytics workspace\",\n          \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"strongType\": \"omsWorkspace\"\n        }\n      },\n      \"ascExportResourceGroupName\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n          \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n        }\n      },\n      \"ascExportResourceGroupLocation\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n          \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n        }\n      },\n      \"enableAscForSql\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"enableAscForServers\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"enableAscForContainers\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"defenderForVM\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForServers')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForSql')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForContainers\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForContainers')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"securityEmailContact\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n        \"parameters\": {\n          \"emailSecurityContact\": {\n            \"value\": \"[[parameters('emailSecurityContact')]\"\n          },\n          \"minimalSeverity\":{\n            \"value\":\"[[parameters('minimalSeverity')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ascExport\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n        \"parameters\": {\n          \"resourceGroupName\": {\n            \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n          },\n          \"resourceGroupLocation\": {\n            \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n          },\n          \"workspaceResourceId\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
-    "$fxv#154": "{\n  \"name\": \"Deploy-Private-DNS-Zones\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n    \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n    \"metadata\": {\n      \"version\": \"1.0.1\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"azureFilePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureFilePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureWebPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureWebPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureBatchPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureBatchPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAppPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAppPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAsrPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAsrPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureIotPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureIotPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureKeyVaultPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureSignalRPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAppServicesPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventGridTopicsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureDiskAccessPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCognitiveServicesPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureIotHubsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventGridDomainsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureRedisCachePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAcrPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAcrPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventHubNamespacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureServiceBusNamespacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCognitiveSearchPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      },\n      \"effect1\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"deployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"deployIfNotExists\"\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-File-Sync\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-File-Sync\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-Web\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-Web\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureWebPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-KeyVault\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-KeyVault\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
-    "$fxv#155": "{\n  \"name\": \"Enforce-Encryption-CMK\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n    \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n    \"metadata\": {\n      \"version\": \"2.0.0\",\n      \"category\": \"Encryption\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"ACRCmkEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      },\n      \"AksCmkEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n          \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      },\n      \"WorkspaceCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n          \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n        }\n      },\n      \"CognitiveServicesCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n          \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n        }\n      },\n      \"CosmosCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"audit\",\n        \"allowedValues\": [\n          \"audit\",\n          \"deny\",\n          \"disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n        }\n      },\n      \"DataBoxCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n          \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n        }\n      },\n      \"StreamAnalyticsCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"audit\",\n        \"allowedValues\": [\n          \"audit\",\n          \"deny\",\n          \"disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n          \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n        }\n      },\n      \"SynapseWorkspaceCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n        }\n      },\n      \"StorageCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n          \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n        }\n      },\n      \"MySQLCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n        }\n      },\n      \"PostgreSQLCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n        }\n      },\n      \"SqlServerTDECMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n\t        \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n        }\n      },\n      \"AzureBatchCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n          \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n        }\n      },\n      \"EncryptedVMDisksEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Disk encryption should be applied on virtual machines\",\n          \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ACRCmkEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AksCmkEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StorageCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQLCMKEffect\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQLCMKEffect\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
-    "$fxv#156": "{\n  \"name\": \"Deny-PublicPaaSEndpoints\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Public network access should be disabled for PaaS services\",\n    \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"CosmosPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for CosmosDB\",\n          \"description\": \"This policy denies that  Cosmos database accounts  are created with out public network access is disabled.\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"KeyVaultPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for KeyVault\",\n          \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"SqlServerPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n          \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"StoragePublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access onStorage accounts should be disabled\",\n          \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AKSPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on AKS API should be disabled\",\n          \"description\": \"This policy denies  the creation of  Azure Kubernetes Service non-private clusters\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"ACRPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure Container Registry disabled\",\n          \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AFSPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure File Sync disabled\",\n          \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"BatchPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n          \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"MariaDbPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n          \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
-    "$fxv#157": "{\n  \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n    \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n    \"metadata\": {\n      \"version\": \"1.1.0\",\n      \"category\": \"Monitoring\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"logAnalytics\": {\n        \"metadata\": {\n          \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"displayName\": \"Log Analytics workspace\",\n          \"strongType\": \"omsWorkspace\"\n        },\n        \"type\": \"String\"\n      },\n      \"profileName\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"setbypolicy\",\n        \"metadata\": {\n          \"displayName\": \"Profile name\",\n          \"description\": \"The diagnostic settings profile name\"\n        }\n      },\n      \"ACILogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n        }\n      },\n      \"ACRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics  enabled.\"\n        }\n      },\n      \"AKSLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n        }\n      },\n      \"AnalysisServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"APIforFHIRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"APIMgmtLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ApplicationGatewayLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"AutomationLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"BastionLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"BatchLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CDNEndpointsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CognitiveServicesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CosmosLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DatabricksLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataExplorerClusterLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataFactoryLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataLakeStoreLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataLakeAnalyticsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventGridSubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventGridTopicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventHubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventSystemTopicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ExpressRouteLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FirewallLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FrontDoorLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FunctionAppLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"HDInsightLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"IotHubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"KeyVaultLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LoadBalancerLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LogicAppsISELogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LogicAppsWFLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MariaDBLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MediaServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MlWorkspaceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MySQLLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkNICLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"PostgreSQLLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"PowerBIEmbeddedLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkPublicIPNicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"RedisCacheLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"RelayLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SearchServicesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ServiceBusLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces  to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SignalRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLDBsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Databases  to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLElasticPoolsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLMLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"StreamAnalyticsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"TimeSeriesInsightsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"TrafficManagerLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VirtualNetworkLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VirtualMachinesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VMSSLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets  to stream to a Log Analytics workspace when any Virtual Machine Scale Sets  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VNetGWLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n        }\n      },\n      \"AppServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"AppServiceWebappLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDAppGroupsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDWorkspaceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDHostPoolsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"StorageAccountsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VWanS2SVPNGWLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n          },\n          \"diagnosticsSettingNameToUse\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          },\n          \"metricsEnabled\": {\n            \"value\": \"True\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n          },\n          \"diagnosticsSettingNameToUse\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}",
-    "$fxv#158": "{\n  \"name\": \"Deploy-MDFC-Config\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n    \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n    \"metadata\": {\n      \"version\": \"3.0.1\",\n      \"category\": \"Security Center\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"emailSecurityContact\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Security contacts email address\",\n          \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n        }\n      },\n      \"minimalSeverity\": {\n        \"type\": \"string\",\n        \"allowedValues\": [\n          \"High\",\n          \"Medium\",\n          \"Low\"\n        ],\n        \"defaultValue\": \"High\",\n        \"metadata\": {\n          \"displayName\": \"Minimal severity\",\n          \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n        }\n      },\n      \"logAnalytics\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Primary Log Analytics workspace\",\n          \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"strongType\": \"omsWorkspace\"\n        }\n      },\n      \"ascExportResourceGroupName\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n          \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n        }\n      },\n      \"ascExportResourceGroupLocation\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n          \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n        }\n      },\n      \"enableAscForSql\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"enableAscForDns\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"enableAscForArm\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"enableAscForContainers\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"enableAscForStorage\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"enableAscForServers\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"defenderForVM\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForServers')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForStorageAccounts\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForStorage')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForContainers\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForContainers')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForDns\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForDns')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForArm\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForArm')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForSql')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"securityEmailContact\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n        \"parameters\": {\n          \"emailSecurityContact\": {\n            \"value\": \"[[parameters('emailSecurityContact')]\"\n          },\n          \"minimalSeverity\":{\n            \"value\":\"[[parameters('minimalSeverity')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ascExport\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n        \"parameters\": {\n          \"resourceGroupName\": {\n            \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n          },\n          \"resourceGroupLocation\": {\n            \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n          },\n          \"workspaceResourceId\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
-    "$fxv#159": "{\n  \"name\": \"Deploy-Private-DNS-Zones\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n    \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n    \"metadata\": {\n      \"version\": \"1.0.1\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"azureFilePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureFilePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureBatchPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureBatchPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAppPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAppPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAsrPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAsrPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureIotPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureIotPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureKeyVaultPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureSignalRPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAppServicesPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventGridTopicsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureDiskAccessPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCognitiveServicesPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureIotHubsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventGridDomainsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureRedisCachePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAcrPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAcrPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventHubNamespacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureServiceBusNamespacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCognitiveSearchPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      },\n      \"effect1\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"deployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"deployIfNotExists\"\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}",
+    "$fxv#150": "{\n    \"name\": \"DenyAction-DeleteProtection\",\n    \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"displayName\": \"DenyAction Delete - Activity Log Settings and Diagnostic Settings\",\n        \"description\": \"Enforces DenyAction - Delete on Activity Log Settings and Diagnostic Settings.\",\n        \"metadata\": {\n            \"version\": \"1.0.0\",\n            \"category\": \"Monitoring\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\",\n                \"AzureChinaCloud\",\n                \"AzureUSGovernment\"\n            ]\n        },\n        \"parameters\": {},\n        \"policyDefinitions\": [\n            {\n                \"policyDefinitionReferenceId\": \"DenyActionDelete-DiagnosticSettings\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs\",\n                \"parameters\": {},\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"DenyActionDelete-ActivityLogSettings\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs\",\n                \"parameters\": {},\n                \"groupNames\": []\n            }\n        ],\n        \"policyDefinitionGroups\": null\n    }\n}",
+    "$fxv#151": "{\n    \"name\": \"Deploy-AUM-CheckUpdates\",\n    \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"displayName\": \"Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines\",\n        \"description\": \"Configure auto-assessment (every 24 hours) for OS updates. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.\",\n        \"metadata\": {\n            \"version\": \"1.0.0\",\n            \"category\": \"Security Center\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\"\n            ]\n        },\n        \"parameters\": {\n            \"assessmentMode\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Assessment mode\",\n                    \"description\": \"Assessment mode for the machines.\"\n                },\n                \"allowedValues\": [\n                    \"ImageDefault\",\n                    \"AutomaticByPlatform\"\n                ],\n                \"defaultValue\": \"AutomaticByPlatform\"\n            },\n            \"locations\": {\n                \"type\": \"Array\",\n                \"metadata\": {\n                    \"displayName\": \"Machines locations\",\n                    \"description\": \"The list of locations from which machines need to be targeted.\",\n                    \"strongType\": \"location\"\n                },\n                \"defaultValue\": []\n            },\n            \"tagValues\": {\n                \"type\": \"Object\",\n                \"metadata\": {\n                    \"displayName\": \"Tags on machines\",\n                    \"description\": \"The list of tags that need to matched for getting target machines.\"\n                },\n                \"defaultValue\": {}\n            },\n            \"tagOperator\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Tag operator\",\n                    \"description\": \"Matching condition for resource tags\"\n                },\n                \"allowedValues\": [\n                    \"All\",\n                    \"Any\"\n                ],\n                \"defaultValue\": \"Any\"\n            }\n        },\n        \"policyDefinitions\": [\n            {\n                \"policyDefinitionReferenceId\": \"azureUpdateManagerVmCheckUpdateWindows\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15\",\n                \"parameters\": {\n                    \"assessmentMode\": {\n                        \"value\": \"[[parameters('assessmentMode')]\"\n                    },\n                    \"osType\": {\n                        \"value\": \"Windows\"\n                    },\n                    \"locations\": {\n                        \"value\": \"[[parameters('locations')]\"\n                    },\n                    \"tagValues\": {\n                        \"value\": \"[[parameters('tagValues')]\"\n                    },\n                    \"tagOperator\": {\n                        \"value\": \"[[parameters('tagOperator')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"azureUpdateManagerVmCheckUpdateLinux\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15\",\n                \"parameters\": {\n                    \"assessmentMode\": {\n                        \"value\": \"[[parameters('assessmentMode')]\"\n                    },\n                    \"osType\": {\n                        \"value\": \"Linux\"\n                    },\n                    \"locations\": {\n                        \"value\": \"[[parameters('locations')]\"\n                    },\n                    \"tagValues\": {\n                        \"value\": \"[[parameters('tagValues')]\"\n                    },\n                    \"tagOperator\": {\n                        \"value\": \"[[parameters('tagOperator')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"azureUpdateManagerVmArcCheckUpdateWindows\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46\",\n                \"parameters\": {\n                    \"assessmentMode\": {\n                        \"value\": \"[[parameters('assessmentMode')]\"\n                    },\n                    \"osType\": {\n                        \"value\": \"Windows\"\n                    },\n                    \"locations\": {\n                        \"value\": \"[[parameters('locations')]\"\n                    },\n                    \"tagValues\": {\n                        \"value\": \"[[parameters('tagValues')]\"\n                    },\n                    \"tagOperator\": {\n                        \"value\": \"[[parameters('tagOperator')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"azureUpdateManagerVmArcCheckUpdateLinux\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46\",\n                \"parameters\": {\n                    \"assessmentMode\": {\n                        \"value\": \"[[parameters('assessmentMode')]\"\n                    },\n                    \"osType\": {\n                        \"value\": \"Linux\"\n                    },\n                    \"locations\": {\n                        \"value\": \"[[parameters('locations')]\"\n                    },\n                    \"tagValues\": {\n                        \"value\": \"[[parameters('tagValues')]\"\n                    },\n                    \"tagOperator\": {\n                        \"value\": \"[[parameters('tagOperator')]\"\n                    }\n                },\n                \"groupNames\": []\n            }\n        ],\n        \"policyDefinitionGroups\": null\n    }\n}",
+    "$fxv#152": "{\n  \"name\": \"Deny-PublicPaaSEndpoints\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Public network access should be disabled for PaaS services\",\n    \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n    \"metadata\": {\n      \"version\": \"3.2.0\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"CosmosPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for CosmosDB\",\n          \"description\": \"This policy denies that  Cosmos database accounts  are created with out public network access is disabled.\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"KeyVaultPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for KeyVault\",\n          \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"SqlServerPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n          \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"StoragePublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access onStorage accounts should be disabled\",\n          \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AKSPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on AKS API should be disabled\",\n          \"description\": \"This policy denies  the creation of  Azure Kubernetes Service non-private clusters\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"ACRPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure Container Registry disabled\",\n          \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AFSPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure File Sync disabled\",\n          \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"PostgreSQLFlexPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for PostgreSql Flexible Server\",\n          \"description\": \"This policy denies creation of Postgre SQL Flexible DB accounts with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"MySQLFlexPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for MySQL Flexible Server\",\n          \"description\": \"This policy denies creation of MySql Flexible Server DB accounts with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"BatchPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n          \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"MariaDbPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n          \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"MlPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure Machine Learning\",\n          \"description\": \"This policy denies creation of Azure Machine Learning with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"RedisCachePublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure Cache for Redis\",\n          \"description\": \"This policy denies creation of Azure Cache for Redis with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"BotServicePublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Bot Service\",\n          \"description\": \"This policy denies creation of Bot Service with exposed public endpoints. Bots should be seet to 'isolated only' mode\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AutomationPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Automation accounts\",\n          \"description\": \"This policy denies creation of Automation accounts with exposed public endpoints. Bots should be seet to 'isolated only' mode\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AppConfigPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for App Configuration\",\n          \"description\": \"This policy denies creation of App Configuration with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"FunctionPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Function apps\",\n          \"description\": \"This policy denies creation of Function apps with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AsePublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for App Service Environment apps\",\n          \"description\": \"This policy denies creation of App Service Environment apps with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AsPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for App Service apps\",\n          \"description\": \"This policy denies creation of App Service apps with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"ApiManPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for API Management services\",\n          \"description\": \"This policy denies creation of API Management services with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"AuditIfNotExists\"\n      },\n      \"ContainerAppsEnvironmentDenyEffect\" : {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Container Apps environment should disable public network access\",\n          \"description\": \"This policy denies creation of Container Apps Environment with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/405c5871-3e91-4644-8a63-58e19d68ff5b\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b2982f36-99f2-4db5-8eff-283140c09693\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLFlexDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLFlexPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLFlexDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLFlexPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MlDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/438c38d2-3772-465a-a9cc-7a6666a275ce\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MlPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RedisCacheDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/470baccb-7e51-4549-8b1a-3e5be069f663\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('RedisCachePublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BotServiceDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e8168db-69e3-4beb-9822-57cb59202a9d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('BotServicePublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AutomationDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/955a914f-bf86-4f0e-acd5-e0766b0efcb6\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AutomationPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppConfigDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3d9f5e4c-9947-4579-9539-2a7695fbc187\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AppConfigPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FunctionDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/969ac98b-88a8-449f-883c-2e9adb123127\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('FunctionPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AseDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d048aca-6479-4923-88f5-e2ac295d9af3\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AsePublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AsDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b5ef780-c53c-4a64-87f3-bb9c8c8094ba\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AsPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ApiManDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/df73bd95-24da-4a4f-96b9-4e8b94b402bd\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ApiManPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ContainerAppsEnvironmentDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d074ddf8-01a5-4b5e-a2b8-964aed452c0a\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ContainerAppsEnvironmentDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}",
+    "$fxv#153": "{\n  \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n    \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n    \"metadata\": {\n      \"version\": \"2.2.0\",\n      \"category\": \"Monitoring\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"logAnalytics\": {\n        \"metadata\": {\n          \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"displayName\": \"Log Analytics workspace\",\n          \"strongType\": \"omsWorkspace\"\n        },\n        \"type\": \"String\"\n      },\n      \"profileName\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"setbypolicy\",\n        \"metadata\": {\n          \"displayName\": \"Profile name\",\n          \"description\": \"The diagnostic settings profile name\"\n        }\n      },\n      \"ACILogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n        }\n      },\n      \"ACRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics  enabled.\"\n        }\n      },\n      \"AKSLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n        }\n      },\n      \"AnalysisServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"APIforFHIRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"APIMgmtLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"APIMgmtLogAnalyticsDestinationType\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AzureDiagnostics\",\n        \"allowedValues\": [\n          \"AzureDiagnostics\",\n          \"Dedicated\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Destination table for the Diagnostic Setting for API Management to Log Analytics workspace\",\n          \"description\": \"Destination table for the diagnostic setting for API Management to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'\"\n        }\n      },\n      \"ApplicationGatewayLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"AutomationLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"BastionLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"BatchLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CDNEndpointsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CognitiveServicesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CosmosLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DatabricksLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataExplorerClusterLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataFactoryLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataLakeStoreLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataLakeAnalyticsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventGridSubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventGridTopicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventHubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventSystemTopicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ExpressRouteLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FirewallLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FirewallLogAnalyticsDestinationType\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AzureDiagnostics\",\n        \"allowedValues\": [\n          \"AzureDiagnostics\",\n          \"Dedicated\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Destination table for the Diagnostic Setting for Firewall to Log Analytics workspace\",\n          \"description\": \"Destination table for the diagnostic setting for Firewall to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'\"\n        }\n      },\n      \"FrontDoorLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FunctionAppLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"HDInsightLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"IotHubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"KeyVaultLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LoadBalancerLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LogAnalyticsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Log Analytics to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category Audit enabled\"\n        }\n      },\n      \"LogicAppsISELogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LogicAppsWFLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MariaDBLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MediaServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MlWorkspaceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MySQLLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkNICLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"PostgreSQLLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"PowerBIEmbeddedLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkPublicIPNicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"RedisCacheLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"RelayLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SearchServicesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ServiceBusLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces  to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SignalRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLDBsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Databases  to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLElasticPoolsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLMLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"StreamAnalyticsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"TimeSeriesInsightsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"TrafficManagerLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VirtualNetworkLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VirtualMachinesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VMSSLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets  to stream to a Log Analytics workspace when any Virtual Machine Scale Sets  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VNetGWLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n        }\n      },\n      \"AppServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"AppServiceWebappLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"AVDScalingPlansLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDAppGroupsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDWorkspaceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDHostPoolsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"StorageAccountsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VWanS2SVPNGWLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59759c62-9a22-4cdf-ae64-074495983fef\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageAccountBlobServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageAccountFileServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a70cc8-2bd4-47f1-90b6-1478e4662c96\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageAccountQueueServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7bd000e3-37c7-4928-9f31-86c4b77c5c45\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageAccountTableServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2fb86bf3-d221-43d1-96d1-2434af34eaa0\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AVDScalingPlansLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n          },\n          \"diagnosticsSettingNameToUse\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"logAnalyticsDestinationType\": {\n            \"value\": \"[[parameters('APIMgmtLogAnalyticsDestinationType')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"logAnalyticsDestinationType\": {\n            \"value\": \"[[parameters('FirewallLogAnalyticsDestinationType')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LogAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogAnalytics\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LogAnalyticsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          },\n          \"metricsEnabled\": {\n            \"value\": \"True\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n          },\n          \"diagnosticsSettingNameToUse\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
+    "$fxv#154": "{\n    \"name\": \"Deploy-MDFC-Config\",\n    \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n        \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n        \"metadata\": {\n            \"version\": \"7.0.0\",\n            \"category\": \"Security Center\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\"\n            ]\n        },\n        \"parameters\": {\n            \"emailSecurityContact\": {\n                \"type\": \"string\",\n                \"metadata\": {\n                    \"displayName\": \"Security contacts email address\",\n                    \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n                }\n            },\n            \"minimalSeverity\": {\n                \"type\": \"string\",\n                \"allowedValues\": [\n                    \"High\",\n                    \"Medium\",\n                    \"Low\"\n                ],\n                \"defaultValue\": \"High\",\n                \"metadata\": {\n                    \"displayName\": \"Minimal severity\",\n                    \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n                }\n            },\n            \"logAnalytics\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Primary Log Analytics workspace\",\n                    \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n                    \"strongType\": \"omsWorkspace\"\n                }\n            },\n            \"ascExportResourceGroupName\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n                    \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n                }\n            },\n            \"ascExportResourceGroupLocation\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n                    \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n                }\n            },\n            \"enableAscForCosmosDbs\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForSql\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForSqlOnVm\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForDns\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForArm\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForOssDb\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForAppServices\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForKeyVault\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForStorage\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForContainers\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForServers\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForServersVulnerabilityAssessments\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"vulnerabilityAssessmentProvider\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"default\",\n                    \"mdeTvm\"\n                ],\n                \"defaultValue\": \"default\",\n                \"metadata\": {\n                    \"displayName\": \"Vulnerability assessment provider type\",\n                    \"description\": \"Select the vulnerability assessment solution to provision to machines.\"\n                }\n            },\n            \"enableAscForApis\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForCspm\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            }\n        },\n        \"policyDefinitions\": [\n            {\n                \"policyDefinitionReferenceId\": \"defenderForOssDb\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForOssDb')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForVM\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForServers')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForVMVulnerabilityAssessment\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForServersVulnerabilityAssessments')]\"\n                    },\n                    \"vaType\": {\n                        \"value\": \"[[parameters('vulnerabilityAssessmentProvider')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForSqlServerVirtualMachines\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForSqlOnVm')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForAppServices\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForAppServices')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForStorageAccountsV2\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForStorage')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderforContainers\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForContainers')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderforKubernetes\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForContainers')]\"\n                    },\n                    \"logAnalyticsWorkspaceResourceId\": {\n                        \"value\": \"[[parameters('logAnalytics')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"azurePolicyForKubernetes\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForContainers')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForKeyVaults\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForKeyVault')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForDns\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForDns')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForArm\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForArm')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForSql')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForCosmosDbs\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForCosmosDbs')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForApis\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e54d2be9-5f2e-4d65-98e4-4f0e670b23d6\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForApis')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForCspm\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForCspm')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"securityEmailContact\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n                \"parameters\": {\n                    \"emailSecurityContact\": {\n                        \"value\": \"[[parameters('emailSecurityContact')]\"\n                    },\n                    \"minimalSeverity\": {\n                        \"value\": \"[[parameters('minimalSeverity')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"ascExport\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n                \"parameters\": {\n                    \"resourceGroupName\": {\n                        \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n                    },\n                    \"resourceGroupLocation\": {\n                        \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n                    },\n                    \"workspaceResourceId\": {\n                        \"value\": \"[[parameters('logAnalytics')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"migrateToMdeTvm\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888\",\n                \"parameters\": {\n                },\n                \"groupNames\": []\n            }\n        ],\n        \"policyDefinitionGroups\": null\n    }\n}",
+    "$fxv#155": "{\n  \"name\": \"Deploy-Private-DNS-Zones\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n    \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n    \"metadata\": {\n      \"version\": \"2.1.2\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"azureFilePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureFilePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAutomationWebhookPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAutomationWebhookPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAutomationDSCHybridPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAutomationDSCHybridPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCosmosSQLPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCosmosSQLPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCosmosMongoPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCosmosMongoPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCosmosCassandraPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCosmosCassandraPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCosmosGremlinPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCosmosGremlinPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCosmosTablePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCosmosTablePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureDataFactoryPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureDataFactoryPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureDataFactoryPortalPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureDataFactoryPortalPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureDatabricksPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureDatabricksPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureHDInsightPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureHDInsightPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMigratePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMigratePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageBlobPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageBlobPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageBlobSecPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageBlobSecPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageQueuePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageQueuePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageQueueSecPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageQueueSecPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageFilePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageFilePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageStaticWebPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageStaticWebPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageStaticWebSecPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageStaticWebSecPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageDFSPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageDFSPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageDFSSecPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageDFSSecPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureSynapseSQLPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureSynapseSQLPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureSynapseSQLODPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureSynapseSQLODPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureSynapseDevPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureSynapseDevPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMediaServicesKeyPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMediaServicesKeyPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMediaServicesLivePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMediaServicesLivePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMediaServicesStreamPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMediaServicesStreamPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMonitorPrivateDnsZoneId1\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMonitorPrivateDnsZoneId1\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMonitorPrivateDnsZoneId2\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMonitorPrivateDnsZoneId2\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMonitorPrivateDnsZoneId3\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMonitorPrivateDnsZoneId3\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMonitorPrivateDnsZoneId4\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMonitorPrivateDnsZoneId4\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMonitorPrivateDnsZoneId5\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMonitorPrivateDnsZoneId5\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureWebPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureWebPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureBatchPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureBatchPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAppPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAppPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAsrPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAsrPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureIotPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureIotPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureKeyVaultPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureSignalRPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAppServicesPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventGridTopicsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureDiskAccessPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCognitiveServicesPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureIotHubsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventGridDomainsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureRedisCachePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAcrPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAcrPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventHubNamespacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureServiceBusNamespacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCognitiveSearchPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      },\n      \"effect1\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"deployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"deployIfNotExists\"\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-Webhook\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAutomationWebhookPrivateDnsZoneId')]\"\n          },\n          \"privateEndpointGroupId\": {\n            \"value\": \"Webhook\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-DSCHybrid\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAutomationDSCHybridPrivateDnsZoneId')]\"\n          },\n          \"privateEndpointGroupId\": {\n            \"value\": \"DSCAndHybridWorker\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-SQL\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCosmosSQLPrivateDnsZoneId')]\"\n          },\n          \"privateEndpointGroupId\": {\n            \"value\": \"SQL\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-MongoDB\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCosmosMongoPrivateDnsZoneId')]\"\n          },\n          \"privateEndpointGroupId\": {\n            \"value\": \"MongoDB\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Cassandra\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCosmosCassandraPrivateDnsZoneId')]\"\n          },\n          \"privateEndpointGroupId\": {\n            \"value\": \"Cassandra\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Gremlin\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCosmosGremlinPrivateDnsZoneId')]\"\n          },\n          \"privateEndpointGroupId\": {\n            \"value\": \"Gremlin\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Table\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCosmosTablePrivateDnsZoneId')]\"\n          },\n          \"privateEndpointGroupId\": {\n            \"value\": \"Table\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureDataFactoryPrivateDnsZoneId')]\"\n          },\n          \"listOfGroupIds\": {\n            \"value\": [\n              \"dataFactory\"\n            ]\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory-Portal\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureDataFactoryPortalPrivateDnsZoneId')]\"\n          },\n          \"listOfGroupIds\": {\n            \"value\": [\n              \"portal\"\n            ]\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databricks-UI-Api\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureDatabricksPrivateDnsZoneId')]\"\n          },\n          \"groupId\": {\n            \"value\": \"databricks_ui_api\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databricks-Browser-AuthN\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureDatabricksPrivateDnsZoneId')]\"\n          },\n          \"groupId\": {\n            \"value\": \"browser_authentication\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-HDInsight\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureHDInsightPrivateDnsZoneId')]\"\n          },\n          \"groupId\": {\n            \"value\": \"cluster\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Migrate\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7590a335-57cf-4c95-babd-ecbc8fafeb1f\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureMigratePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageBlobPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob-Sec\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageBlobSecPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageQueuePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue-Sec\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageQueueSecPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-File\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageFilePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageStaticWebPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb-Sec\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageStaticWebSecPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageDFSPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS-Sec\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageDFSSecPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureSynapseSQLPrivateDnsZoneId')]\"\n          },\n          \"targetSubResource\": {\n            \"value\": \"Sql\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL-OnDemand\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureSynapseSQLODPrivateDnsZoneId')]\"\n          },\n          \"targetSubResource\": {\n            \"value\": \"SqlOnDemand\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-Dev\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureSynapseDevPrivateDnsZoneId')]\"\n          },\n          \"targetSubResource\": {\n            \"value\": \"Dev\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Key\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureMediaServicesKeyPrivateDnsZoneId')]\"\n          },\n          \"groupId\": {\n            \"value\": \"keydelivery\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Live\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureMediaServicesLivePrivateDnsZoneId')]\"\n          },\n          \"groupId\": {\n            \"value\": \"liveevent\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Stream\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureMediaServicesStreamPrivateDnsZoneId')]\"\n          },\n          \"groupId\": {\n            \"value\": \"streamingendpoint\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Monitor\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365\",\n        \"parameters\": {\n          \"privateDnsZoneId1\": {\n            \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId1')]\"\n          },\n          \"privateDnsZoneId2\": {\n            \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId2')]\"\n          },\n          \"privateDnsZoneId3\": {\n            \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId3')]\"\n          },\n          \"privateDnsZoneId4\": {\n            \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId4')]\"\n          },\n          \"privateDnsZoneId5\": {\n            \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId5')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Web\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureWebPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}",
+    "$fxv#156": "{\n  \"name\": \"Enforce-Encryption-CMK\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n    \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n    \"metadata\": {\n      \"version\": \"2.0.0\",\n      \"category\": \"Encryption\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"ACRCmkEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      },\n      \"AksCmkEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n          \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      },\n      \"WorkspaceCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n          \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n        }\n      },\n      \"CognitiveServicesCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n          \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n        }\n      },\n      \"CosmosCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"audit\",\n        \"allowedValues\": [\n          \"audit\",\n          \"deny\",\n          \"disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n        }\n      },\n      \"DataBoxCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n          \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n        }\n      },\n      \"StreamAnalyticsCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"audit\",\n        \"allowedValues\": [\n          \"audit\",\n          \"deny\",\n          \"disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n          \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n        }\n      },\n      \"SynapseWorkspaceCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n        }\n      },\n      \"StorageCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n          \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n        }\n      },\n      \"MySQLCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n        }\n      },\n      \"PostgreSQLCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n        }\n      },\n      \"SqlServerTDECMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n        }\n      },\n      \"HealthcareAPIsCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"audit\",\n        \"allowedValues\": [\n          \"audit\",\n          \"disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure API for FHIR should use a customer-managed key (CMK) to encrypt data at rest\",\n          \"description\": \"Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys.\"\n        }\n      },\n      \"AzureBatchCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n          \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n        }\n      },\n      \"EncryptedVMDisksEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Disk encryption should be applied on virtual machines\",\n          \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ACRCmkEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AksCmkEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StorageCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"HealthcareAPIsCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('HealthcareAPIsCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
+    "$fxv#157": "{\n    \"name\": \"Enforce-ACSB\",\n    \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"displayName\": \"Enforce Azure Compute Security Benchmark compliance auditing\",\n        \"description\": \"Enforce Azure Compute Security Benchmark compliance auditing for Windows and Linux virtual machines.\",\n        \"metadata\": {\n            \"version\": \"1.0.0\",\n            \"category\": \"Guest Configuration\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\"\n            ]\n        },\n        \"parameters\": {\n            \"includeArcMachines\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"true\",\n                    \"false\"\n                ],\n                \"metadata\": {\n                    \"displayName\": \"Include Arc connected servers\",\n                    \"description\": \"By selecting this option, you agree to be charged monthly per Arc connected machine.\"\n                },\n                \"defaultValue\": \"true\"\n            },\n            \"effect\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"AuditIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"AuditIfNotExists\"\n            }\n        },\n        \"policyDefinitions\": [\n            {\n                \"policyDefinitionReferenceId\": \"GcIdentity\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e\",\n                \"parameters\": {},\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"GcLinux\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da\",\n                \"parameters\": {},\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"GcWindows\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6\",\n                \"parameters\": {},\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"WinAcsb\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effect')]\"\n                    },\n                    \"IncludeArcMachines\": {\n                        \"value\": \"[[parameters('includeArcMachines')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"LinAcsb\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effect')]\"\n                    },\n                    \"IncludeArcMachines\": {\n                        \"value\": \"[[parameters('includeArcMachines')]\"\n                    }\n                },\n                \"groupNames\": []\n            }\n        ],\n        \"policyDefinitionGroups\": null\n    }\n}\n",
+    "$fxv#158": "{\n  \"name\": \"Deploy-MDFC-DefenderSQL-AMA\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace\",\n    \"description\": \"Microsoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Security Center\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      },\n      \"workspaceRegion\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Workspace region\",\n          \"description\": \"Region of the Log Analytics workspace destination for the Data Collection Rule.\",\n          \"strongType\": \"location\"\n        }\n      },\n      \"dcrName\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Data Collection Rule Name\",\n          \"description\": \"Name of the Data Collection Rule.\"\n        }\n      },\n      \"dcrResourceGroup\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Data Collection Rule Resource Group\",\n          \"description\": \"Resource Group of the Data Collection Rule.\"\n        }\n      },\n      \"dcrId\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Data Collection Rule Id\",\n          \"description\": \"Id of the Data Collection Rule.\"\n        }\n      },\n      \"userWorkspaceResourceId\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Workspace Resource Id\",\n          \"description\": \"Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.\",\n          \"strongType\": \"omsWorkspace\"\n        }\n      },\n      \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n        \"type\": \"Boolean\",\n        \"metadata\": {\n          \"displayName\": \"Enable collection of SQL queries for security research\",\n          \"description\": \"Enable or disable the collection of SQL queries for security research.\"\n        },\n        \"allowedValues\": [\n          true,\n          false\n        ],\n        \"defaultValue\": false\n      },\n      \"identityResourceGroup\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Identity Resource Group\",\n          \"description\": \"The name of the resource group created by the policy.\"\n        },\n        \"defaultValue\": \"\"\n      },\n      \"userAssignedIdentityName\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"User Assigned Managed Identity Name\",\n          \"description\": \"The name of the user assigned managed identity.\"\n        },\n        \"defaultValue\": \"\"\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"defenderForSqlArcAma\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3592ff98-9787-443a-af59-4505d0fe0786\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForSqlArcMdsql\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65503269-6a54-4553-8a28-0065a8e6d929\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForSqlArcMdsqlDcr\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-Sql-DefenderSQL-DCR\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          },\n          \"userWorkspaceResourceId\": {\n            \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n          },\n          \"workspaceRegion\": {\n            \"value\": \"[[parameters('workspaceRegion')]\"\n          },\n          \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n            \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n          },\n          \"dcrName\": {\n            \"value\": \"[[parameters('dcrName')]\"\n          },\n          \"dcrResourceGroup\": {\n            \"value\": \"[[parameters('dcrResourceGroup')]\"\n          },\n          \"dcrId\": {\n            \"value\": \"[[parameters('dcrId')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForSqlArcDcrAssociation\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-SQL-DCR-Association\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          },\n          \"workspaceRegion\": {\n            \"value\": \"[[parameters('workspaceRegion')]\"\n          },\n          \"dcrName\": {\n            \"value\": \"[[parameters('dcrName')]\"\n          },\n          \"dcrResourceGroup\": {\n            \"value\": \"[[parameters('dcrResourceGroup')]\"\n          },\n          \"dcrId\": {\n            \"value\": \"[[parameters('dcrId')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForSqlAma\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-AMA\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          },\n          \"identityResourceGroup\": {\n            \"value\": \"[[parameters('identityResourceGroup')]\"\n          },\n          \"userAssignedIdentityName\": {\n            \"value\": \"[[parameters('userAssignedIdentityName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForSqlMdsql\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          },\n          \"workspaceRegion\": {\n            \"value\": \"[[parameters('workspaceRegion')]\"\n          },\n          \"dcrResourceGroup\": {\n            \"value\": \"[[parameters('dcrResourceGroup')]\"\n          },\n          \"dcrName\": {\n            \"value\": \"[[parameters('dcrName')]\"\n          },\n          \"dcrId\": {\n            \"value\": \"[[parameters('dcrId')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForSqlMdsqlDcr\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL-DCR\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          },\n          \"userWorkspaceResourceId\": {\n            \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n          },\n          \"workspaceRegion\": {\n            \"value\": \"[[parameters('workspaceRegion')]\"\n          },\n          \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n            \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n          },\n          \"dcrName\": {\n            \"value\": \"[[parameters('dcrName')]\"\n          },\n          \"dcrResourceGroup\": {\n            \"value\": \"[[parameters('dcrResourceGroup')]\"\n          },\n          \"dcrId\": {\n            \"value\": \"[[parameters('dcrId')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}",
+    "$fxv#159": "{\n  \"name\": \"Deny-PublicPaaSEndpoints\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Public network access should be disabled for PaaS services\",\n    \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n    \"metadata\": {\n      \"version\": \"1.1.0\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"CosmosPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for CosmosDB\",\n          \"description\": \"This policy denies that  Cosmos database accounts  are created with out public network access is disabled.\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"KeyVaultPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for KeyVault\",\n          \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"SqlServerPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n          \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"StoragePublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access onStorage accounts should be disabled\",\n          \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AKSPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on AKS API should be disabled\",\n          \"description\": \"This policy denies  the creation of  Azure Kubernetes Service non-private clusters\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"ACRPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure Container Registry disabled\",\n          \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AFSPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure File Sync disabled\",\n          \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"BatchPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n          \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"MariaDbPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n          \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-KeyVaultPaasPublicIP\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AFSPaasPublicIP\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
     "$fxv#16": "{\n  \"name\": \"Deny-PublicEndpoint-MariaDB\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"[Deprecated] Public network access should be disabled for MariaDB\",\n    \"description\": \"This policy denies the creation of Maria DB accounts with exposed public endpoints. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/fdccbe47-f3e3-4213-ad5d-ea459b2fa077.html\",\n    \"metadata\": {\n      \"version\": \"1.0.0-deprecated\",\n      \"category\": \"SQL\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"deprecated\": true,\n      \"supersededBy\": \"fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.DBforMariaDB/servers\"\n          },\n          {\n            \"field\": \"Microsoft.DBforMariaDB/servers/publicNetworkAccess\",\n            \"notequals\": \"Disabled\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#160": "{\n  \"name\": \"Enforce-Encryption-CMK\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n    \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n    \"metadata\": {\n      \"version\": \"2.0.0\",\n      \"category\": \"Encryption\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"ACRCmkEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      },\n      \"AksCmkEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n          \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      },\n      \"WorkspaceCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n          \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n        }\n      },\n      \"CognitiveServicesCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n          \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n        }\n      },\n      \"CosmosCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"audit\",\n        \"allowedValues\": [\n          \"audit\",\n          \"deny\",\n          \"disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n        }\n      },\n      \"DataBoxCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n          \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n        }\n      },\n      \"StreamAnalyticsCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"audit\",\n        \"allowedValues\": [\n          \"audit\",\n          \"deny\",\n          \"disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n          \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n        }\n      },\n      \"SynapseWorkspaceCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n        }\n      },\n      \"StorageCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n          \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n        }\n      },\n      \"SqlServerTDECMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n\t        \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n        }\n      },\n      \"AzureBatchCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n          \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n        }\n      },\n      \"EncryptedVMDisksEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Disk encryption should be applied on virtual machines\",\n          \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ACRCmkEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AksCmkEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StorageCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
+    "$fxv#160": "{\n  \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n    \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n    \"metadata\": {\n      \"version\": \"1.1.0\",\n      \"category\": \"Monitoring\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"logAnalytics\": {\n        \"metadata\": {\n          \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"displayName\": \"Log Analytics workspace\",\n          \"strongType\": \"omsWorkspace\"\n        },\n        \"type\": \"String\"\n      },\n      \"profileName\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"setbypolicy\",\n        \"metadata\": {\n          \"displayName\": \"Profile name\",\n          \"description\": \"The diagnostic settings profile name\"\n        }\n      },\n      \"ACILogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n        }\n      },\n      \"ACRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics  enabled.\"\n        }\n      },\n      \"AKSLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n        }\n      },\n      \"AnalysisServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"APIforFHIRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"APIMgmtLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ApplicationGatewayLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"AutomationLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"BastionLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"BatchLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CDNEndpointsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CognitiveServicesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CosmosLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DatabricksLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataExplorerClusterLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataFactoryLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataLakeStoreLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataLakeAnalyticsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventGridSubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventGridTopicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventHubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventSystemTopicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ExpressRouteLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FirewallLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FrontDoorLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FunctionAppLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"HDInsightLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"IotHubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"KeyVaultLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LoadBalancerLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LogicAppsISELogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LogicAppsWFLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MariaDBLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MediaServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MlWorkspaceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MySQLLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkNICLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"PostgreSQLLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"PowerBIEmbeddedLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkPublicIPNicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"RedisCacheLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"RelayLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SearchServicesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ServiceBusLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces  to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SignalRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLDBsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Databases  to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLElasticPoolsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLMLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"StreamAnalyticsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"TimeSeriesInsightsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"TrafficManagerLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VirtualNetworkLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VirtualMachinesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VMSSLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets  to stream to a Log Analytics workspace when any Virtual Machine Scale Sets  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VNetGWLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n        }\n      },\n      \"AppServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"AppServiceWebappLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDAppGroupsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDWorkspaceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDHostPoolsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"StorageAccountsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VWanS2SVPNGWLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n          },\n          \"diagnosticsSettingNameToUse\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          },\n          \"metricsEnabled\": {\n            \"value\": \"True\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n          },\n          \"diagnosticsSettingNameToUse\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}",
+    "$fxv#161": "{\n  \"name\": \"Deploy-MDFC-Config\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n    \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n    \"metadata\": {\n      \"version\": \"3.0.1\",\n      \"category\": \"Security Center\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"emailSecurityContact\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Security contacts email address\",\n          \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n        }\n      },\n      \"minimalSeverity\": {\n        \"type\": \"string\",\n        \"allowedValues\": [\n          \"High\",\n          \"Medium\",\n          \"Low\"\n        ],\n        \"defaultValue\": \"High\",\n        \"metadata\": {\n          \"displayName\": \"Minimal severity\",\n          \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n        }\n      },\n      \"logAnalytics\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Primary Log Analytics workspace\",\n          \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"strongType\": \"omsWorkspace\"\n        }\n      },\n      \"ascExportResourceGroupName\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n          \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n        }\n      },\n      \"ascExportResourceGroupLocation\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n          \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n        }\n      },\n      \"enableAscForSql\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"enableAscForServers\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"enableAscForContainers\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"defenderForVM\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForServers')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForSql')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForContainers\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForContainers')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"securityEmailContact\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n        \"parameters\": {\n          \"emailSecurityContact\": {\n            \"value\": \"[[parameters('emailSecurityContact')]\"\n          },\n          \"minimalSeverity\":{\n            \"value\":\"[[parameters('minimalSeverity')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ascExport\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n        \"parameters\": {\n          \"resourceGroupName\": {\n            \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n          },\n          \"resourceGroupLocation\": {\n            \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n          },\n          \"workspaceResourceId\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
+    "$fxv#162": "{\n  \"name\": \"Deploy-Private-DNS-Zones\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n    \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n    \"metadata\": {\n      \"version\": \"1.0.1\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"azureFilePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureFilePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureWebPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureWebPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureBatchPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureBatchPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAppPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAppPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAsrPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAsrPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureIotPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureIotPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureKeyVaultPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureSignalRPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAppServicesPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventGridTopicsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureDiskAccessPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCognitiveServicesPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureIotHubsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventGridDomainsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureRedisCachePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAcrPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAcrPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventHubNamespacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureServiceBusNamespacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCognitiveSearchPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      },\n      \"effect1\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"deployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"deployIfNotExists\"\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-File-Sync\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-File-Sync\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-Web\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-Web\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureWebPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-KeyVault\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-KeyVault\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
+    "$fxv#163": "{\n  \"name\": \"Enforce-Encryption-CMK\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n    \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n    \"metadata\": {\n      \"version\": \"2.0.0\",\n      \"category\": \"Encryption\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"ACRCmkEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      },\n      \"AksCmkEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n          \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      },\n      \"WorkspaceCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n          \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n        }\n      },\n      \"CognitiveServicesCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n          \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n        }\n      },\n      \"CosmosCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"audit\",\n        \"allowedValues\": [\n          \"audit\",\n          \"deny\",\n          \"disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n        }\n      },\n      \"DataBoxCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n          \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n        }\n      },\n      \"StreamAnalyticsCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"audit\",\n        \"allowedValues\": [\n          \"audit\",\n          \"deny\",\n          \"disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n          \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n        }\n      },\n      \"SynapseWorkspaceCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n        }\n      },\n      \"StorageCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n          \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n        }\n      },\n      \"MySQLCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n        }\n      },\n      \"PostgreSQLCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n        }\n      },\n      \"SqlServerTDECMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n\t        \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n        }\n      },\n      \"AzureBatchCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n          \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n        }\n      },\n      \"EncryptedVMDisksEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Disk encryption should be applied on virtual machines\",\n          \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ACRCmkEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AksCmkEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StorageCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQLCMKEffect\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQLCMKEffect\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
+    "$fxv#164": "{\n  \"name\": \"Deny-PublicPaaSEndpoints\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Public network access should be disabled for PaaS services\",\n    \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"CosmosPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for CosmosDB\",\n          \"description\": \"This policy denies that  Cosmos database accounts  are created with out public network access is disabled.\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"KeyVaultPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for KeyVault\",\n          \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"SqlServerPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n          \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"StoragePublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access onStorage accounts should be disabled\",\n          \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AKSPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on AKS API should be disabled\",\n          \"description\": \"This policy denies  the creation of  Azure Kubernetes Service non-private clusters\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"ACRPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure Container Registry disabled\",\n          \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AFSPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure File Sync disabled\",\n          \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"BatchPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n          \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"MariaDbPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n          \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
+    "$fxv#165": "{\n  \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n    \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n    \"metadata\": {\n      \"version\": \"1.1.0\",\n      \"category\": \"Monitoring\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"logAnalytics\": {\n        \"metadata\": {\n          \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"displayName\": \"Log Analytics workspace\",\n          \"strongType\": \"omsWorkspace\"\n        },\n        \"type\": \"String\"\n      },\n      \"profileName\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"setbypolicy\",\n        \"metadata\": {\n          \"displayName\": \"Profile name\",\n          \"description\": \"The diagnostic settings profile name\"\n        }\n      },\n      \"ACILogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n        }\n      },\n      \"ACRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics  enabled.\"\n        }\n      },\n      \"AKSLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n        }\n      },\n      \"AnalysisServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"APIforFHIRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"APIMgmtLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ApplicationGatewayLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"AutomationLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"BastionLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"BatchLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CDNEndpointsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CognitiveServicesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CosmosLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DatabricksLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataExplorerClusterLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataFactoryLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataLakeStoreLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataLakeAnalyticsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventGridSubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventGridTopicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventHubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventSystemTopicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ExpressRouteLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FirewallLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FrontDoorLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FunctionAppLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"HDInsightLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"IotHubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"KeyVaultLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LoadBalancerLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LogicAppsISELogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LogicAppsWFLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MariaDBLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MediaServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MlWorkspaceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MySQLLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkNICLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"PostgreSQLLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"PowerBIEmbeddedLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkPublicIPNicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"RedisCacheLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"RelayLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SearchServicesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ServiceBusLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces  to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SignalRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLDBsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Databases  to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLElasticPoolsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLMLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"StreamAnalyticsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"TimeSeriesInsightsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"TrafficManagerLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VirtualNetworkLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VirtualMachinesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VMSSLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets  to stream to a Log Analytics workspace when any Virtual Machine Scale Sets  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VNetGWLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n        }\n      },\n      \"AppServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"AppServiceWebappLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDAppGroupsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDWorkspaceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDHostPoolsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"StorageAccountsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VWanS2SVPNGWLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n          },\n          \"diagnosticsSettingNameToUse\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          },\n          \"metricsEnabled\": {\n            \"value\": \"True\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n          },\n          \"diagnosticsSettingNameToUse\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}",
+    "$fxv#166": "{\n  \"name\": \"Deploy-MDFC-Config\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n    \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n    \"metadata\": {\n      \"version\": \"3.0.1\",\n      \"category\": \"Security Center\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"emailSecurityContact\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Security contacts email address\",\n          \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n        }\n      },\n      \"minimalSeverity\": {\n        \"type\": \"string\",\n        \"allowedValues\": [\n          \"High\",\n          \"Medium\",\n          \"Low\"\n        ],\n        \"defaultValue\": \"High\",\n        \"metadata\": {\n          \"displayName\": \"Minimal severity\",\n          \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n        }\n      },\n      \"logAnalytics\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Primary Log Analytics workspace\",\n          \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"strongType\": \"omsWorkspace\"\n        }\n      },\n      \"ascExportResourceGroupName\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n          \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n        }\n      },\n      \"ascExportResourceGroupLocation\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n          \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n        }\n      },\n      \"enableAscForSql\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"enableAscForDns\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"enableAscForArm\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"enableAscForContainers\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"enableAscForStorage\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"enableAscForServers\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"defenderForVM\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForServers')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForStorageAccounts\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForStorage')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForContainers\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForContainers')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForDns\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForDns')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForArm\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForArm')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForSql')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"securityEmailContact\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n        \"parameters\": {\n          \"emailSecurityContact\": {\n            \"value\": \"[[parameters('emailSecurityContact')]\"\n          },\n          \"minimalSeverity\":{\n            \"value\":\"[[parameters('minimalSeverity')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ascExport\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n        \"parameters\": {\n          \"resourceGroupName\": {\n            \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n          },\n          \"resourceGroupLocation\": {\n            \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n          },\n          \"workspaceResourceId\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
+    "$fxv#167": "{\n  \"name\": \"Deploy-Private-DNS-Zones\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n    \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n    \"metadata\": {\n      \"version\": \"1.0.1\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"azureFilePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureFilePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureBatchPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureBatchPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAppPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAppPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAsrPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAsrPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureIotPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureIotPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureKeyVaultPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureSignalRPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAppServicesPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventGridTopicsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureDiskAccessPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCognitiveServicesPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureIotHubsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventGridDomainsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureRedisCachePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAcrPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAcrPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventHubNamespacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureServiceBusNamespacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCognitiveSearchPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      },\n      \"effect1\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"deployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"deployIfNotExists\"\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}",
+    "$fxv#168": "{\n  \"name\": \"Enforce-Encryption-CMK\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n    \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n    \"metadata\": {\n      \"version\": \"2.0.0\",\n      \"category\": \"Encryption\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"ACRCmkEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      },\n      \"AksCmkEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n          \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      },\n      \"WorkspaceCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n          \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n        }\n      },\n      \"CognitiveServicesCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n          \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n        }\n      },\n      \"CosmosCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"audit\",\n        \"allowedValues\": [\n          \"audit\",\n          \"deny\",\n          \"disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n        }\n      },\n      \"DataBoxCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n          \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n        }\n      },\n      \"StreamAnalyticsCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"audit\",\n        \"allowedValues\": [\n          \"audit\",\n          \"deny\",\n          \"disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n          \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n        }\n      },\n      \"SynapseWorkspaceCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n        }\n      },\n      \"StorageCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n          \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n        }\n      },\n      \"SqlServerTDECMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n\t        \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n        }\n      },\n      \"AzureBatchCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n          \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n        }\n      },\n      \"EncryptedVMDisksEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Disk encryption should be applied on virtual machines\",\n          \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ACRCmkEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AksCmkEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StorageCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
     "$fxv#17": "{\n  \"name\": \"Deny-PublicIP\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"[Deprecated] Deny the creation of public IP\",\n    \"description\": \"[Deprecated] This policy denies creation of Public IPs under the assigned scope. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/6c112d4e-5bc7-47ae-a041-ea2d9dccd749.html using appropriate assignment parameters.\",\n    \"metadata\": {\n      \"deprecated\": true,\n      \"supersededBy\": \"6c112d4e-5bc7-47ae-a041-ea2d9dccd749\",\n      \"version\": \"1.0.0-deprecated\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"field\": \"type\",\n        \"equals\": \"Microsoft.Network/publicIPAddresses\"\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}",
     "$fxv#18": "{\n  \"name\": \"Deny-RDP-From-Internet\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"All\",\n    \"displayName\": \"[Deprecated] RDP access from the Internet should be blocked\",\n    \"description\": \"This policy denies any network security rule that allows RDP access from Internet. This policy is superseded by https://www.azadvertizer.net/azpolicyadvertizer/Deny-MgmtPorts-From-Internet.html\",\n    \"metadata\": {\n      \"deprecated\": true,\n      \"supersededBy\": \"Deny-MgmtPorts-From-Internet\",\n      \"version\": \"1.0.1-deprecated\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Network/networkSecurityGroups/securityRules\"\n          },\n          {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/access\",\n                \"equals\": \"Allow\"\n              },\n              {\n                \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/direction\",\n                \"equals\": \"Inbound\"\n              },\n              {\n                \"anyOf\": [\n                  {\n                    \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\n                    \"equals\": \"*\"\n                  },\n                  {\n                    \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\n                    \"equals\": \"3389\"\n                  },\n                  {\n                    \"value\": \"[[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389)), 'false')]\",\n                    \"equals\": \"true\"\n                  },\n                  {\n                    \"count\": {\n                      \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n                      \"where\": {\n                        \"value\": \"[[if(and(not(empty(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')))), contains(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')),'-')), and(lessOrEquals(int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389),greaterOrEquals(int(last(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389)) , 'false')]\",\n                        \"equals\": \"true\"\n                      }\n                    },\n                    \"greater\": 0\n                  },\n                  {\n                    \"not\": {\n                      \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n                      \"notEquals\": \"*\"\n                    }\n                  },\n                  {\n                    \"not\": {\n                      \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n                      \"notEquals\": \"3389\"\n                    }\n                  }\n                ]\n              },\n              {\n                \"anyOf\": [\n                  {\n                    \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\n                    \"equals\": \"*\"\n                  },\n                  {\n                    \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\n                    \"equals\": \"Internet\"\n                  },\n                  {\n                    \"not\": {\n                      \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\n                      \"notEquals\": \"*\"\n                    }\n                  },\n                  {\n                    \"not\": {\n                      \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\n                      \"notEquals\": \"Internet\"\n                    }\n                  }\n                ]\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#19": "{\n    \"name\": \"Deny-MgmtPorts-From-Internet\",\n    \"type\": \"Microsoft.Authorization/policyDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"mode\": \"All\",\n        \"displayName\": \"Management port access from the Internet should be blocked\",\n        \"description\": \"This policy denies any network security rule that allows management port access from the Internet\",\n        \"metadata\": {\n            \"version\": \"2.1.0\",\n            \"category\": \"Network\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"replacesPolicy\": \"Deny-RDP-From-Internet\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\",\n                \"AzureChinaCloud\",\n                \"AzureUSGovernment\"\n            ]\n        },\n        \"parameters\": {\n            \"effect\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Deny\"\n            },\n            \"ports\": {\n                \"type\": \"Array\",\n                \"metadata\": {\n                    \"displayName\": \"Ports\",\n                    \"description\": \"Ports to be blocked\"\n                },\n                \"defaultValue\": [\n                    \"22\",\n                    \"3389\"\n                ]\n            }\n        },\n        \"policyRule\": {\n            \"if\": {\n                \"anyOf\": [\n                    {\n                        \"allOf\": [\n                            {\n                                \"field\": \"type\",\n                                \"equals\": \"Microsoft.Network/networkSecurityGroups/securityRules\"\n                            },\n                            {\n                                \"allOf\": [\n                                    {\n                                        \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/access\",\n                                        \"equals\": \"Allow\"\n                                    },\n                                    {\n                                        \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/direction\",\n                                        \"equals\": \"Inbound\"\n                                    },\n                                    {\n                                        \"anyOf\": [\n                                            {\n                                                \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\n                                                \"equals\": \"*\"\n                                            },\n                                            {\n                                                \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\n                                                \"in\": \"[[parameters('ports')]\"\n                                            },\n                                            {\n                                                \"count\": {\n                                                    \"value\": \"[[parameters('ports')]\",\n                                                    \"where\": {\n                                                        \"value\": \"[[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),int(current())),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),int(current()))), 'false')]\",\n                                                        \"equals\": \"true\"\n                                                    }\n                                                },\n                                                \"greater\": 0\n                                            },\n                                            {\n                                                \"count\": {\n                                                    \"value\": \"[[parameters('ports')]\",\n                                                    \"name\": \"ports\",\n                                                    \"where\": {\n                                                        \"count\": {\n                                                            \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n                                                            \"where\": {\n                                                                \"value\": \"[[if(and(not(empty(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'))), contains(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'),'-')), and(lessOrEquals(int(first(split(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'), '-'))),int(current('ports'))),greaterOrEquals(int(last(split(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'), '-'))),int(current('ports')))) , 'false')]\",\n                                                                \"equals\": \"true\"\n                                                            }\n                                                        },\n                                                        \"greater\": 0\n                                                    }\n                                                },\n                                                \"greater\": 0\n                                            },\n                                            {\n                                                \"not\": {\n                                                    \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n                                                    \"notEquals\": \"*\"\n                                                }\n                                            },\n                                            {\n                                                \"not\": {\n                                                    \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n                                                    \"notIn\": \"[[parameters('ports')]\"\n                                                }\n                                            }\n                                        ]\n                                    },\n                                    {\n                                        \"anyOf\": [\n                                            {\n                                                \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\n                                                \"equals\": \"*\"\n                                            },\n                                            {\n                                                \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\n                                                \"equals\": \"Internet\"\n                                            },\n                                            {\n                                                \"not\": {\n                                                    \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\n                                                    \"notEquals\": \"*\"\n                                                }\n                                            },\n                                            {\n                                                \"not\": {\n                                                    \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\n                                                    \"notEquals\": \"Internet\"\n                                                }\n                                            }\n                                        ]\n                                    }\n                                ]\n                            }\n                        ]\n                    },\n                    {\n                        \"allOf\": [\n                            {\n                                \"field\": \"type\",\n                                \"equals\": \"Microsoft.Network/networkSecurityGroups\"\n                            },\n                            {\n                                \"count\": {\n                                    \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*]\",\n                                    \"where\": {\n                                        \"allOf\": [\n                                            {\n                                                \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].access\",\n                                                \"equals\": \"Allow\"\n                                            },\n                                            {\n                                                \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].direction\",\n                                                \"equals\": \"Inbound\"\n                                            },\n                                            {\n                                                \"anyOf\": [\n                                                    {\n                                                        \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange\",\n                                                        \"equals\": \"*\"\n                                                    },\n                                                    {\n                                                        \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange\",\n                                                        \"in\": \"[[parameters('ports')]\"\n                                                    },\n                                                    {\n                                                        \"count\": {\n                                                            \"value\": \"[[parameters('ports')]\",\n                                                            \"name\": \"ports\",\n                                                            \"where\": {\n                                                                \"value\": \"[[if(and(not(empty(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'))), contains(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'),'-')), and(lessOrEquals(int(first(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'), '-'))),int(current('ports'))),greaterOrEquals(int(last(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'), '-'))),int(current('ports')))), 'false')]\",\n                                                                \"equals\": \"true\"\n                                                            }\n                                                        },\n                                                        \"greater\": 0\n                                                    },\n                                                    {\n                                                        \"count\": {\n                                                            \"value\": \"[[parameters('ports')]\",\n                                                            \"name\": \"ports\",\n                                                            \"where\": {\n                                                                \"count\": {\n                                                                    \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]\",\n                                                                    \"where\": {\n                                                                        \"value\": \"[[if(and(not(empty(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'))), contains(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'),'-')), and(lessOrEquals(int(first(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'), '-'))),int(current('ports'))),greaterOrEquals(int(last(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'), '-'))),int(current('ports')))) , 'false')]\",\n                                                                        \"equals\": \"true\"\n                                                                    }\n                                                                },\n                                                                \"greater\": 0\n                                                            }\n                                                        },\n                                                        \"greater\": 0\n                                                    },\n                                                    {\n                                                        \"not\": {\n                                                            \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]\",\n                                                            \"notEquals\": \"*\"\n                                                        }\n                                                    },\n                                                    {\n                                                        \"not\": {\n                                                            \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]\",\n                                                            \"notIn\": \"[[parameters('ports')]\"\n                                                        }\n                                                    }\n                                                ]\n                                            },\n                                            {\n                                                \"anyOf\": [\n                                                    {\n                                                        \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix\",\n                                                        \"equals\": \"*\"\n                                                    },\n                                                    {\n                                                        \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix\",\n                                                        \"equals\": \"Internet\"\n                                                    },\n                                                    {\n                                                        \"not\": {\n                                                            \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]\",\n                                                            \"notEquals\": \"*\"\n                                                        }\n                                                    },\n                                                    {\n                                                        \"not\": {\n                                                            \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]\",\n                                                            \"notEquals\": \"Internet\"\n                                                        }\n                                                    }\n                                                ]\n                                            }\n                                        ]\n                                    }\n                                },\n                                \"greater\": 0\n                            }\n                        ]\n                    }\n                ]\n            },\n            \"then\": {\n                \"effect\": \"[[parameters('effect')]\"\n            }\n        }\n    }\n}",
+    "$fxv#19": "{\n    \"name\": \"Deny-MgmtPorts-From-Internet\",\n    \"type\": \"Microsoft.Authorization/policyDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"mode\": \"All\",\n        \"displayName\": \"Management port access from the Internet should be blocked\",\n        \"description\": \"This policy denies any network security rule that allows management port access from the Internet, by default blocking SSH/RDP ports.\",\n        \"metadata\": {\n            \"version\": \"2.1.1\",\n            \"category\": \"Network\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"replacesPolicy\": \"Deny-RDP-From-Internet\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\",\n                \"AzureChinaCloud\",\n                \"AzureUSGovernment\"\n            ]\n        },\n        \"parameters\": {\n            \"effect\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Deny\"\n            },\n            \"ports\": {\n                \"type\": \"Array\",\n                \"metadata\": {\n                    \"displayName\": \"Ports\",\n                    \"description\": \"Ports to be blocked\"\n                },\n                \"defaultValue\": [\n                    \"22\",\n                    \"3389\"\n                ]\n            }\n        },\n        \"policyRule\": {\n            \"if\": {\n                \"anyOf\": [\n                    {\n                        \"allOf\": [\n                            {\n                                \"field\": \"type\",\n                                \"equals\": \"Microsoft.Network/networkSecurityGroups/securityRules\"\n                            },\n                            {\n                                \"allOf\": [\n                                    {\n                                        \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/access\",\n                                        \"equals\": \"Allow\"\n                                    },\n                                    {\n                                        \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/direction\",\n                                        \"equals\": \"Inbound\"\n                                    },\n                                    {\n                                        \"anyOf\": [\n                                            {\n                                                \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\n                                                \"equals\": \"*\"\n                                            },\n                                            {\n                                                \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\n                                                \"in\": \"[[parameters('ports')]\"\n                                            },\n                                            {\n                                                \"count\": {\n                                                    \"value\": \"[[parameters('ports')]\",\n                                                    \"where\": {\n                                                        \"value\": \"[[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),int(current())),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),int(current()))), 'false')]\",\n                                                        \"equals\": \"true\"\n                                                    }\n                                                },\n                                                \"greater\": 0\n                                            },\n                                            {\n                                                \"count\": {\n                                                    \"value\": \"[[parameters('ports')]\",\n                                                    \"name\": \"ports\",\n                                                    \"where\": {\n                                                        \"count\": {\n                                                            \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n                                                            \"where\": {\n                                                                \"value\": \"[[if(and(not(empty(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'))), contains(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'),'-')), and(lessOrEquals(int(first(split(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'), '-'))),int(current('ports'))),greaterOrEquals(int(last(split(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'), '-'))),int(current('ports')))) , 'false')]\",\n                                                                \"equals\": \"true\"\n                                                            }\n                                                        },\n                                                        \"greater\": 0\n                                                    }\n                                                },\n                                                \"greater\": 0\n                                            },\n                                            {\n                                                \"not\": {\n                                                    \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n                                                    \"notEquals\": \"*\"\n                                                }\n                                            },\n                                            {\n                                                \"not\": {\n                                                    \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n                                                    \"notIn\": \"[[parameters('ports')]\"\n                                                }\n                                            }\n                                        ]\n                                    },\n                                    {\n                                        \"anyOf\": [\n                                            {\n                                                \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\n                                                \"equals\": \"*\"\n                                            },\n                                            {\n                                                \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\n                                                \"equals\": \"Internet\"\n                                            },\n                                            {\n                                                \"not\": {\n                                                    \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\n                                                    \"notEquals\": \"*\"\n                                                }\n                                            },\n                                            {\n                                                \"not\": {\n                                                    \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\n                                                    \"notEquals\": \"Internet\"\n                                                }\n                                            }\n                                        ]\n                                    }\n                                ]\n                            }\n                        ]\n                    },\n                    {\n                        \"allOf\": [\n                            {\n                                \"field\": \"type\",\n                                \"equals\": \"Microsoft.Network/networkSecurityGroups\"\n                            },\n                            {\n                                \"count\": {\n                                    \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*]\",\n                                    \"where\": {\n                                        \"allOf\": [\n                                            {\n                                                \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].access\",\n                                                \"equals\": \"Allow\"\n                                            },\n                                            {\n                                                \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].direction\",\n                                                \"equals\": \"Inbound\"\n                                            },\n                                            {\n                                                \"anyOf\": [\n                                                    {\n                                                        \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange\",\n                                                        \"equals\": \"*\"\n                                                    },\n                                                    {\n                                                        \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange\",\n                                                        \"in\": \"[[parameters('ports')]\"\n                                                    },\n                                                    {\n                                                        \"count\": {\n                                                            \"value\": \"[[parameters('ports')]\",\n                                                            \"name\": \"ports\",\n                                                            \"where\": {\n                                                                \"value\": \"[[if(and(not(empty(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'))), contains(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'),'-')), and(lessOrEquals(int(first(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'), '-'))),int(current('ports'))),greaterOrEquals(int(last(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'), '-'))),int(current('ports')))), 'false')]\",\n                                                                \"equals\": \"true\"\n                                                            }\n                                                        },\n                                                        \"greater\": 0\n                                                    },\n                                                    {\n                                                        \"count\": {\n                                                            \"value\": \"[[parameters('ports')]\",\n                                                            \"name\": \"ports\",\n                                                            \"where\": {\n                                                                \"count\": {\n                                                                    \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]\",\n                                                                    \"where\": {\n                                                                        \"value\": \"[[if(and(not(empty(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'))), contains(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'),'-')), and(lessOrEquals(int(first(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'), '-'))),int(current('ports'))),greaterOrEquals(int(last(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'), '-'))),int(current('ports')))) , 'false')]\",\n                                                                        \"equals\": \"true\"\n                                                                    }\n                                                                },\n                                                                \"greater\": 0\n                                                            }\n                                                        },\n                                                        \"greater\": 0\n                                                    },\n                                                    {\n                                                        \"not\": {\n                                                            \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]\",\n                                                            \"notEquals\": \"*\"\n                                                        }\n                                                    },\n                                                    {\n                                                        \"not\": {\n                                                            \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]\",\n                                                            \"notIn\": \"[[parameters('ports')]\"\n                                                        }\n                                                    }\n                                                ]\n                                            },\n                                            {\n                                                \"anyOf\": [\n                                                    {\n                                                        \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix\",\n                                                        \"equals\": \"*\"\n                                                    },\n                                                    {\n                                                        \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix\",\n                                                        \"equals\": \"Internet\"\n                                                    },\n                                                    {\n                                                        \"not\": {\n                                                            \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]\",\n                                                            \"notEquals\": \"*\"\n                                                        }\n                                                    },\n                                                    {\n                                                        \"not\": {\n                                                            \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]\",\n                                                            \"notEquals\": \"Internet\"\n                                                        }\n                                                    }\n                                                ]\n                                            }\n                                        ]\n                                    }\n                                },\n                                \"greater\": 0\n                            }\n                        ]\n                    }\n                ]\n            },\n            \"then\": {\n                \"effect\": \"[[parameters('effect')]\"\n            }\n        }\n    }\n}\n",
     "$fxv#2": "{\n  \"name\": \"Append-KV-SoftDelete\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"KeyVault SoftDelete should be enabled\",\n    \"description\": \"This policy enables you to ensure when a Key Vault is created with out soft delete enabled it will be added.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Key Vault\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {},\n    \"policyRule\": {\n      \"if\": {\n        \"anyOf\": [\n          {\n            \"allOf\": [\n              {\n                \"field\": \"type\",\n                \"equals\": \"Microsoft.KeyVault/vaults\"\n              },\n              {\n                \"field\": \"Microsoft.KeyVault/vaults/enableSoftDelete\",\n                \"notEquals\": true\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"append\",\n        \"details\": [\n          {\n            \"field\": \"Microsoft.KeyVault/vaults/enableSoftDelete\",\n            \"value\": true\n          }\n        ]\n      }\n    }\n  }\n}\n",
     "$fxv#20": "{\n  \"name\": \"Deny-Redis-http\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Azure Cache for Redis only secure connections should be enabled\",\n    \"description\": \"Audit enabling of only connections via SSL to Azure Cache for Redis. Validate both minimum TLS version and enableNonSslPort is disabled. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Cache\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Deny\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"The effect determines what happens when the policy rule is evaluated to match\"\n        }\n      },\n      \"minimumTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"1.2\",\n        \"allowedValues\": [\n          \"1.2\",\n          \"1.1\",\n          \"1.0\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Select minumum TLS version for Azure Cache for Redis.\",\n          \"description\": \"Select minimum TLS version for Azure Cache for Redis.\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Cache/redis\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.Cache/Redis/enableNonSslPort\",\n                \"equals\": \"true\"\n              },\n              {\n                \"field\": \"Microsoft.Cache/Redis/minimumTlsVersion\",\n                \"notequals\": \"[[parameters('minimumTlsVersion')]\"\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
     "$fxv#21": "{\n  \"name\": \"Deny-Sql-minTLS\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Azure SQL Database should have the minimal TLS version set to the highest version\",\n    \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"SQL\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Audit\"\n      },\n      \"minimalTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"1.2\",\n        \"allowedValues\": [\n          \"1.2\",\n          \"1.1\",\n          \"1.0\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Select version for SQL server\",\n          \"description\": \"Select version minimum TLS version SQL servers to enforce\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Sql/servers\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.Sql/servers/minimalTlsVersion\",\n                \"exists\": \"false\"\n              },\n              {\n                \"field\": \"Microsoft.Sql/servers/minimalTlsVersion\",\n                \"notequals\": \"[[parameters('minimalTlsVersion')]\"\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
@@ -241,7 +249,7 @@
     "$fxv#64": "{\n  \"name\": \"Deploy-Diagnostics-LoadBalancer\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n    \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\n    \"metadata\": {\n      \"version\": \"1.1.0\",\n      \"category\": \"Monitoring\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"logAnalytics\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Log Analytics workspace\",\n          \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"strongType\": \"omsWorkspace\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"profileName\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"setbypolicy\",\n        \"metadata\": {\n          \"displayName\": \"Profile name\",\n          \"description\": \"The diagnostic settings profile name\"\n        }\n      },\n      \"metricsEnabled\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"True\",\n        \"allowedValues\": [\n          \"True\",\n          \"False\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Enable metrics\",\n          \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n        }\n      },\n      \"logsEnabled\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"True\",\n        \"allowedValues\": [\n          \"True\",\n          \"False\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Enable logs\",\n          \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"field\": \"type\",\n        \"equals\": \"Microsoft.Network/loadBalancers\"\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Insights/diagnosticSettings\",\n          \"name\": \"[[parameters('profileName')]\",\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n                \"equals\": \"true\"\n              },\n              {\n                \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n                \"equals\": \"true\"\n              },\n              {\n                \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n                \"equals\": \"[[parameters('logAnalytics')]\"\n              }\n            ]\n          },\n          \"roleDefinitionIds\": [\n            \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n            \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n          ],\n          \"deployment\": {\n            \"properties\": {\n              \"mode\": \"Incremental\",\n              \"template\": {\n                \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"resourceName\": {\n                    \"type\": \"String\"\n                  },\n                  \"logAnalytics\": {\n                    \"type\": \"String\"\n                  },\n                  \"location\": {\n                    \"type\": \"String\"\n                  },\n                  \"profileName\": {\n                    \"type\": \"String\"\n                  },\n                  \"metricsEnabled\": {\n                    \"type\": \"String\"\n                  },\n                  \"logsEnabled\": {\n                    \"type\": \"String\"\n                  }\n                },\n                \"variables\": {},\n                \"resources\": [\n                  {\n                    \"type\": \"Microsoft.Network/loadBalancers/providers/diagnosticSettings\",\n                    \"apiVersion\": \"2017-05-01-preview\",\n                    \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n                    \"location\": \"[[parameters('location')]\",\n                    \"dependsOn\": [],\n                    \"properties\": {\n                      \"workspaceId\": \"[[parameters('logAnalytics')]\",\n                      \"metrics\": [\n                        {\n                          \"category\": \"AllMetrics\",\n                          \"timeGrain\": null,\n                          \"enabled\": \"[[parameters('metricsEnabled')]\",\n                          \"retentionPolicy\": {\n                            \"enabled\": false,\n                            \"days\": 0\n                          }\n                        }\n                      ],\n                      \"logs\": [\n                        {\n                          \"category\": \"LoadBalancerAlertEvent\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"LoadBalancerProbeHealthStatus\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        }\n                      ]\n                    }\n                  }\n                ],\n                \"outputs\": {}\n              },\n              \"parameters\": {\n                \"logAnalytics\": {\n                  \"value\": \"[[parameters('logAnalytics')]\"\n                },\n                \"location\": {\n                  \"value\": \"[[field('location')]\"\n                },\n                \"resourceName\": {\n                  \"value\": \"[[field('name')]\"\n                },\n                \"profileName\": {\n                  \"value\": \"[[parameters('profileName')]\"\n                },\n                \"metricsEnabled\": {\n                  \"value\": \"[[parameters('metricsEnabled')]\"\n                },\n                \"logsEnabled\": {\n                  \"value\": \"[[parameters('logsEnabled')]\"\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}",
     "$fxv#65": "{\n  \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace\",\n    \"description\": \"Deploys the diagnostic settings for Log Analytics workspaces to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\n    \"metadata\": {\n      \"version\": \"1.1.0\",\n      \"category\": \"Monitoring\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"logAnalytics\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Log Analytics workspace\",\n          \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"strongType\": \"omsWorkspace\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"profileName\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"setbypolicy\",\n        \"metadata\": {\n          \"displayName\": \"Profile name\",\n          \"description\": \"The diagnostic settings profile name\"\n        }\n      },\n      \"metricsEnabled\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"True\",\n        \"allowedValues\": [\n          \"True\",\n          \"False\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Enable metrics\",\n          \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n        }\n      },\n      \"logsEnabled\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"True\",\n        \"allowedValues\": [\n          \"True\",\n          \"False\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Enable logs\",\n          \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"field\": \"type\",\n        \"equals\": \"microsoft.operationalinsights/workspaces\"\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Insights/diagnosticSettings\",\n          \"name\": \"[[parameters('profileName')]\",\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n                \"equals\": \"true\"\n              },\n              {\n                \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n                \"equals\": \"true\"\n              },\n              {\n                \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n                \"equals\": \"[[parameters('logAnalytics')]\"\n              }\n            ]\n          },\n          \"roleDefinitionIds\": [\n            \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n            \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n          ],\n          \"deployment\": {\n            \"properties\": {\n              \"mode\": \"Incremental\",\n              \"template\": {\n                \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"resourceName\": {\n                    \"type\": \"String\"\n                  },\n                  \"logAnalytics\": {\n                    \"type\": \"String\"\n                  },\n                  \"location\": {\n                    \"type\": \"String\"\n                  },\n                  \"profileName\": {\n                    \"type\": \"String\"\n                  },\n                  \"metricsEnabled\": {\n                    \"type\": \"String\"\n                  },\n                  \"logsEnabled\": {\n                    \"type\": \"String\"\n                  }\n                },\n                \"variables\": {},\n                \"resources\": [\n                  {\n                    \"type\": \"microsoft.operationalinsights/workspaces/providers/diagnosticSettings\",\n                    \"apiVersion\": \"2017-05-01-preview\",\n                    \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n                    \"location\": \"[[parameters('location')]\",\n                    \"dependsOn\": [],\n                    \"properties\": {\n                      \"workspaceId\": \"[[parameters('logAnalytics')]\",\n                      \"metrics\": [\n                        {\n                          \"category\": \"AllMetrics\",\n                          \"enabled\": \"[[parameters('metricsEnabled')]\",\n                          \"retentionPolicy\": {\n                            \"days\": 0,\n                            \"enabled\": false\n                          },\n                          \"timeGrain\": null\n                        }\n                      ],\n                      \"logs\": [\n                        {\n                          \"category\": \"Audit\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        }\n                      ]\n                    }\n                  }\n                ],\n                \"outputs\": {}\n              },\n              \"parameters\": {\n                \"logAnalytics\": {\n                  \"value\": \"[[parameters('logAnalytics')]\"\n                },\n                \"location\": {\n                  \"value\": \"[[field('location')]\"\n                },\n                \"resourceName\": {\n                  \"value\": \"[[field('name')]\"\n                },\n                \"profileName\": {\n                  \"value\": \"[[parameters('profileName')]\"\n                },\n                \"metricsEnabled\": {\n                  \"value\": \"[[parameters('metricsEnabled')]\"\n                },\n                \"logsEnabled\": {\n                  \"value\": \"[[parameters('logsEnabled')]\"\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}",
     "$fxv#66": "{\n  \"name\": \"Deploy-Diagnostics-LogicAppsISE\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n    \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\n    \"metadata\": {\n      \"version\": \"1.1.0\",\n      \"category\": \"Monitoring\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"logAnalytics\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Log Analytics workspace\",\n          \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"strongType\": \"omsWorkspace\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"profileName\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"setbypolicy\",\n        \"metadata\": {\n          \"displayName\": \"Profile name\",\n          \"description\": \"The diagnostic settings profile name\"\n        }\n      },\n      \"logsEnabled\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"True\",\n        \"allowedValues\": [\n          \"True\",\n          \"False\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Enable logs\",\n          \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"field\": \"type\",\n        \"equals\": \"Microsoft.Logic/integrationAccounts\"\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Insights/diagnosticSettings\",\n          \"name\": \"[[parameters('profileName')]\",\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n                \"equals\": \"true\"\n              },\n              {\n                \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n                \"equals\": \"[[parameters('logAnalytics')]\"\n              }\n            ]\n          },\n          \"roleDefinitionIds\": [\n            \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n            \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n          ],\n          \"deployment\": {\n            \"properties\": {\n              \"mode\": \"Incremental\",\n              \"template\": {\n                \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"resourceName\": {\n                    \"type\": \"String\"\n                  },\n                  \"logAnalytics\": {\n                    \"type\": \"String\"\n                  },\n                  \"location\": {\n                    \"type\": \"String\"\n                  },\n                  \"profileName\": {\n                    \"type\": \"String\"\n                  },\n                  \"logsEnabled\": {\n                    \"type\": \"String\"\n                  }\n                },\n                \"variables\": {},\n                \"resources\": [\n                  {\n                    \"type\": \"Microsoft.Logic/integrationAccounts/providers/diagnosticSettings\",\n                    \"apiVersion\": \"2017-05-01-preview\",\n                    \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n                    \"location\": \"[[parameters('location')]\",\n                    \"dependsOn\": [],\n                    \"properties\": {\n                      \"workspaceId\": \"[[parameters('logAnalytics')]\",\n                      \"metrics\": [],\n                      \"logs\": [\n                        {\n                          \"category\": \"IntegrationAccountTrackingEvents\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        }\n                      ]\n                    }\n                  }\n                ],\n                \"outputs\": {}\n              },\n              \"parameters\": {\n                \"logAnalytics\": {\n                  \"value\": \"[[parameters('logAnalytics')]\"\n                },\n                \"location\": {\n                  \"value\": \"[[field('location')]\"\n                },\n                \"resourceName\": {\n                  \"value\": \"[[field('name')]\"\n                },\n                \"profileName\": {\n                  \"value\": \"[[parameters('profileName')]\"\n                },\n                \"logsEnabled\": {\n                  \"value\": \"[[parameters('logsEnabled')]\"\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}",
-    "$fxv#67": "{\n  \"name\": \"Deploy-Diagnostics-MariaDB\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n    \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\n    \"metadata\": {\n      \"version\": \"1.1.0\",\n      \"category\": \"Monitoring\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"logAnalytics\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Log Analytics workspace\",\n          \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"strongType\": \"omsWorkspace\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"profileName\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"setbypolicy\",\n        \"metadata\": {\n          \"displayName\": \"Profile name\",\n          \"description\": \"The diagnostic settings profile name\"\n        }\n      },\n      \"metricsEnabled\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"True\",\n        \"allowedValues\": [\n          \"True\",\n          \"False\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Enable metrics\",\n          \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n        }\n      },\n      \"logsEnabled\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"True\",\n        \"allowedValues\": [\n          \"True\",\n          \"False\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Enable logs\",\n          \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"field\": \"type\",\n        \"equals\": \"Microsoft.DBforMariaDB/servers\"\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Insights/diagnosticSettings\",\n          \"name\": \"[[parameters('profileName')]\",\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n                \"equals\": \"true\"\n              },\n              {\n                \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n                \"equals\": \"true\"\n              },\n              {\n                \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n                \"equals\": \"[[parameters('logAnalytics')]\"\n              }\n            ]\n          },\n          \"roleDefinitionIds\": [\n            \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n            \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n          ],\n          \"deployment\": {\n            \"properties\": {\n              \"mode\": \"Incremental\",\n              \"template\": {\n                \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"resourceName\": {\n                    \"type\": \"String\"\n                  },\n                  \"logAnalytics\": {\n                    \"type\": \"String\"\n                  },\n                  \"location\": {\n                    \"type\": \"String\"\n                  },\n                  \"profileName\": {\n                    \"type\": \"String\"\n                  },\n                  \"metricsEnabled\": {\n                    \"type\": \"String\"\n                  },\n                  \"logsEnabled\": {\n                    \"type\": \"String\"\n                  }\n                },\n                \"variables\": {},\n                \"resources\": [\n                  {\n                    \"type\": \"Microsoft.DBforMariaDB/servers/providers/diagnosticSettings\",\n                    \"apiVersion\": \"2017-05-01-preview\",\n                    \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n                    \"location\": \"[[parameters('location')]\",\n                    \"dependsOn\": [],\n                    \"properties\": {\n                      \"workspaceId\": \"[[parameters('logAnalytics')]\",\n                      \"metrics\": [\n                        {\n                          \"category\": \"AllMetrics\",\n                          \"enabled\": \"[[parameters('metricsEnabled')]\",\n                          \"retentionPolicy\": {\n                            \"days\": 0,\n                            \"enabled\": false\n                          },\n                          \"timeGrain\": null\n                        }\n                      ],\n                      \"logs\": [\n                        {\n                          \"category\": \"MySqlSlowLogs\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"MySqlAuditLogs\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        }\n                      ]\n                    }\n                  }\n                ],\n                \"outputs\": {}\n              },\n              \"parameters\": {\n                \"logAnalytics\": {\n                  \"value\": \"[[parameters('logAnalytics')]\"\n                },\n                \"location\": {\n                  \"value\": \"[[field('location')]\"\n                },\n                \"resourceName\": {\n                  \"value\": \"[[field('name')]\"\n                },\n                \"profileName\": {\n                  \"value\": \"[[parameters('profileName')]\"\n                },\n                \"metricsEnabled\": {\n                  \"value\": \"[[parameters('metricsEnabled')]\"\n                },\n                \"logsEnabled\": {\n                  \"value\": \"[[parameters('logsEnabled')]\"\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}",
+    "$fxv#67": "{\n  \"name\": \"Deploy-Diagnostics-MariaDB\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"[Deprecated] Diagnostic Settings for MariaDB to Log Analytics Workspace\",\n    \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled. Deprecating due to service retirement, https://learn.microsoft.com/en-us/azure/mariadb/whats-happening-to-mariadb\",\n    \"metadata\": {\n      \"version\": \"1.1.0-deprecated\",\n      \"category\": \"Monitoring\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"deprecated\": true,\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"logAnalytics\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Log Analytics workspace\",\n          \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"strongType\": \"omsWorkspace\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"profileName\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"setbypolicy\",\n        \"metadata\": {\n          \"displayName\": \"Profile name\",\n          \"description\": \"The diagnostic settings profile name\"\n        }\n      },\n      \"metricsEnabled\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"True\",\n        \"allowedValues\": [\n          \"True\",\n          \"False\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Enable metrics\",\n          \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n        }\n      },\n      \"logsEnabled\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"True\",\n        \"allowedValues\": [\n          \"True\",\n          \"False\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Enable logs\",\n          \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"field\": \"type\",\n        \"equals\": \"Microsoft.DBforMariaDB/servers\"\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Insights/diagnosticSettings\",\n          \"name\": \"[[parameters('profileName')]\",\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n                \"equals\": \"true\"\n              },\n              {\n                \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n                \"equals\": \"true\"\n              },\n              {\n                \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n                \"equals\": \"[[parameters('logAnalytics')]\"\n              }\n            ]\n          },\n          \"roleDefinitionIds\": [\n            \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n            \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n          ],\n          \"deployment\": {\n            \"properties\": {\n              \"mode\": \"Incremental\",\n              \"template\": {\n                \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"resourceName\": {\n                    \"type\": \"String\"\n                  },\n                  \"logAnalytics\": {\n                    \"type\": \"String\"\n                  },\n                  \"location\": {\n                    \"type\": \"String\"\n                  },\n                  \"profileName\": {\n                    \"type\": \"String\"\n                  },\n                  \"metricsEnabled\": {\n                    \"type\": \"String\"\n                  },\n                  \"logsEnabled\": {\n                    \"type\": \"String\"\n                  }\n                },\n                \"variables\": {},\n                \"resources\": [\n                  {\n                    \"type\": \"Microsoft.DBforMariaDB/servers/providers/diagnosticSettings\",\n                    \"apiVersion\": \"2017-05-01-preview\",\n                    \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n                    \"location\": \"[[parameters('location')]\",\n                    \"dependsOn\": [],\n                    \"properties\": {\n                      \"workspaceId\": \"[[parameters('logAnalytics')]\",\n                      \"metrics\": [\n                        {\n                          \"category\": \"AllMetrics\",\n                          \"enabled\": \"[[parameters('metricsEnabled')]\",\n                          \"retentionPolicy\": {\n                            \"days\": 0,\n                            \"enabled\": false\n                          },\n                          \"timeGrain\": null\n                        }\n                      ],\n                      \"logs\": [\n                        {\n                          \"category\": \"MySqlSlowLogs\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"MySqlAuditLogs\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        }\n                      ]\n                    }\n                  }\n                ],\n                \"outputs\": {}\n              },\n              \"parameters\": {\n                \"logAnalytics\": {\n                  \"value\": \"[[parameters('logAnalytics')]\"\n                },\n                \"location\": {\n                  \"value\": \"[[field('location')]\"\n                },\n                \"resourceName\": {\n                  \"value\": \"[[field('name')]\"\n                },\n                \"profileName\": {\n                  \"value\": \"[[parameters('profileName')]\"\n                },\n                \"metricsEnabled\": {\n                  \"value\": \"[[parameters('metricsEnabled')]\"\n                },\n                \"logsEnabled\": {\n                  \"value\": \"[[parameters('logsEnabled')]\"\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n",
     "$fxv#68": "{\n  \"name\": \"Deploy-Diagnostics-MediaService\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n    \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\n    \"metadata\": {\n      \"version\": \"1.1.0\",\n      \"category\": \"Monitoring\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"logAnalytics\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Log Analytics workspace\",\n          \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"strongType\": \"omsWorkspace\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"profileName\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"setbypolicy\",\n        \"metadata\": {\n          \"displayName\": \"Profile name\",\n          \"description\": \"The diagnostic settings profile name\"\n        }\n      },\n      \"metricsEnabled\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"True\",\n        \"allowedValues\": [\n          \"True\",\n          \"False\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Enable metrics\",\n          \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n        }\n      },\n      \"logsEnabled\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"True\",\n        \"allowedValues\": [\n          \"True\",\n          \"False\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Enable logs\",\n          \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"field\": \"type\",\n        \"equals\": \"Microsoft.Media/mediaServices\"\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Insights/diagnosticSettings\",\n          \"name\": \"[[parameters('profileName')]\",\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n                \"equals\": \"true\"\n              },\n              {\n                \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n                \"equals\": \"true\"\n              },\n              {\n                \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n                \"equals\": \"[[parameters('logAnalytics')]\"\n              }\n            ]\n          },\n          \"roleDefinitionIds\": [\n            \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n            \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n          ],\n          \"deployment\": {\n            \"properties\": {\n              \"mode\": \"Incremental\",\n              \"template\": {\n                \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"resourceName\": {\n                    \"type\": \"String\"\n                  },\n                  \"logAnalytics\": {\n                    \"type\": \"String\"\n                  },\n                  \"location\": {\n                    \"type\": \"String\"\n                  },\n                  \"profileName\": {\n                    \"type\": \"String\"\n                  },\n                  \"metricsEnabled\": {\n                    \"type\": \"String\"\n                  },\n                  \"logsEnabled\": {\n                    \"type\": \"String\"\n                  }\n                },\n                \"variables\": {},\n                \"resources\": [\n                  {\n                    \"type\": \"Microsoft.Media/mediaServices/providers/diagnosticSettings\",\n                    \"apiVersion\": \"2017-05-01-preview\",\n                    \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n                    \"location\": \"[[parameters('location')]\",\n                    \"dependsOn\": [],\n                    \"properties\": {\n                      \"workspaceId\": \"[[parameters('logAnalytics')]\",\n                      \"metrics\": [\n                        {\n                          \"category\": \"AllMetrics\",\n                          \"enabled\": \"[[parameters('metricsEnabled')]\",\n                          \"retentionPolicy\": {\n                            \"days\": 0,\n                            \"enabled\": false\n                          },\n                          \"timeGrain\": null\n                        }\n                      ],\n                      \"logs\": [\n                        {\n                          \"category\": \"KeyDeliveryRequests\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        }\n                      ]\n                    }\n                  }\n                ],\n                \"outputs\": {}\n              },\n              \"parameters\": {\n                \"logAnalytics\": {\n                  \"value\": \"[[parameters('logAnalytics')]\"\n                },\n                \"location\": {\n                  \"value\": \"[[field('location')]\"\n                },\n                \"resourceName\": {\n                  \"value\": \"[[field('name')]\"\n                },\n                \"profileName\": {\n                  \"value\": \"[[parameters('profileName')]\"\n                },\n                \"metricsEnabled\": {\n                  \"value\": \"[[parameters('metricsEnabled')]\"\n                },\n                \"logsEnabled\": {\n                  \"value\": \"[[parameters('logsEnabled')]\"\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}",
     "$fxv#69": "{\n  \"name\": \"Deploy-Diagnostics-MlWorkspace\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n    \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\",\n    \"metadata\": {\n      \"version\": \"1.2.0\",\n      \"category\": \"Monitoring\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"logAnalytics\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Log Analytics workspace\",\n          \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"strongType\": \"omsWorkspace\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"profileName\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"setbypolicy\",\n        \"metadata\": {\n          \"displayName\": \"Profile name\",\n          \"description\": \"The diagnostic settings profile name\"\n        }\n      },\n      \"metricsEnabled\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"True\",\n        \"allowedValues\": [\n          \"True\",\n          \"False\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Enable metrics\",\n          \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n        }\n      },\n      \"logsEnabled\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"True\",\n        \"allowedValues\": [\n          \"True\",\n          \"False\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Enable logs\",\n          \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"field\": \"type\",\n        \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Insights/diagnosticSettings\",\n          \"name\": \"[[parameters('profileName')]\",\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n                \"equals\": \"true\"\n              },\n              {\n                \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n                \"equals\": \"true\"\n              },\n              {\n                \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n                \"equals\": \"[[parameters('logAnalytics')]\"\n              }\n            ]\n          },\n          \"roleDefinitionIds\": [\n            \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n            \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n          ],\n          \"deployment\": {\n            \"properties\": {\n              \"mode\": \"Incremental\",\n              \"template\": {\n                \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"resourceName\": {\n                    \"type\": \"String\"\n                  },\n                  \"logAnalytics\": {\n                    \"type\": \"String\"\n                  },\n                  \"location\": {\n                    \"type\": \"String\"\n                  },\n                  \"profileName\": {\n                    \"type\": \"String\"\n                  },\n                  \"metricsEnabled\": {\n                    \"type\": \"String\"\n                  },\n                  \"logsEnabled\": {\n                    \"type\": \"String\"\n                  }\n                },\n                \"variables\": {},\n                \"resources\": [\n                  {\n                    \"type\": \"Microsoft.MachineLearningServices/workspaces/providers/diagnosticSettings\",\n                    \"apiVersion\": \"2017-05-01-preview\",\n                    \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n                    \"location\": \"[[parameters('location')]\",\n                    \"dependsOn\": [],\n                    \"properties\": {\n                      \"workspaceId\": \"[[parameters('logAnalytics')]\",\n                      \"metrics\": [\n                        {\n                          \"category\": \"AllMetrics\",\n                          \"enabled\": \"[[parameters('metricsEnabled')]\",\n                          \"retentionPolicy\": {\n                            \"enabled\": false,\n                            \"days\": 0\n                          }\n                        }\n                      ],\n                      \"logs\": [\n                        {\n                          \"category\": \"AmlComputeClusterEvent\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"AmlComputeClusterNodeEvent\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"AmlComputeJobEvent\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"AmlComputeCpuGpuUtilization\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"AmlRunStatusChangedEvent\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"ModelsChangeEvent\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"ModelsReadEvent\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"ModelsActionEvent\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"DeploymentReadEvent\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"DeploymentEventACI\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"DeploymentEventAKS\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"InferencingOperationAKS\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"InferencingOperationACI\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"DataLabelChangeEvent\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"DataLabelReadEvent\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"ComputeInstanceEvent\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"DataStoreChangeEvent\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"DataStoreReadEvent\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"DataSetChangeEvent\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"DataSetReadEvent\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"PipelineChangeEvent\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"PipelineReadEvent\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"RunEvent\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"RunReadEvent\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"EnvironmentChangeEvent\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"EnvironmentReadEvent\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        }\n                      ]\n                    }\n                  }\n                ],\n                \"outputs\": {}\n              },\n              \"parameters\": {\n                \"logAnalytics\": {\n                  \"value\": \"[[parameters('logAnalytics')]\"\n                },\n                \"location\": {\n                  \"value\": \"[[field('location')]\"\n                },\n                \"resourceName\": {\n                  \"value\": \"[[field('name')]\"\n                },\n                \"profileName\": {\n                  \"value\": \"[[parameters('profileName')]\"\n                },\n                \"metricsEnabled\": {\n                  \"value\": \"[[parameters('metricsEnabled')]\"\n                },\n                \"logsEnabled\": {\n                  \"value\": \"[[parameters('logsEnabled')]\"\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}",
     "$fxv#7": "{\n    \"name\": \"Audit-ServerFarms-UnusedResourcesCostOptimization\",\n    \"type\": \"Microsoft.Authorization/policyDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"displayName\": \"Unused App Service plans driving cost should be avoided\",\n        \"mode\": \"All\",\n        \"description\": \"Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned App Service plans that are driving cost.\",\n        \"metadata\": {\n            \"version\": \"1.0.0\",\n            \"category\": \"Cost Optimization\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\",\n                \"AzureChinaCloud\",\n                \"AzureUSGovernment\"\n            ]\n        },\n        \"parameters\": {\n            \"effect\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            }\n        },\n        \"policyRule\": {\n            \"if\": {\n                \"allOf\": [\n                    {\n                        \"field\": \"type\",\n                        \"equals\": \"Microsoft.Web/serverfarms\"\n                    },\n                    {\n                        \"field\": \"Microsoft.Web/serverFarms/sku.tier\",\n                        \"notEquals\": \"Free\"\n                    },\n                    {\n                        \"field\": \"Microsoft.Web/serverFarms/numberOfSites\",\n                        \"equals\": 0\n                    }\n                ]\n            },\n            \"then\": {\n                \"effect\": \"[[parameters('effect')]\"\n            }\n        }\n    }\n}",
@@ -406,15 +414,15 @@
         "[variables('$fxv#107')]",
         "[variables('$fxv#108')]",
         "[variables('$fxv#109')]",
-        "[variables('$fxv#110')]"
-      ],
-      "AzureCloud": [
+        "[variables('$fxv#110')]",
         "[variables('$fxv#111')]",
         "[variables('$fxv#112')]",
         "[variables('$fxv#113')]",
         "[variables('$fxv#114')]",
         "[variables('$fxv#115')]",
-        "[variables('$fxv#116')]",
+        "[variables('$fxv#116')]"
+      ],
+      "AzureCloud": [
         "[variables('$fxv#117')]",
         "[variables('$fxv#118')]",
         "[variables('$fxv#119')]",
@@ -423,56 +431,64 @@
         "[variables('$fxv#122')]",
         "[variables('$fxv#123')]",
         "[variables('$fxv#124')]",
-        "[variables('$fxv#125')]"
-      ],
-      "AzureChinaCloud": [
+        "[variables('$fxv#125')]",
         "[variables('$fxv#126')]",
         "[variables('$fxv#127')]",
         "[variables('$fxv#128')]",
         "[variables('$fxv#129')]",
         "[variables('$fxv#130')]",
-        "[variables('$fxv#131')]",
+        "[variables('$fxv#131')]"
+      ],
+      "AzureChinaCloud": [
         "[variables('$fxv#132')]",
         "[variables('$fxv#133')]",
-        "[variables('$fxv#134')]"
-      ],
-      "AzureUSGovernment": [
+        "[variables('$fxv#134')]",
         "[variables('$fxv#135')]",
         "[variables('$fxv#136')]",
-        "[variables('$fxv#137')]"
-      ]
-    },
-    "loadPolicySetDefinitions": {
-      "All": [
+        "[variables('$fxv#137')]",
         "[variables('$fxv#138')]",
         "[variables('$fxv#139')]",
-        "[variables('$fxv#140')]",
+        "[variables('$fxv#140')]"
+      ],
+      "AzureUSGovernment": [
         "[variables('$fxv#141')]",
         "[variables('$fxv#142')]",
-        "[variables('$fxv#143')]",
-        "[variables('$fxv#144')]"
-      ],
-      "AzureCloud": [
+        "[variables('$fxv#143')]"
+      ]
+    },
+    "loadPolicySetDefinitions": {
+      "All": [
+        "[variables('$fxv#144')]",
         "[variables('$fxv#145')]",
         "[variables('$fxv#146')]",
         "[variables('$fxv#147')]",
         "[variables('$fxv#148')]",
         "[variables('$fxv#149')]",
-        "[variables('$fxv#150')]"
+        "[variables('$fxv#150')]",
+        "[variables('$fxv#151')]"
       ],
-      "AzureChinaCloud": [
-        "[variables('$fxv#151')]",
+      "AzureCloud": [
         "[variables('$fxv#152')]",
         "[variables('$fxv#153')]",
         "[variables('$fxv#154')]",
-        "[variables('$fxv#155')]"
-      ],
-      "AzureUSGovernment": [
+        "[variables('$fxv#155')]",
         "[variables('$fxv#156')]",
         "[variables('$fxv#157')]",
-        "[variables('$fxv#158')]",
+        "[variables('$fxv#158')]"
+      ],
+      "AzureChinaCloud": [
         "[variables('$fxv#159')]",
-        "[variables('$fxv#160')]"
+        "[variables('$fxv#160')]",
+        "[variables('$fxv#161')]",
+        "[variables('$fxv#162')]",
+        "[variables('$fxv#163')]"
+      ],
+      "AzureUSGovernment": [
+        "[variables('$fxv#164')]",
+        "[variables('$fxv#165')]",
+        "[variables('$fxv#166')]",
+        "[variables('$fxv#167')]",
+        "[variables('$fxv#168')]"
       ]
     },
     "policyDefinitionsByCloudType": {
diff --git a/eslzArm/resourceGroupTemplates/dataCollectionRule-CT.json b/eslzArm/resourceGroupTemplates/dataCollectionRule-CT.json
new file mode 100644
index 000000000..c1253b3be
--- /dev/null
+++ b/eslzArm/resourceGroupTemplates/dataCollectionRule-CT.json
@@ -0,0 +1,327 @@
+{
+    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "dataCollectionRuleName": {
+            "type": "string",
+            "metadata": {
+                "description": "Specifies the name of the data collection rule to create."
+            },
+            "defaultValue": "ama-ct-dcr"
+        },
+        "workspaceResourceId": {
+            "type": "string",
+            "metadata": {
+                "description": "Specifies the Azure resource ID of the Log Analytics workspace to use to store change tracking data."
+            }
+        },
+        "WorkspaceLocation": {
+            "type": "string",
+            "metadata": {
+                "description": "Specifies the location of the Log Analytics workspace to use to store change tracking data."
+            }
+        }
+    },
+    "variables": {
+        "subscriptionId": "[substring(parameters('workspaceResourceId'), 15, sub(indexOf(parameters('workspaceResourceId'), '/resourceGroups/'), 15))]",
+        "resourceGroupName": "[substring(parameters('workspaceResourceId'), add(indexOf(parameters('workspaceResourceId'), '/resourceGroups/'), 16), sub(sub(indexOf(parameters('workspaceResourceId'), '/providers/'), indexOf(parameters('workspaceResourceId'), '/resourceGroups/')),16))]",
+        "workspaceName": "[substring(parameters('workspaceResourceId'), add(lastIndexOf(parameters('workspaceResourceId'), '/'), 1), sub(length(parameters('workspaceResourceId')), add(lastIndexOf(parameters('workspaceResourceId'), '/'), 1)))]"
+    },
+    "resources": [
+        {
+            "type": "microsoft.resources/deployments",
+            "name": "CtDcr-Deployment",
+            "apiVersion": "2020-08-01",
+            "properties": {
+                "mode": "Incremental",
+                "template": {
+                    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+                    "contentVersion": "1.0.0.0",
+                    "parameters": {},
+                    "resources": [
+                        {
+                            "type": "Microsoft.Insights/dataCollectionRules",
+                            "apiVersion": "2021-04-01",
+                            "name": "[parameters('dataCollectionRuleName')]",
+                            "location": "[parameters('WorkspaceLocation')]",
+                            "properties": {
+                                "description": "Data collection rule for CT.",
+                                "dataSources": {
+                                    "extensions": [
+                                        {
+                                            "streams": [
+                                                "Microsoft-ConfigurationChange",
+                                                "Microsoft-ConfigurationChangeV2",
+                                                "Microsoft-ConfigurationData"
+                                            ],
+                                            "extensionName": "ChangeTracking-Windows",
+                                            "extensionSettings": {
+                                                "enableFiles": true,
+                                                "enableSoftware": true,
+                                                "enableRegistry": true,
+                                                "enableServices": true,
+                                                "enableInventory": true,
+                                                "registrySettings": {
+                                                    "registryCollectionFrequency": 3000,
+                                                    "registryInfo": [
+                                                        {
+                                                            "name": "Registry_1",
+                                                            "groupTag": "Recommended",
+                                                            "enabled": false,
+                                                            "recurse": true,
+                                                            "description": "",
+                                                            "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Scripts\\Startup",
+                                                            "valueName": ""
+                                                        },
+                                                        {
+                                                            "name": "Registry_2",
+                                                            "groupTag": "Recommended",
+                                                            "enabled": false,
+                                                            "recurse": true,
+                                                            "description": "",
+                                                            "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Scripts\\Shutdown",
+                                                            "valueName": ""
+                                                        },
+                                                        {
+                                                            "name": "Registry_3",
+                                                            "groupTag": "Recommended",
+                                                            "enabled": false,
+                                                            "recurse": true,
+                                                            "description": "",
+                                                            "keyName": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
+                                                            "valueName": ""
+                                                        },
+                                                        {
+                                                            "name": "Registry_4",
+                                                            "groupTag": "Recommended",
+                                                            "enabled": false,
+                                                            "recurse": true,
+                                                            "description": "",
+                                                            "keyName": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components",
+                                                            "valueName": ""
+                                                        },
+                                                        {
+                                                            "name": "Registry_5",
+                                                            "groupTag": "Recommended",
+                                                            "enabled": false,
+                                                            "recurse": true,
+                                                            "description": "",
+                                                            "keyName": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Directory\\ShellEx\\ContextMenuHandlers",
+                                                            "valueName": ""
+                                                        },
+                                                        {
+                                                            "name": "Registry_6",
+                                                            "groupTag": "Recommended",
+                                                            "enabled": false,
+                                                            "recurse": true,
+                                                            "description": "",
+                                                            "keyName": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Directory\\Background\\ShellEx\\ContextMenuHandlers",
+                                                            "valueName": ""
+                                                        },
+                                                        {
+                                                            "name": "Registry_7",
+                                                            "groupTag": "Recommended",
+                                                            "enabled": false,
+                                                            "recurse": true,
+                                                            "description": "",
+                                                            "keyName": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Directory\\Shellex\\CopyHookHandlers",
+                                                            "valueName": ""
+                                                        },
+                                                        {
+                                                            "name": "Registry_8",
+                                                            "groupTag": "Recommended",
+                                                            "enabled": false,
+                                                            "recurse": true,
+                                                            "description": "",
+                                                            "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers",
+                                                            "valueName": ""
+                                                        },
+                                                        {
+                                                            "name": "Registry_9",
+                                                            "groupTag": "Recommended",
+                                                            "enabled": false,
+                                                            "recurse": true,
+                                                            "description": "",
+                                                            "keyName": "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers",
+                                                            "valueName": ""
+                                                        },
+                                                        {
+                                                            "name": "Registry_10",
+                                                            "groupTag": "Recommended",
+                                                            "enabled": false,
+                                                            "recurse": true,
+                                                            "description": "",
+                                                            "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects",
+                                                            "valueName": ""
+                                                        },
+                                                        {
+                                                            "name": "Registry_11",
+                                                            "groupTag": "Recommended",
+                                                            "enabled": false,
+                                                            "recurse": true,
+                                                            "description": "",
+                                                            "keyName": "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects",
+                                                            "valueName": ""
+                                                        },
+                                                        {
+                                                            "name": "Registry_12",
+                                                            "groupTag": "Recommended",
+                                                            "enabled": false,
+                                                            "recurse": true,
+                                                            "description": "",
+                                                            "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Extensions",
+                                                            "valueName": ""
+                                                        },
+                                                        {
+                                                            "name": "Registry_13",
+                                                            "groupTag": "Recommended",
+                                                            "enabled": false,
+                                                            "recurse": true,
+                                                            "description": "",
+                                                            "keyName": "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Internet Explorer\\Extensions",
+                                                            "valueName": ""
+                                                        },
+                                                        {
+                                                            "name": "Registry_14",
+                                                            "groupTag": "Recommended",
+                                                            "enabled": false,
+                                                            "recurse": true,
+                                                            "description": "",
+                                                            "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32",
+                                                            "valueName": ""
+                                                        },
+                                                        {
+                                                            "name": "Registry_15",
+                                                            "groupTag": "Recommended",
+                                                            "enabled": false,
+                                                            "recurse": true,
+                                                            "description": "",
+                                                            "keyName": "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32",
+                                                            "valueName": ""
+                                                        },
+                                                        {
+                                                            "name": "Registry_16",
+                                                            "groupTag": "Recommended",
+                                                            "enabled": false,
+                                                            "recurse": true,
+                                                            "description": "",
+                                                            "keyName": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\KnownDlls",
+                                                            "valueName": ""
+                                                        },
+                                                        {
+                                                            "name": "Registry_17",
+                                                            "groupTag": "Recommended",
+                                                            "enabled": false,
+                                                            "recurse": true,
+                                                            "description": "",
+                                                            "keyName": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify",
+                                                            "valueName": ""
+                                                        }
+                                                    ]
+                                                },
+                                                "fileSettings": {
+                                                    "fileCollectionFrequency": 2700
+                                                },
+                                                "softwareSettings": {
+                                                    "softwareCollectionFrequency": 1800
+                                                },
+                                                "inventorySettings": {
+                                                    "inventoryCollectionFrequency": 36000
+                                                },
+                                                "servicesSettings": {
+                                                    "serviceCollectionFrequency": 1800
+                                                }
+                                            },
+                                            "name": "CTDataSource-Windows"
+                                        },
+                                        {
+                                            "streams": [
+                                                "Microsoft-ConfigurationChange",
+                                                "Microsoft-ConfigurationChangeV2",
+                                                "Microsoft-ConfigurationData"
+                                            ],
+                                            "extensionName": "ChangeTracking-Linux",
+                                            "extensionSettings": {
+                                                "enableFiles": true,
+                                                "enableSoftware": true,
+                                                "enableRegistry": false,
+                                                "enableServices": true,
+                                                "enableInventory": true,
+                                                "fileSettings": {
+                                                    "fileCollectionFrequency": 900,
+                                                    "fileInfo": [
+                                                        {
+                                                            "name": "ChangeTrackingLinuxPath_default",
+                                                            "enabled": true,
+                                                            "destinationPath": "/etc/.*.conf",
+                                                            "useSudo": true,
+                                                            "recurse": true,
+                                                            "maxContentsReturnable": 5000000,
+                                                            "pathType": "File",
+                                                            "type": "File",
+                                                            "links": "Follow",
+                                                            "maxOutputSize": 500000,
+                                                            "groupTag": "Recommended"
+                                                        }
+                                                    ]
+                                                },
+                                                "softwareSettings": {
+                                                    "softwareCollectionFrequency": 300
+                                                },
+                                                "inventorySettings": {
+                                                    "inventoryCollectionFrequency": 36000
+                                                },
+                                                "servicesSettings": {
+                                                    "serviceCollectionFrequency": 300
+                                                }
+                                            },
+                                            "name": "CTDataSource-Linux"
+                                        }
+                                    ]
+                                },
+                                "destinations": {
+                                    "logAnalytics": [
+                                        {
+                                            "workspaceResourceId": "[parameters('workspaceResourceId')]",
+                                            "name": "Microsoft-CT-Dest"
+                                        }
+                                    ]
+                                },
+                                "dataFlows": [
+                                    {
+                                        "streams": [
+                                            "Microsoft-ConfigurationChange",
+                                            "Microsoft-ConfigurationChangeV2",
+                                            "Microsoft-ConfigurationData"
+                                        ],
+                                        "destinations": [
+                                            "Microsoft-CT-Dest"
+                                        ]
+                                    }
+                                ]
+                            }
+                        },
+                        {
+                            "type": "Microsoft.OperationsManagement/solutions",
+                            "name": "[Concat('ChangeTracking', '(', variables('workspaceName'), ')')]",
+                            "location": "[parameters('WorkspaceLocation')]",
+                            "apiVersion": "2015-11-01-preview",
+                            "id": "[Concat('/subscriptions/', variables('subscriptionId'), '/resourceGroups/', variables('resourceGroupName'), '/providers/Microsoft.OperationsManagement/solutions/ChangeTracking', '(', variables('workspaceName'), ')')]",
+                            "properties": {
+                                "workspaceResourceId": "[parameters('workspaceResourceId')]"
+                            },
+                            "plan": {
+                                "name": "[Concat('ChangeTracking', '(', variables('workspaceName'), ')')]",
+                                "product": "OMSGallery/ChangeTracking",
+                                "promotionCode": "",
+                                "publisher": "Microsoft"
+                            }
+                        }
+                    ]
+                }
+            },
+            "subscriptionId": "[split(parameters('WorkspaceResourceId'),'/')[2]]",
+            "resourceGroup": "[split(parameters('WorkspaceResourceId'),'/')[4]]"
+        }
+    ]
+}
diff --git a/eslzArm/resourceGroupTemplates/dataCollectionRule-DefenderSQL.json b/eslzArm/resourceGroupTemplates/dataCollectionRule-DefenderSQL.json
new file mode 100644
index 000000000..540a801a7
--- /dev/null
+++ b/eslzArm/resourceGroupTemplates/dataCollectionRule-DefenderSQL.json
@@ -0,0 +1,105 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "WorkspaceResourceId": {
+            "type": "String",
+            "metadata": {
+                "description": "Workspace Resource ID."
+            }
+        },
+        "WorkspaceLocation": {
+            "type": "String",
+            "metadata": {
+                "description": "Workspace Location."
+            }
+        },
+        "userGivenDcrName": {
+            "type": "String",
+            "metadata": {
+                "displayName": "Name of the Data Collection Rule(DCR)",
+                "description": "This is the name of the AMA-VMI Data Collection Rule(DCR)"
+            },
+            "defaultValue": "ama-vmi-default-perfAndda-dcr"
+        },
+        "enableCollectionOfSqlQueriesForSecurityResearch": {
+            "type": "Bool",
+            "metadata": {
+                "displayName": "Enable collection of SQL queries for security research",
+                "description": "Enable collection of SQL queries for security research"
+            },
+            "defaultValue": false
+        }
+    },
+    "variables": {},
+    "resources": [
+        {
+            "type": "Microsoft.Resources/deployments",
+            "apiVersion": "2021-04-01",
+            "name": "[parameters('userGivenDcrName')]",
+            "properties": {
+                "mode": "Incremental",
+                "template": {
+                    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+                    "contentVersion": "1.0.0.0",
+                    "parameters": {},
+                    "variables": {},
+                    "resources": [
+                        {
+                            "type": "Microsoft.Insights/dataCollectionRules",
+                            "apiVersion": "2021-04-01",
+                            "name": "[parameters('userGivenDcrName')]",
+                            "location": "[parameters('WorkspaceLocation')]",
+                            "properties": {
+                                "description": "Data collection rule for Defender for SQL.",
+                                "dataSources": {
+                                    "extensions": [
+                                        {
+                                            "extensionName": "MicrosoftDefenderForSQL",
+                                            "name": "MicrosoftDefenderForSQL",
+                                            "streams": [
+                                                "Microsoft-DefenderForSqlAlerts",
+                                                "Microsoft-DefenderForSqlLogins",
+                                                "Microsoft-DefenderForSqlTelemetry",
+                                                "Microsoft-DefenderForSqlScanEvents",
+                                                "Microsoft-DefenderForSqlScanResults"
+                                            ],
+                                            "extensionSettings": {
+                                                "enableCollectionOfSqlQueriesForSecurityResearch": "[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]"
+                                            }
+                                        }
+                                    ]
+                                },
+                                "destinations": {
+                                    "logAnalytics": [
+                                        {
+                                            "workspaceResourceId": "[parameters('WorkspaceResourceId')]",
+                                            "name": "LogAnalyticsDest"
+                                        }
+                                    ]
+                                },
+                                "dataFlows": [
+                                    {
+                                        "streams": [
+                                            "Microsoft-DefenderForSqlAlerts",
+                                            "Microsoft-DefenderForSqlLogins",
+                                            "Microsoft-DefenderForSqlTelemetry",
+                                            "Microsoft-DefenderForSqlScanEvents",
+                                            "Microsoft-DefenderForSqlScanResults"
+                                        ],
+                                        "destinations": [
+                                            "LogAnalyticsDest"
+                                        ]
+                                    }
+                                ]
+                            }
+                        }
+                    ]
+                }
+            },
+            "subscriptionId": "[split(parameters('WorkspaceResourceId'),'/')[2]]",
+            "resourceGroup": "[split(parameters('WorkspaceResourceId'),'/')[4]]"
+        }
+    ],
+    "outputs": {}
+}
\ No newline at end of file
diff --git a/eslzArm/resourceGroupTemplates/dataCollectionRule-VmInsights.json b/eslzArm/resourceGroupTemplates/dataCollectionRule-VmInsights.json
new file mode 100644
index 000000000..091c6c67e
--- /dev/null
+++ b/eslzArm/resourceGroupTemplates/dataCollectionRule-VmInsights.json
@@ -0,0 +1,108 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "WorkspaceResourceId": {
+            "type": "String",
+            "metadata": {
+                "description": "Workspace Resource ID."
+            }
+        },
+        "WorkspaceLocation": {
+            "type": "String",
+            "metadata": {
+                "description": "Workspace Location."
+            }
+        },
+        "userGivenDcrName": {
+            "type": "String",
+            "metadata": {
+              "displayName": "Name of the Data Collection Rule(DCR)",
+              "description": "This is the name of the AMA-VMI Data Collection Rule(DCR)"
+            },
+            "defaultValue": "ama-vmi-default-perfAndda-dcr"
+        }
+    },
+    "variables": {},
+    "resources": [
+        {
+            "type": "Microsoft.Resources/deployments",
+            "apiVersion": "2021-04-01",
+            "name": "[parameters('userGivenDcrName')]",
+            "properties": {
+                "mode": "Incremental",
+                "template": {
+                    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+                    "contentVersion": "1.0.0.0",
+                    "parameters": {},
+                    "variables": {},
+                    "resources": [
+                        {
+                            "type": "Microsoft.Insights/dataCollectionRules",
+                            "apiVersion": "2021-04-01",
+                            "name": "[parameters('userGivenDcrName')]",
+                            "location": "[parameters('WorkspaceLocation')]",
+                            "properties": {
+                                "description": "Data collection rule for VM Insights.",
+                                "dataSources": {
+                                    "performanceCounters": [
+                                        {
+                                            "name": "VMInsightsPerfCounters",
+                                            "streams": [
+                                                "Microsoft-InsightsMetrics"
+                                            ],
+                                            "scheduledTransferPeriod": "PT1M",
+                                            "samplingFrequencyInSeconds": 60,
+                                            "counterSpecifiers": [
+                                                "\\VmInsights\\DetailedMetrics"
+                                            ]
+                                        }
+                                    ],
+                                    "extensions": [
+                                        {
+                                            "streams": [
+                                                "Microsoft-ServiceMap"
+                                            ],
+                                            "extensionName": "DependencyAgent",
+                                            "extensionSettings": {},
+                                            "name": "DependencyAgentDataSource"
+                                        }
+                                    ]
+                                },
+                                "destinations": {
+                                    "logAnalytics": [
+                                        {
+                                            "workspaceResourceId": "[parameters('WorkspaceResourceId')]",
+                                            "name": "VMInsightsPerf-Logs-Dest"
+                                        }
+                                    ]
+                                },
+                                "dataFlows": [
+                                    {
+                                        "streams": [
+                                            "Microsoft-InsightsMetrics"
+                                        ],
+                                        "destinations": [
+                                            "VMInsightsPerf-Logs-Dest"
+                                        ]
+                                    },
+                                    {
+                                        "streams": [
+                                            "Microsoft-ServiceMap"
+                                        ],
+                                        "destinations": [
+                                            "VMInsightsPerf-Logs-Dest"
+                                        ]
+                                    }
+                                ]
+                            }
+                        }
+                    ]
+                }
+            },
+            "subscriptionId": "[split(parameters('WorkspaceResourceId'),'/')[2]]",
+            "resourceGroup": "[split(parameters('WorkspaceResourceId'),'/')[4]]"
+        }
+    ],
+    "outputs": {}
+}
\ No newline at end of file
diff --git a/eslzArm/resourceGroupTemplates/dataCollectionRule.json b/eslzArm/resourceGroupTemplates/dataCollectionRule.json
new file mode 100644
index 000000000..091c6c67e
--- /dev/null
+++ b/eslzArm/resourceGroupTemplates/dataCollectionRule.json
@@ -0,0 +1,108 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "WorkspaceResourceId": {
+            "type": "String",
+            "metadata": {
+                "description": "Workspace Resource ID."
+            }
+        },
+        "WorkspaceLocation": {
+            "type": "String",
+            "metadata": {
+                "description": "Workspace Location."
+            }
+        },
+        "userGivenDcrName": {
+            "type": "String",
+            "metadata": {
+              "displayName": "Name of the Data Collection Rule(DCR)",
+              "description": "This is the name of the AMA-VMI Data Collection Rule(DCR)"
+            },
+            "defaultValue": "ama-vmi-default-perfAndda-dcr"
+        }
+    },
+    "variables": {},
+    "resources": [
+        {
+            "type": "Microsoft.Resources/deployments",
+            "apiVersion": "2021-04-01",
+            "name": "[parameters('userGivenDcrName')]",
+            "properties": {
+                "mode": "Incremental",
+                "template": {
+                    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+                    "contentVersion": "1.0.0.0",
+                    "parameters": {},
+                    "variables": {},
+                    "resources": [
+                        {
+                            "type": "Microsoft.Insights/dataCollectionRules",
+                            "apiVersion": "2021-04-01",
+                            "name": "[parameters('userGivenDcrName')]",
+                            "location": "[parameters('WorkspaceLocation')]",
+                            "properties": {
+                                "description": "Data collection rule for VM Insights.",
+                                "dataSources": {
+                                    "performanceCounters": [
+                                        {
+                                            "name": "VMInsightsPerfCounters",
+                                            "streams": [
+                                                "Microsoft-InsightsMetrics"
+                                            ],
+                                            "scheduledTransferPeriod": "PT1M",
+                                            "samplingFrequencyInSeconds": 60,
+                                            "counterSpecifiers": [
+                                                "\\VmInsights\\DetailedMetrics"
+                                            ]
+                                        }
+                                    ],
+                                    "extensions": [
+                                        {
+                                            "streams": [
+                                                "Microsoft-ServiceMap"
+                                            ],
+                                            "extensionName": "DependencyAgent",
+                                            "extensionSettings": {},
+                                            "name": "DependencyAgentDataSource"
+                                        }
+                                    ]
+                                },
+                                "destinations": {
+                                    "logAnalytics": [
+                                        {
+                                            "workspaceResourceId": "[parameters('WorkspaceResourceId')]",
+                                            "name": "VMInsightsPerf-Logs-Dest"
+                                        }
+                                    ]
+                                },
+                                "dataFlows": [
+                                    {
+                                        "streams": [
+                                            "Microsoft-InsightsMetrics"
+                                        ],
+                                        "destinations": [
+                                            "VMInsightsPerf-Logs-Dest"
+                                        ]
+                                    },
+                                    {
+                                        "streams": [
+                                            "Microsoft-ServiceMap"
+                                        ],
+                                        "destinations": [
+                                            "VMInsightsPerf-Logs-Dest"
+                                        ]
+                                    }
+                                ]
+                            }
+                        }
+                    ]
+                }
+            },
+            "subscriptionId": "[split(parameters('WorkspaceResourceId'),'/')[2]]",
+            "resourceGroup": "[split(parameters('WorkspaceResourceId'),'/')[4]]"
+        }
+    ],
+    "outputs": {}
+}
\ No newline at end of file
diff --git a/eslzArm/resourceGroupTemplates/userAssignedIdentity.json b/eslzArm/resourceGroupTemplates/userAssignedIdentity.json
new file mode 100644
index 000000000..e99377864
--- /dev/null
+++ b/eslzArm/resourceGroupTemplates/userAssignedIdentity.json
@@ -0,0 +1,53 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "location": {
+            "type": "string",
+            "defaultValue": "[resourceGroup().location]",
+            "metadata": {
+                "description": "location for the the resources to deploy."
+            }
+        },
+        "userAssignedIdentityName": {
+            "type": "string",
+            "defaultValue": "contoso-vmi-identity",
+            "metadata": {
+                "description": "The name of the Managed Identity resource."
+            }
+        },
+        "userAssignedIdentityResourceGroup": {
+            "type": "String",
+            "metadata": {
+                "description": "The name of the resource group where the Managed Identity resource will be created."
+            }
+        }
+    },
+    "variables": {},
+    "resources": [
+        {
+            "type": "Microsoft.Resources/deployments",
+            "apiVersion": "2021-04-01",
+            "name": "[parameters('userAssignedIdentityName')]",
+            "properties": {
+                "mode": "Incremental",
+                "template": {
+                    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+                    "contentVersion": "1.0.0.0",
+                    "parameters": {},
+                    "variables": {},
+                    "resources": [
+                        {
+                            "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
+                            "name": "[parameters('userAssignedIdentityName')]",
+                            "apiVersion": "2018-11-30",
+                            "location": "[parameters('location')]"
+                        }
+                    ]
+                }
+            },
+            "resourceGroup": "[parameters('userAssignedIdentityResourceGroup')]"
+        }
+    ],
+    "outputs": {}
+}
\ No newline at end of file
diff --git a/eslzArm/subscriptionTemplates/logAnalyticsSolutions.json b/eslzArm/subscriptionTemplates/logAnalyticsSolutions.json
index 7587d5903..7e13eb920 100644
--- a/eslzArm/subscriptionTemplates/logAnalyticsSolutions.json
+++ b/eslzArm/subscriptionTemplates/logAnalyticsSolutions.json
@@ -31,7 +31,7 @@
             "metadata": {
                 "description": "Select whether security solutions should be enabled or not."
             }
-        },
+        }/*,
         "enableAgentHealth": {
             "type": "string",
             "allowedValues": [
@@ -108,12 +108,12 @@
             "metadata": {
                 "description": "Select whether SQL advanced threat protection solution should be enabled or not."
             }
-        }
+        }*/
     },
     "variables": {
         "laResourceId": "[toLower(concat(subscription().id, '/resourceGroups/', parameters('rgName'), '/providers/Microsoft.OperationalInsights/workspaces/', parameters('workspaceName')))]",
         "solutions": {
-            "security": {
+            /*"security": {
                 "name": "[concat('Security', '(', parameters('workspaceName'), ')')]",
                 "marketplaceName": "Security"
             },
@@ -144,7 +144,7 @@
             "vmInsights": {
                 "name": "[concat('VMInsights', '(', parameters('workspaceName'), ')')]",
                 "marketplaceName": "VMInsights"
-            },
+            },*/
             "securityInsights": {
                 "name": "[concat('SecurityInsights', '(', parameters('workspaceName'), ')')]",
                 "marketplaceName": "SecurityInsights"
@@ -165,7 +165,7 @@
                     "parameters": {},
                     "variables": {},
                     "resources": [
-                        {
+                        /*{
                             // Conditionally deploy solution for agent health
                             "condition": "[equals(parameters('enableAgentHealth'), 'Yes')]",
                             "apiVersion": "2015-11-01-preview",
@@ -181,8 +181,8 @@
                                 "promotionCode": "",
                                 "publisher": "Microsoft"
                             }
-                        },
-                        {
+                        },*/
+                        /*{
                             // Conditionally deploy solution for change tracking
                             "condition": "[equals(parameters('enableChangeTracking'), 'Yes')]",
                             "apiVersion": "2015-11-01-preview",
@@ -198,8 +198,8 @@
                                 "promotionCode": "",
                                 "publisher": "Microsoft"
                             }
-                        },
-                        {
+                        },*/
+                        /*{
                             // Conditionally deploy solution for vm insights
                             "condition": "[equals(parameters('enableVmInsights'), 'Yes')]",
                             "apiVersion": "2015-11-01-preview",
@@ -215,8 +215,8 @@
                                 "promotionCode": "",
                                 "publisher": "Microsoft"
                             }
-                        },
-                        {
+                        },*/
+                        /*{
                             // Conditionally deploy solution for security
                             "condition": "[equals(parameters('enableSecuritySolution'), 'Yes')]",
                             "apiVersion": "2015-11-01-preview",
@@ -232,7 +232,7 @@
                                 "promotionCode": "",
                                 "publisher": "Microsoft"
                             }
-                        },
+                        },*/
                         {
                             // Conditionally deploy solution for sentinel
                             "condition": "[equals(parameters('enableSecuritySolution'), 'Yes')]",
@@ -252,7 +252,7 @@
                                 "promotionCode": "",
                                 "publisher": "Microsoft"
                             }
-                        },
+                        }/*,
                         {
                             // Conditionally deploy solution for SQL assessment
                             "condition": "[equals(parameters('enableSqlAssessment'), 'Yes')]",
@@ -269,8 +269,8 @@
                                 "promotionCode": "",
                                 "publisher": "Microsoft"
                             }
-                        },
-                        {
+                        },*/
+                        /*{
                             // Conditionally deploy solution for SQL advanced threat protection
                             "condition": "[equals(parameters('enableSqlAdvancedThreatProtection'), 'Yes')]",
                             "apiVersion": "2015-11-01-preview",
@@ -286,8 +286,8 @@
                                 "promotionCode": "",
                                 "publisher": "Microsoft"
                             }
-                        },
-                        {
+                        },*/
+                        /*{
                             // Conditionally deploy solution for SQL vulnerability protection
                             "condition": "[equals(parameters('enableSqlVulnerabilityAssessment'), 'Yes')]",
                             "apiVersion": "2015-11-01-preview",
@@ -303,8 +303,8 @@
                                 "promotionCode": "",
                                 "publisher": "Microsoft"
                             }
-                        },
-                        {
+                        },*/
+                        /*{
                             // Conditionally deploy solution for update management
                             "condition": "[equals(parameters('enableUpdateMgmt'), 'Yes')]",
                             "apiVersion": "2015-11-01-preview",
@@ -320,7 +320,7 @@
                                 "promotionCode": "",
                                 "publisher": "Microsoft"
                             }
-                        }
+                        }*/
                     ]
                 }
             }
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB.json
index ec621723f..f91ed51b2 100644
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB.json
@@ -6,12 +6,13 @@
   "properties": {
     "policyType": "Custom",
     "mode": "Indexed",
-    "displayName": "Deploy Diagnostic Settings for MariaDB to Log Analytics workspace",
-    "description": "Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+    "displayName": "[Deprecated] Diagnostic Settings for MariaDB to Log Analytics Workspace",
+    "description": "Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled. Deprecating due to service retirement, https://learn.microsoft.com/en-us/azure/mariadb/whats-happening-to-mariadb",
     "metadata": {
-      "version": "1.1.0",
+      "version": "1.1.0-deprecated",
       "category": "Monitoring",
       "source": "https://github.com/Azure/Enterprise-Scale/",
+      "deprecated": true,
       "alzCloudEnvironments": [
         "AzureCloud",
         "AzureChinaCloud",
@@ -190,4 +191,4 @@
       }
     }
   }
-}
\ No newline at end of file
+}
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-SQL-DCR-Association.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-SQL-DCR-Association.json
new file mode 100644
index 000000000..e93e79ce5
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-SQL-DCR-Association.json
@@ -0,0 +1,200 @@
+{
+  "name": "Deploy-MDFC-Arc-SQL-DCR-Association",
+  "type": "Microsoft.Authorization/policyDefinitions",
+  "apiVersion": "2021-06-01",
+  "scope": null,
+  "properties": {
+    "policyType": "Custom",
+    "mode": "Indexed",
+    "displayName": "Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR",
+    "description": "Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Servers.",
+    "metadata": {
+      "version": "1.0.0",
+      "category": "Security Center",
+      "source": "https://github.com/Azure/Enterprise-Scale/",
+      "alzCloudEnvironments": [
+        "AzureCloud",
+        "AzureChinaCloud",
+        "AzureUSGovernment"
+      ]
+    },
+    "parameters": {
+      "effect": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Effect",
+          "description": "Enable or disable the execution of the policy"
+        },
+        "allowedValues": [
+          "DeployIfNotExists",
+          "Disabled"
+        ],
+        "defaultValue": "DeployIfNotExists"
+      },
+      "workspaceRegion": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Workspace region",
+          "description": "Region of the Log Analytics workspace destination for the Data Collection Rule.",
+          "strongType": "location"
+        }
+      },
+      "dcrName": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Data Collection Rule Name",
+          "description": "Name of the Data Collection Rule."
+        }
+      },
+      "dcrResourceGroup": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Data Collection Rule Resource Group",
+          "description": "Resource Group of the Data Collection Rule."
+        }
+      },
+      "dcrId": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Data Collection Rule Id",
+          "description": "Id of the Data Collection Rule."
+        }
+      }
+    },
+    "policyRule": {
+      "if": {
+        "allOf": [
+          {
+            "field": "type",
+            "equals": "Microsoft.HybridCompute/machines"
+          },
+          {
+            "field": "Microsoft.HybridCompute/machines/osName",
+            "equals": "Windows"
+          },
+          {
+            "field": "Microsoft.HybridCompute/machines/mssqlDiscovered",
+            "equals": "true"
+          }
+        ]
+      },
+      "then": {
+        "effect": "[[parameters('effect')]",
+        "details": {
+          "type": "Microsoft.Insights/dataCollectionRuleAssociations",
+          "name": "MicrosoftDefenderForSQL-RulesAssociation",
+          "roleDefinitionIds": [
+            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+          ],
+          "deployment": {
+            "properties": {
+              "mode": "incremental",
+              "template": {
+                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+                "contentVersion": "1.0.0.0",
+                "parameters": {
+                  "resourceGroup": {
+                    "type": "string"
+                  },
+                  "vmName": {
+                    "type": "string"
+                  },
+                  "workspaceRegion": {
+                    "type": "string"
+                  },
+                  "dcrName": {
+                    "type": "string"
+                  },
+                  "dcrResourceGroup": {
+                    "type": "string"
+                  },
+                  "dcrId": {
+                    "type": "string"
+                  }
+                },
+                "variables": {
+                  "locationLongNameToShortMap": {
+                    "australiacentral": "CAU",
+                    "australiaeast": "EAU",
+                    "australiasoutheast": "SEAU",
+                    "brazilsouth": "CQ",
+                    "canadacentral": "CCA",
+                    "canadaeast": "CCA",
+                    "centralindia": "CIN",
+                    "centralus": "CUS",
+                    "eastasia": "EA",
+                    "eastus2euap": "eus2p",
+                    "eastus": "EUS",
+                    "eastus2": "EUS2",
+                    "francecentral": "PAR",
+                    "germanywestcentral": "DEWC",
+                    "japaneast": "EJP",
+                    "jioindiawest": "CIN",
+                    "koreacentral": "SE",
+                    "koreasouth": "SE",
+                    "northcentralus": "NCUS",
+                    "northeurope": "NEU",
+                    "norwayeast": "NOE",
+                    "southafricanorth": "JNB",
+                    "southcentralus": "SCUS",
+                    "southeastasia": "SEA",
+                    "southindia": "CIN",
+                    "swedencentral": "SEC",
+                    "switzerlandnorth": "CHN",
+                    "switzerlandwest": "CHW",
+                    "uaenorth": "DXB",
+                    "uksouth": "SUK",
+                    "ukwest": "WUK",
+                    "westcentralus": "WCUS",
+                    "westeurope": "WEU",
+                    "westindia": "CIN",
+                    "westus": "WUS",
+                    "westus2": "WUS2"
+                  },
+                  "locationCode": "[[if(contains(variables('locationLongNameToShortMap'), parameters('workspaceRegion')), variables('locationLongNameToShortMap')[parameters('workspaceRegion')], parameters('workspaceRegion'))]",
+                  "subscriptionId": "[[subscription().subscriptionId]",
+                  "defaultRGName": "[[parameters('resourceGroup')]",
+                  "dcrName": "[[parameters('dcrName')]",
+                  "dcrId": "[[parameters('dcrId')]",
+                  "dcraName": "[[concat(parameters('vmName'),'/Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation')]"
+                },
+                "resources": [
+                  {
+                    "type": "Microsoft.HybridCompute/machines/providers/dataCollectionRuleAssociations",
+                    "name": "[[variables('dcraName')]",
+                    "apiVersion": "2021-04-01",
+                    "properties": {
+                      "description": "Configure association between Arc-enabled SQL Server and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Server.",
+                      "dataCollectionRuleId": "[[variables('dcrId')]"
+                    }
+                  }
+                ]
+              },
+              "parameters": {
+                "resourceGroup": {
+                  "value": "[[parameters('dcrResourceGroup')]"
+                },
+                "vmName": {
+                  "value": "[[field('name')]"
+                },
+                "workspaceRegion": {
+                  "value": "[[parameters('workspaceRegion')]"
+                },
+                "dcrName": {
+                  "value": "[[parameters('dcrName')]"
+                },
+                "dcrResourceGroup": {
+                  "value": "[[parameters('dcrResourceGroup')]"
+                },
+                "dcrId": {
+                  "value": "[[parameters('dcrId')]"
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-SQL-DefenderSQL-DCR.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-SQL-DefenderSQL-DCR.json
new file mode 100644
index 000000000..a475af741
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-SQL-DefenderSQL-DCR.json
@@ -0,0 +1,404 @@
+{
+  "name": "Deploy-MDFC-Arc-Sql-DefenderSQL-DCR",
+  "type": "Microsoft.Authorization/policyDefinitions",
+  "apiVersion": "2021-06-01",
+  "scope": null,
+  "properties": {
+    "policyType": "Custom",
+    "mode": "Indexed",
+    "displayName": "Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace",
+    "description": "Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace.",
+    "metadata": {
+      "version": "1.0.0",
+      "category": "Security Center",
+      "source": "https://github.com/Azure/Enterprise-Scale/",
+      "alzCloudEnvironments": [
+        "AzureCloud",
+        "AzureChinaCloud",
+        "AzureUSGovernment"
+      ]
+    },
+    "parameters": {
+      "effect": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Effect",
+          "description": "Enable or disable the execution of the policy"
+        },
+        "allowedValues": [
+          "DeployIfNotExists",
+          "Disabled"
+        ],
+        "defaultValue": "DeployIfNotExists"
+      },
+      "userWorkspaceResourceId": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Workspace Resource Id",
+          "description": "Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.",
+          "strongType": "omsWorkspace"
+        }
+      },
+      "workspaceRegion": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Workspace region",
+          "description": "Region of the Log Analytics workspace destination for the Data Collection Rule.",
+          "strongType": "location"
+        }
+      },
+      "enableCollectionOfSqlQueriesForSecurityResearch": {
+        "type": "Boolean",
+        "metadata": {
+          "displayName": "Enable collection of SQL queries for security research",
+          "description": "Enable or disable the collection of SQL queries for security research."
+        },
+        "allowedValues": [
+          true,
+          false
+        ],
+        "defaultValue": false
+      },
+      "dcrName": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Data Collection Rule Name",
+          "description": "Name of the Data Collection Rule."
+        }
+      },
+      "dcrResourceGroup": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Data Collection Rule Resource Group",
+          "description": "Resource Group of the Data Collection Rule."
+        }
+      },
+      "dcrId": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Data Collection Rule Id",
+          "description": "Id of the Data Collection Rule."
+        }
+      }
+    },
+    "policyRule": {
+      "if": {
+        "allOf": [
+          {
+            "field": "type",
+            "equals": "Microsoft.HybridCompute/machines"
+          },
+          {
+            "field": "Microsoft.HybridCompute/machines/osName",
+            "equals": "Windows"
+          },
+          {
+            "field": "Microsoft.HybridCompute/machines/mssqlDiscovered",
+            "equals": "true"
+          }
+        ]
+      },
+      "then": {
+        "effect": "[[parameters('effect')]",
+        "details": {
+          "type": "Microsoft.Insights/dataCollectionRules",
+          "deploymentScope": "subscription",
+          "roleDefinitionIds": [
+            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+          ],
+          "existenceScope": "subscription",
+          "existenceCondition": {
+            "allOf": [
+              {
+                "field": "location",
+                "equals": "[[parameters('workspaceRegion')]"
+              },
+              {
+                "field": "name",
+                "equals": "[[parameters('dcrName')]"
+              }
+            ]
+          },
+          "deployment": {
+            "location": "eastus",
+            "properties": {
+              "mode": "incremental",
+              "template": {
+                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+                "contentVersion": "1.0.0.0",
+                "parameters": {
+                  "resourceGroup": {
+                    "type": "string"
+                  },
+                  "vmName": {
+                    "type": "string"
+                  },
+                  "userWorkspaceResourceId": {
+                    "type": "string"
+                  },
+                  "workspaceRegion": {
+                    "type": "string"
+                  },
+                  "enableCollectionOfSqlQueriesForSecurityResearch": {
+                    "type": "bool"
+                  },
+                  "dcrName": {
+                    "type": "string"
+                  },
+                  "dcrResourceGroup": {
+                    "type": "string"
+                  },
+                  "dcrId": {
+                    "type": "string"
+                  }
+                },
+                "variables": {
+                  "locationLongNameToShortMap": {
+                    "australiacentral": "CAU",
+                    "australiaeast": "EAU",
+                    "australiasoutheast": "SEAU",
+                    "brazilsouth": "CQ",
+                    "canadacentral": "CCA",
+                    "canadaeast": "CCA",
+                    "centralindia": "CIN",
+                    "centralus": "CUS",
+                    "eastasia": "EA",
+                    "eastus2euap": "eus2p",
+                    "eastus": "EUS",
+                    "eastus2": "EUS2",
+                    "francecentral": "PAR",
+                    "germanywestcentral": "DEWC",
+                    "japaneast": "EJP",
+                    "jioindiawest": "CIN",
+                    "koreacentral": "SE",
+                    "koreasouth": "SE",
+                    "northcentralus": "NCUS",
+                    "northeurope": "NEU",
+                    "norwayeast": "NOE",
+                    "southafricanorth": "JNB",
+                    "southcentralus": "SCUS",
+                    "southeastasia": "SEA",
+                    "southindia": "CIN",
+                    "swedencentral": "SEC",
+                    "switzerlandnorth": "CHN",
+                    "switzerlandwest": "CHW",
+                    "uaenorth": "DXB",
+                    "uksouth": "SUK",
+                    "ukwest": "WUK",
+                    "westcentralus": "WCUS",
+                    "westeurope": "WEU",
+                    "westindia": "CIN",
+                    "westus": "WUS",
+                    "westus2": "WUS2"
+                  },
+                  "locationCode": "[[if(contains(variables('locationLongNameToShortMap'), parameters('workspaceRegion')), variables('locationLongNameToShortMap')[parameters('workspaceRegion')], parameters('workspaceRegion'))]",
+                  "subscriptionId": "[[subscription().subscriptionId]",
+                  "defaultRGName": "[[parameters('resourceGroup')]",
+                  "defaultRGLocation": "[[parameters('workspaceRegion')]",
+                  "dcrName": "[[parameters('dcrName')]",
+                  "dcrId": "[[parameters('dcrId')]",
+                  "dcraName": "[[concat(parameters('vmName'),'/Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation')]",
+                  "deployDataCollectionRules": "[[concat('deployDataCollectionRules-', uniqueString(deployment().name))]",
+                  "deployDataCollectionRulesAssociation": "[[concat('deployDataCollectionRulesAssociation-', uniqueString(deployment().name))]"
+                },
+                "resources": [
+                  {
+                    "condition": "[[empty(parameters('dcrResourceGroup'))]",
+                    "type": "Microsoft.Resources/resourceGroups",
+                    "name": "[[variables('defaultRGName')]",
+                    "apiVersion": "2022-09-01",
+                    "location": "[[variables('defaultRGLocation')]",
+                    "tags": {
+                      "createdBy": "MicrosoftDefenderForSQL"
+                    }
+                  },
+                  {
+                    "condition": "[[empty(parameters('dcrId'))]",
+                    "type": "Microsoft.Resources/deployments",
+                    "name": "[[variables('deployDataCollectionRules')]",
+                    "apiVersion": "2022-09-01",
+                    "resourceGroup": "[[variables('defaultRGName')]",
+                    "dependsOn": [
+                      "[[variables('defaultRGName')]"
+                    ],
+                    "properties": {
+                      "mode": "Incremental",
+                      "expressionEvaluationOptions": {
+                        "scope": "inner"
+                      },
+                      "parameters": {
+                        "defaultRGLocation": {
+                          "value": "[[variables('defaultRGLocation')]"
+                        },
+                        "workspaceResourceId": {
+                          "value": "[[parameters('userWorkspaceResourceId')]"
+                        },
+                        "dcrName": {
+                          "value": "[[variables('dcrName')]"
+                        },
+                        "dcrId": {
+                          "value": "[[variables('dcrId')]"
+                        },
+                        "enableCollectionOfSqlQueriesForSecurityResearch": {
+                          "value": "[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]"
+                        }
+                      },
+                      "template": {
+                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+                        "contentVersion": "1.0.0.0",
+                        "parameters": {
+                          "defaultRGLocation": {
+                            "type": "string"
+                          },
+                          "workspaceResourceId": {
+                            "type": "string"
+                          },
+                          "dcrName": {
+                            "type": "string"
+                          },
+                          "dcrId": {
+                            "type": "string"
+                          },
+                          "enableCollectionOfSqlQueriesForSecurityResearch": {
+                            "type": "bool"
+                          }
+                        },
+                        "variables": {},
+                        "resources": [
+                          {
+                            "type": "Microsoft.Insights/dataCollectionRules",
+                            "name": "[[parameters('dcrName')]",
+                            "apiVersion": "2021-04-01",
+                            "location": "[[parameters('defaultRGLocation')]",
+                            "tags": {
+                              "createdBy": "MicrosoftDefenderForSQL"
+                            },
+                            "properties": {
+                              "description": "Data collection rule for Microsoft Defender for SQL. Deleting this rule will break the detection of security vulnerabilities.",
+                              "dataSources": {
+                                "extensions": [
+                                  {
+                                    "extensionName": "MicrosoftDefenderForSQL",
+                                    "name": "MicrosoftDefenderForSQL",
+                                    "streams": [
+                                      "Microsoft-DefenderForSqlAlerts",
+                                      "Microsoft-DefenderForSqlLogins",
+                                      "Microsoft-DefenderForSqlTelemetry",
+                                      "Microsoft-DefenderForSqlScanEvents",
+                                      "Microsoft-DefenderForSqlScanResults"
+                                    ],
+                                    "extensionSettings": {
+                                      "enableCollectionOfSqlQueriesForSecurityResearch": "[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]"
+                                    }
+                                  }
+                                ]
+                              },
+                              "destinations": {
+                                "logAnalytics": [
+                                  {
+                                    "workspaceResourceId": "[[parameters('workspaceResourceId')]",
+                                    "name": "LogAnalyticsDest"
+                                  }
+                                ]
+                              },
+                              "dataFlows": [
+                                {
+                                  "streams": [
+                                    "Microsoft-DefenderForSqlAlerts",
+                                    "Microsoft-DefenderForSqlLogins",
+                                    "Microsoft-DefenderForSqlTelemetry",
+                                    "Microsoft-DefenderForSqlScanEvents",
+                                    "Microsoft-DefenderForSqlScanResults"
+                                  ],
+                                  "destinations": [
+                                    "LogAnalyticsDest"
+                                  ]
+                                }
+                              ]
+                            }
+                          }
+                        ]
+                      }
+                    }
+                  },
+                  {
+                    "type": "Microsoft.Resources/deployments",
+                    "name": "[[variables('deployDataCollectionRulesAssociation')]",
+                    "apiVersion": "2022-09-01",
+                    "resourceGroup": "[[parameters('resourceGroup')]",
+                    "dependsOn": [
+                      "[[variables('deployDataCollectionRules')]"
+                    ],
+                    "properties": {
+                      "mode": "Incremental",
+                      "expressionEvaluationOptions": {
+                        "scope": "inner"
+                      },
+                      "parameters": {
+                        "dcrId": {
+                          "value": "[[variables('dcrId')]"
+                        },
+                        "dcraName": {
+                          "value": "[[variables('dcraName')]"
+                        }
+                      },
+                      "template": {
+                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+                        "contentVersion": "1.0.0.0",
+                        "parameters": {
+                          "dcrId": {
+                            "type": "string"
+                          },
+                          "dcraName": {
+                            "type": "string"
+                          }
+                        },
+                        "resources": [
+                          {
+                            "type": "Microsoft.HybridCompute/machines/providers/dataCollectionRuleAssociations",
+                            "name": "[[parameters('dcraName')]",
+                            "apiVersion": "2021-04-01",
+                            "properties": {
+                              "description": "Configure association between Arc-enabled SQL Server and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Server.",
+                              "dataCollectionRuleId": "[[parameters('dcrId')]"
+                            }
+                          }
+                        ]
+                      }
+                    }
+                  }
+                ]
+              },
+              "parameters": {
+                "resourceGroup": {
+                  "value": "[[parameters('dcrResourceGroup')]"
+                },
+                "vmName": {
+                  "value": "[[field('name')]"
+                },
+                "userWorkspaceResourceId": {
+                  "value": "[[parameters('userWorkspaceResourceId')]"
+                },
+                "workspaceRegion": {
+                  "value": "[[parameters('workspaceRegion')]"
+                },
+                "enableCollectionOfSqlQueriesForSecurityResearch": {
+                  "value": "[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]"
+                },
+                "dcrName": {
+                  "value": "[[parameters('dcrName')]"
+                },
+                "dcrResourceGroup": {
+                  "value": "[[parameters('dcrResourceGroup')]"
+                },
+                "dcrId": {
+                  "value": "[[parameters('dcrId')]"
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-AMA.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-AMA.json
new file mode 100644
index 000000000..a2c265c37
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-AMA.json
@@ -0,0 +1,175 @@
+{
+  "name": "Deploy-MDFC-SQL-AMA",
+  "type": "Microsoft.Authorization/policyDefinitions",
+  "apiVersion": "2021-06-01",
+  "scope": null,
+  "properties": {
+    "policyType": "Custom",
+    "mode": "Indexed",
+    "displayName": "Configure SQL Virtual Machines to automatically install Azure Monitor Agent",
+    "description": "Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview.",
+    "metadata": {
+      "version": "1.0.0",
+      "category": "Security Center",
+      "source": "https://github.com/Azure/Enterprise-Scale/",
+      "alzCloudEnvironments": [
+        "AzureCloud",
+        "AzureChinaCloud",
+        "AzureUSGovernment"
+      ]
+    },
+    "parameters": {
+      "effect": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Effect",
+          "description": "Enable or disable the execution of the policy"
+        },
+        "allowedValues": [
+          "DeployIfNotExists",
+          "Disabled"
+        ],
+        "defaultValue": "DeployIfNotExists"
+      },
+      "identityResourceGroup": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Identity Resource Group",
+          "description": "The name of the resource group created by the policy."
+        },
+        "defaultValue": ""
+      },
+      "userAssignedIdentityName": {
+        "type": "String",
+        "metadata": {
+          "displayName": "User Assigned Managed Identity Name",
+          "description": "The name of the user assigned managed identity."
+        },
+        "defaultValue": ""
+      }
+    },
+    "policyRule": {
+      "if": {
+        "allOf": [
+          {
+            "field": "type",
+            "equals": "Microsoft.Compute/virtualMachines"
+          },
+          {
+            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
+            "like": "Windows*"
+          },
+          {
+            "field": "Microsoft.Compute/imagePublisher",
+            "equals": "microsoftsqlserver"
+          }
+        ]
+      },
+      "then": {
+        "effect": "[[parameters('effect')]",
+        "details": {
+          "type": "Microsoft.Compute/virtualMachines/extensions",
+          "evaluationDelay": "AfterProvisioning",
+          "roleDefinitionIds": [
+            "/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"
+          ],
+          "name": "[[concat(field('fullName'), '/AzureMonitorWindowsAgent')]",
+          "existenceCondition": {
+            "allOf": [
+              {
+                "field": "Microsoft.Compute/virtualMachines/extensions/type",
+                "equals": "AzureMonitorWindowsAgent"
+              },
+              {
+                "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
+                "equals": "Microsoft.Azure.Monitor"
+              },
+              {
+                "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState",
+                "in": [
+                  "Succeeded",
+                  "Provisioning succeeded"
+                ]
+              }
+            ]
+          },
+          "deployment": {
+            "properties": {
+              "mode": "incremental",
+              "template": {
+                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+                "contentVersion": "1.0.0.0",
+                "parameters": {
+                  "vmName": {
+                    "type": "string"
+                  },
+                  "location": {
+                    "type": "string"
+                  },
+                  "userAssignedManagedIdentity": {
+                    "type": "string"
+                  },
+                  "userAssignedIdentityName": {
+                    "type": "string"
+                  },
+                  "identityResourceGroup": {
+                    "type": "string"
+                  }
+                },
+                "variables": {
+                  "extensionName": "AzureMonitorWindowsAgent",
+                  "extensionPublisher": "Microsoft.Azure.Monitor",
+                  "extensionType": "AzureMonitorWindowsAgent",
+                  "extensionTypeHandlerVersion": "1.2"
+                },
+                "resources": [
+                  {
+                    "name": "[[concat(parameters('vmName'), '/', variables('extensionName'))]",
+                    "type": "Microsoft.Compute/virtualMachines/extensions",
+                    "location": "[[parameters('location')]",
+                    "tags": {
+                      "createdBy": "MicrosoftDefenderForSQL"
+                    },
+                    "apiVersion": "2023-03-01",
+                    "properties": {
+                      "publisher": "[[variables('extensionPublisher')]",
+                      "type": "[[variables('extensionType')]",
+                      "typeHandlerVersion": "[[variables('extensionTypeHandlerVersion')]",
+                      "autoUpgradeMinorVersion": true,
+                      "enableAutomaticUpgrade": true,
+                      "settings": {
+                        "authentication": {
+                          "managedIdentity": {
+                            "identifier-name": "mi_res_id",
+                            "identifier-value": "[[parameters('userAssignedManagedIdentity')]"
+                          }
+                        }
+                      }
+                    }
+                  }
+                ]
+              },
+              "parameters": {
+                "vmName": {
+                  "value": "[[field('name')]"
+                },
+                "location": {
+                  "value": "[[field('location')]"
+                },
+                "userAssignedManagedIdentity": {
+                  "value": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('userAssignedIdentityName')))]"
+                },
+                "userAssignedIdentityName": {
+                  "value": "[[parameters('userAssignedIdentityName')]"
+                },
+                "identityResourceGroup": {
+                  "value": "[[parameters('identityResourceGroup')]"
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL-DCR.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL-DCR.json
new file mode 100644
index 000000000..d57946024
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL-DCR.json
@@ -0,0 +1,463 @@
+{
+  "name": "Deploy-MDFC-SQL-DefenderSQL-DCR",
+  "type": "Microsoft.Authorization/policyDefinitions",
+  "apiVersion": "2021-06-01",
+  "scope": null,
+  "properties": {
+    "policyType": "Custom",
+    "mode": "Indexed",
+    "displayName": "Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace",
+    "description": "Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace.",
+    "metadata": {
+      "version": "1.0.0",
+      "category": "Security Center",
+      "source": "https://github.com/Azure/Enterprise-Scale/",
+      "alzCloudEnvironments": [
+        "AzureCloud",
+        "AzureChinaCloud",
+        "AzureUSGovernment"
+      ]
+    },
+    "parameters": {
+      "effect": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Effect",
+          "description": "Enable or disable the execution of the policy"
+        },
+        "allowedValues": [
+          "DeployIfNotExists",
+          "Disabled"
+        ],
+        "defaultValue": "DeployIfNotExists"
+      },
+      "userWorkspaceResourceId": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Workspace Resource Id",
+          "description": "Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.",
+          "strongType": "omsWorkspace"
+        }
+      },
+      "workspaceRegion": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Workspace region",
+          "description": "Region of the Log Analytics workspace destination for the Data Collection Rule.",
+          "strongType": "location"
+        }
+      },
+      "enableCollectionOfSqlQueriesForSecurityResearch": {
+        "type": "Boolean",
+        "metadata": {
+          "displayName": "Enable collection of SQL queries for security research",
+          "description": "Enable or disable the collection of SQL queries for security research."
+        },
+        "allowedValues": [
+          true,
+          false
+        ],
+        "defaultValue": false
+      },
+      "dcrName": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Data Collection Rule Name",
+          "description": "Name of the Data Collection Rule."
+        }
+      },
+      "dcrResourceGroup": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Data Collection Rule Resource Group",
+          "description": "Resource Group of the Data Collection Rule."
+        }
+      },
+      "dcrId": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Data Collection Rule Id",
+          "description": "Id of the Data Collection Rule."
+        }
+      }
+    },
+    "policyRule": {
+      "if": {
+        "allOf": [
+          {
+            "field": "type",
+            "equals": "Microsoft.Compute/virtualMachines"
+          },
+          {
+            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
+            "like": "Windows*"
+          },
+          {
+            "field": "Microsoft.Compute/imagePublisher",
+            "equals": "microsoftsqlserver"
+          }
+        ]
+      },
+      "then": {
+        "effect": "[[parameters('effect')]",
+        "details": {
+          "type": "Microsoft.Insights/dataCollectionRules",
+          "evaluationDelay": "AfterProvisioning",
+          "deploymentScope": "subscription",
+          "roleDefinitionIds": [
+            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+          ],
+          "existenceScope": "subscription",
+          "existenceCondition": {
+            "allOf": [
+              {
+                "field": "location",
+                "equals": "[[parameters('workspaceRegion')]"
+              },
+              {
+                "field": "name",
+                "equals": "[[parameters('dcrName')]"
+              }
+            ]
+          },
+          "deployment": {
+            "location": "eastus",
+            "properties": {
+              "mode": "incremental",
+              "template": {
+                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+                "contentVersion": "1.0.0.0",
+                "parameters": {
+                  "resourceGroup": {
+                    "type": "string"
+                  },
+                  "location": {
+                    "type": "string"
+                  },
+                  "vmName": {
+                    "type": "string"
+                  },
+                  "userWorkspaceResourceId": {
+                    "type": "string"
+                  },
+                  "workspaceRegion": {
+                    "type": "string"
+                  },
+                  "enableCollectionOfSqlQueriesForSecurityResearch": {
+                    "type": "bool"
+                  },
+                  "dcrName": {
+                    "type": "string"
+                  },
+                  "dcrResourceGroup": {
+                    "type": "string"
+                  },
+                  "dcrId": {
+                    "type": "string"
+                  }
+                },
+                "variables": {
+                  "locationLongNameToShortMap": {
+                    "australiacentral": "CAU",
+                    "australiaeast": "EAU",
+                    "australiasoutheast": "SEAU",
+                    "brazilsouth": "CQ",
+                    "canadacentral": "CCA",
+                    "canadaeast": "CCA",
+                    "centralindia": "CIN",
+                    "centralus": "CUS",
+                    "eastasia": "EA",
+                    "eastus2euap": "eus2p",
+                    "eastus": "EUS",
+                    "eastus2": "EUS2",
+                    "francecentral": "PAR",
+                    "germanywestcentral": "DEWC",
+                    "japaneast": "EJP",
+                    "jioindiawest": "CIN",
+                    "koreacentral": "SE",
+                    "koreasouth": "SE",
+                    "northcentralus": "NCUS",
+                    "northeurope": "NEU",
+                    "norwayeast": "NOE",
+                    "southafricanorth": "JNB",
+                    "southcentralus": "SCUS",
+                    "southeastasia": "SEA",
+                    "southindia": "CIN",
+                    "swedencentral": "SEC",
+                    "switzerlandnorth": "CHN",
+                    "switzerlandwest": "CHW",
+                    "uaenorth": "DXB",
+                    "uksouth": "SUK",
+                    "ukwest": "WUK",
+                    "westcentralus": "WCUS",
+                    "westeurope": "WEU",
+                    "westindia": "CIN",
+                    "westus": "WUS",
+                    "westus2": "WUS2"
+                  },
+                  "locationCode": "[[if(contains(variables('locationLongNameToShortMap'), parameters('workspaceRegion')), variables('locationLongNameToShortMap')[parameters('workspaceRegion')], parameters('workspaceRegion'))]",
+                  "subscriptionId": "[[subscription().subscriptionId]",
+                  "defaultRGName": "[[parameters('dcrResourceGroup')]",
+                  "defaultRGLocation": "[[parameters('workspaceRegion')]",
+                  "dcrName": "[[parameters('dcrName')]",
+                  "dcrId": "[[parameters('dcrId')]",
+                  "dcraName": "[[concat(parameters('vmName'),'/Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation')]",
+                  "deployDataCollectionRules": "[[concat('deployDataCollectionRules-', uniqueString(deployment().name))]",
+                  "deployDataCollectionRulesAssociation": "[[concat('deployDataCollectionRulesAssociation-', uniqueString(deployment().name))]",
+                  "deployDefenderForSQL": "[[concat('deployDefenderForSQL-', uniqueString(deployment().name))]"
+                },
+                "resources": [
+                  {
+                    "condition": "[[empty(parameters('dcrResourceGroup'))]",
+                    "type": "Microsoft.Resources/resourceGroups",
+                    "name": "[[variables('defaultRGName')]",
+                    "apiVersion": "2022-09-01",
+                    "location": "[[variables('defaultRGLocation')]",
+                    "tags": {
+                      "createdBy": "MicrosoftDefenderForSQL"
+                    }
+                  },
+                  {
+                    "type": "Microsoft.Resources/deployments",
+                    "name": "[[variables('deployDefenderForSQL')]",
+                    "apiVersion": "2022-09-01",
+                    "resourceGroup": "[[parameters('resourceGroup')]",
+                    "properties": {
+                      "mode": "Incremental",
+                      "expressionEvaluationOptions": {
+                        "scope": "inner"
+                      },
+                      "parameters": {
+                        "location": {
+                          "value": "[[parameters('location')]"
+                        },
+                        "vmName": {
+                          "value": "[[parameters('vmName')]"
+                        }
+                      },
+                      "template": {
+                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+                        "contentVersion": "1.0.0.0",
+                        "parameters": {
+                          "location": {
+                            "type": "string"
+                          },
+                          "vmName": {
+                            "type": "string"
+                          }
+                        },
+                        "variables": {},
+                        "resources": [
+                          {
+                            "type": "Microsoft.Compute/virtualMachines/extensions",
+                            "name": "[[concat(parameters('vmName'), '/', 'MicrosoftDefenderForSQL')]",
+                            "apiVersion": "2023-03-01",
+                            "location": "[[parameters('location')]",
+                            "tags": {
+                              "createdBy": "MicrosoftDefenderForSQL"
+                            },
+                            "properties": {
+                              "publisher": "Microsoft.Azure.AzureDefenderForSQL",
+                              "type": "AdvancedThreatProtection.Windows",
+                              "typeHandlerVersion": "2.0",
+                              "autoUpgradeMinorVersion": true,
+                              "enableAutomaticUpgrade": true
+                            }
+                          }
+                        ]
+                      }
+                    }
+                  },
+                  {
+                    "condition": "[[empty(parameters('dcrId'))]",
+                    "type": "Microsoft.Resources/deployments",
+                    "name": "[[variables('deployDataCollectionRules')]",
+                    "apiVersion": "2022-09-01",
+                    "resourceGroup": "[[variables('defaultRGName')]",
+                    "dependsOn": [
+                      "[[variables('defaultRGName')]"
+                    ],
+                    "properties": {
+                      "mode": "Incremental",
+                      "expressionEvaluationOptions": {
+                        "scope": "inner"
+                      },
+                      "parameters": {
+                        "defaultRGLocation": {
+                          "value": "[[variables('defaultRGLocation')]"
+                        },
+                        "workspaceResourceId": {
+                          "value": "[[parameters('userWorkspaceResourceId')]"
+                        },
+                        "dcrName": {
+                          "value": "[[variables('dcrName')]"
+                        },
+                        "dcrId": {
+                          "value": "[[variables('dcrId')]"
+                        },
+                        "enableCollectionOfSqlQueriesForSecurityResearch": {
+                          "value": "[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]"
+                        }
+                      },
+                      "template": {
+                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+                        "contentVersion": "1.0.0.0",
+                        "parameters": {
+                          "defaultRGLocation": {
+                            "type": "string"
+                          },
+                          "workspaceResourceId": {
+                            "type": "string"
+                          },
+                          "dcrName": {
+                            "type": "string"
+                          },
+                          "dcrId": {
+                            "type": "string"
+                          },
+                          "enableCollectionOfSqlQueriesForSecurityResearch": {
+                            "type": "bool"
+                          }
+                        },
+                        "variables": {},
+                        "resources": [
+                          {
+                            "type": "Microsoft.Insights/dataCollectionRules",
+                            "name": "[[parameters('dcrName')]",
+                            "apiVersion": "2021-04-01",
+                            "location": "[[parameters('defaultRGLocation')]",
+                            "tags": {
+                              "createdBy": "MicrosoftDefenderForSQL"
+                            },
+                            "properties": {
+                              "description": "Data collection rule for Microsoft Defender for SQL. Deleting this rule will break the detection of security vulnerabilities.",
+                              "dataSources": {
+                                "extensions": [
+                                  {
+                                    "extensionName": "MicrosoftDefenderForSQL",
+                                    "name": "MicrosoftDefenderForSQL",
+                                    "streams": [
+                                      "Microsoft-DefenderForSqlAlerts",
+                                      "Microsoft-DefenderForSqlLogins",
+                                      "Microsoft-DefenderForSqlTelemetry",
+                                      "Microsoft-DefenderForSqlScanEvents",
+                                      "Microsoft-DefenderForSqlScanResults"
+                                    ],
+                                    "extensionSettings": {
+                                      "enableCollectionOfSqlQueriesForSecurityResearch": "[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]"
+                                    }
+                                  }
+                                ]
+                              },
+                              "destinations": {
+                                "logAnalytics": [
+                                  {
+                                    "workspaceResourceId": "[[parameters('workspaceResourceId')]",
+                                    "name": "LogAnalyticsDest"
+                                  }
+                                ]
+                              },
+                              "dataFlows": [
+                                {
+                                  "streams": [
+                                    "Microsoft-DefenderForSqlAlerts",
+                                    "Microsoft-DefenderForSqlLogins",
+                                    "Microsoft-DefenderForSqlTelemetry",
+                                    "Microsoft-DefenderForSqlScanEvents",
+                                    "Microsoft-DefenderForSqlScanResults"
+                                  ],
+                                  "destinations": [
+                                    "LogAnalyticsDest"
+                                  ]
+                                }
+                              ]
+                            }
+                          }
+                        ]
+                      }
+                    }
+                  },
+                  {
+                    "type": "Microsoft.Resources/deployments",
+                    "name": "[[variables('deployDataCollectionRulesAssociation')]",
+                    "apiVersion": "2022-09-01",
+                    "resourceGroup": "[[parameters('resourceGroup')]",
+                    "dependsOn": [
+                      "[[variables('deployDataCollectionRules')]"
+                    ],
+                    "properties": {
+                      "mode": "Incremental",
+                      "expressionEvaluationOptions": {
+                        "scope": "inner"
+                      },
+                      "parameters": {
+                        "dcrId": {
+                          "value": "[[variables('dcrId')]"
+                        },
+                        "dcraName": {
+                          "value": "[[variables('dcraName')]"
+                        }
+                      },
+                      "template": {
+                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+                        "contentVersion": "1.0.0.0",
+                        "parameters": {
+                          "dcrId": {
+                            "type": "string"
+                          },
+                          "dcraName": {
+                            "type": "string"
+                          }
+                        },
+                        "resources": [
+                          {
+                            "type": "Microsoft.Compute/virtualMachines/providers/dataCollectionRuleAssociations",
+                            "name": "[[parameters('dcraName')]",
+                            "apiVersion": "2021-04-01",
+                            "properties": {
+                              "description": "Configure association between SQL Virtual Machine and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this SQL Virtual Machine.",
+                              "dataCollectionRuleId": "[[parameters('dcrId')]"
+                            }
+                          }
+                        ]
+                      }
+                    }
+                  }
+                ]
+              },
+              "parameters": {
+                "resourceGroup": {
+                  "value": "[[parameters('dcrResourceGroup')]"
+                },
+                "location": {
+                  "value": "[[field('location')]"
+                },
+                "vmName": {
+                  "value": "[[field('name')]"
+                },
+                "userWorkspaceResourceId": {
+                  "value": "[[parameters('userWorkspaceResourceId')]"
+                },
+                "workspaceRegion": {
+                  "value": "[[parameters('workspaceRegion')]"
+                },
+                "enableCollectionOfSqlQueriesForSecurityResearch": {
+                  "value": "[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]"
+                },
+                "dcrName": {
+                  "value": "[[parameters('dcrName')]"
+                },
+                "dcrResourceGroup": {
+                  "value": "[[parameters('dcrResourceGroup')]"
+                },
+                "dcrId": {
+                  "value": "[[parameters('dcrId')]"
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL.json
new file mode 100644
index 000000000..8cbd4121a
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL.json
@@ -0,0 +1,240 @@
+{
+  "name": "Deploy-MDFC-SQL-DefenderSQL",
+  "type": "Microsoft.Authorization/policyDefinitions",
+  "apiVersion": "2021-06-01",
+  "scope": null,
+  "properties": {
+    "displayName": "Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL",
+    "policyType": "Custom",
+    "mode": "Indexed",
+    "description": "Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations).",
+    "metadata": {
+      "version": "1.0.0",
+      "category": "Security Center",
+      "source": "https://github.com/Azure/Enterprise-Scale/",
+      "alzCloudEnvironments": [
+        "AzureCloud",
+        "AzureChinaCloud",
+        "AzureUSGovernment"
+      ]
+    },
+    "parameters": {
+      "effect": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Effect",
+          "description": "Enable or disable the execution of the policy"
+        },
+        "allowedValues": [
+          "DeployIfNotExists",
+          "Disabled"
+        ],
+        "defaultValue": "DeployIfNotExists"
+      },
+      "workspaceRegion": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Workspace region",
+          "description": "Region of the Log Analytics workspace destination for the Data Collection Rule.",
+          "strongType": "location"
+        }
+      },
+      "dcrName": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Data Collection Rule Name",
+          "description": "Name of the Data Collection Rule."
+        }
+      },
+      "dcrResourceGroup": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Data Collection Rule Resource Group",
+          "description": "Resource Group of the Data Collection Rule."
+        }
+      },
+      "dcrId": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Data Collection Rule Id",
+          "description": "Id of the Data Collection Rule."
+        }
+      }
+    },
+    "policyRule": {
+      "if": {
+        "allOf": [
+          {
+            "field": "type",
+            "equals": "Microsoft.Compute/virtualMachines"
+          },
+          {
+            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
+            "like": "Windows*"
+          },
+          {
+            "field": "Microsoft.Compute/imagePublisher",
+            "equals": "microsoftsqlserver"
+          }
+        ]
+      },
+      "then": {
+        "effect": "[[parameters('effect')]",
+        "details": {
+          "type": "Microsoft.Compute/virtualMachines/extensions",
+          "name": "[[concat(field('fullName'), '/MicrosoftDefenderForSQL')]",
+          "evaluationDelay": "AfterProvisioning",
+          "existenceCondition": {
+            "allOf": [
+              {
+                "field": "Microsoft.Compute/virtualMachines/extensions/type",
+                "equals": "AdvancedThreatProtection.Windows"
+              },
+              {
+                "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
+                "equals": "Microsoft.Azure.AzureDefenderForSQL"
+              },
+              {
+                "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState",
+                "in": [
+                  "Succeeded",
+                  "Provisioning succeeded"
+                ]
+              }
+            ]
+          },
+          "roleDefinitionIds": [
+            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+          ],
+          "deployment": {
+            "properties": {
+              "mode": "incremental",
+              "template": {
+                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+                "contentVersion": "1.0.0.0",
+                "parameters": {
+                  "location": {
+                    "type": "string"
+                  },
+                  "vmName": {
+                    "type": "string"
+                  },
+                  "workspaceRegion": {
+                    "type": "string"
+                  },
+                  "dcrResourceGroup": {
+                    "type": "string"
+                  },
+                  "dcrName": {
+                    "type": "string"
+                  },
+                  "dcrId": {
+                    "type": "string"
+                  }
+                },
+                "variables": {
+                  "locationLongNameToShortMap": {
+                    "australiacentral": "CAU",
+                    "australiaeast": "EAU",
+                    "australiasoutheast": "SEAU",
+                    "brazilsouth": "CQ",
+                    "canadacentral": "CCA",
+                    "canadaeast": "CCA",
+                    "centralindia": "CIN",
+                    "centralus": "CUS",
+                    "eastasia": "EA",
+                    "eastus2euap": "eus2p",
+                    "eastus": "EUS",
+                    "eastus2": "EUS2",
+                    "francecentral": "PAR",
+                    "germanywestcentral": "DEWC",
+                    "japaneast": "EJP",
+                    "jioindiawest": "CIN",
+                    "koreacentral": "SE",
+                    "koreasouth": "SE",
+                    "northcentralus": "NCUS",
+                    "northeurope": "NEU",
+                    "norwayeast": "NOE",
+                    "southafricanorth": "JNB",
+                    "southcentralus": "SCUS",
+                    "southeastasia": "SEA",
+                    "southindia": "CIN",
+                    "swedencentral": "SEC",
+                    "switzerlandnorth": "CHN",
+                    "switzerlandwest": "CHW",
+                    "uaenorth": "DXB",
+                    "uksouth": "SUK",
+                    "ukwest": "WUK",
+                    "westcentralus": "WCUS",
+                    "westeurope": "WEU",
+                    "westindia": "CIN",
+                    "westus": "WUS",
+                    "westus2": "WUS2"
+                  },
+                  "actualLocation": "[[if(empty(parameters('workspaceRegion')), parameters('location'), parameters('workspaceRegion'))]",
+                  "locationCode": "[[if(contains(variables('locationLongNameToShortMap'), variables('actualLocation')), variables('locationLongNameToShortMap')[variables('actualLocation')], variables('actualLocation'))]",
+                  "subscriptionId": "[[subscription().subscriptionId]",
+                  "defaultRGName": "[[parameters('dcrResourceGroup')]",
+                  "dcrName": "[[parameters('dcrName')]",
+                  "dcrId": "[[parameters('dcrId')]",
+                  "dcraName": "[[concat(parameters('vmName'),'/Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation')]"
+                },
+                "resources": [
+                  {
+                    "type": "Microsoft.Compute/virtualMachines/extensions",
+                    "name": "[[concat(parameters('vmName'), '/', 'MicrosoftDefenderForSQL')]",
+                    "apiVersion": "2023-03-01",
+                    "location": "[[parameters('location')]",
+                    "tags": {
+                      "createdBy": "MicrosoftDefenderForSQL"
+                    },
+                    "properties": {
+                      "publisher": "Microsoft.Azure.AzureDefenderForSQL",
+                      "type": "AdvancedThreatProtection.Windows",
+                      "typeHandlerVersion": "2.0",
+                      "autoUpgradeMinorVersion": true,
+                      "enableAutomaticUpgrade": true
+                    },
+                    "dependsOn": [
+                      "[[extensionResourceId(concat('/subscriptions/', variables('subscriptionId'), '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Compute/virtualMachines/', parameters('vmName')), 'Microsoft.Insights/dataCollectionRuleAssociations','MicrosoftDefenderForSQL-RulesAssociation')]"
+                    ]
+                  },
+                  {
+                    "type": "Microsoft.Compute/virtualMachines/providers/dataCollectionRuleAssociations",
+                    "name": "[[variables('dcraName')]",
+                    "apiVersion": "2021-04-01",
+                    "properties": {
+                      "description": "Configure association between SQL Virtual Machine and the Microsoft Defender for SQL DCR. Deleting this association will break the detection of security vulnerabilities for this SQL Virtual Machine.",
+                      "dataCollectionRuleId": "[[variables('dcrId')]"
+                    }
+                  }
+                ]
+              },
+              "parameters": {
+                "location": {
+                  "value": "[[field('location')]"
+                },
+                "vmName": {
+                  "value": "[[field('name')]"
+                },
+                "workspaceRegion": {
+                  "value": "[[parameters('workspaceRegion')]"
+                },
+                "dcrResourceGroup": {
+                  "value": "[[parameters('dcrResourceGroup')]"
+                },
+                "dcrName": {
+                  "value": "[[parameters('dcrName')]"
+                },
+                "dcrId": {
+                  "value": "[[parameters('dcrId')]"
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-UserAssignedManagedIdentity-VMInsights.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-UserAssignedManagedIdentity-VMInsights.json
new file mode 100644
index 000000000..d5e69e4ee
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-UserAssignedManagedIdentity-VMInsights.json
@@ -0,0 +1,404 @@
+{
+    "name": "Deploy-UserAssignedManagedIdentity-VMInsights",
+    "type": "Microsoft.Authorization/policyDefinitions",
+    "apiVersion": "2021-06-01",
+    "scope": null,
+    "properties": {
+        "displayName": "Deploy User Assigned Managed Identity for VM Insights",
+        "policyType": "Custom",
+        "mode": "Indexed",
+        "description": "Create and assign a User Assigned Managed Identity to Virtual Machines for VM Insights",
+        "metadata": {
+            "version": "1.0.0",
+            "category": "Managed Identity",
+            "source": "https://github.com/Azure/Enterprise-Scale/",
+            "alzCloudEnvironments": [
+              "AzureCloud",
+              "AzureChinaCloud",
+              "AzureUSGovernment"
+            ]
+          },
+        "parameters": {
+            "bringYourOwnUserAssignedManagedIdentity": {
+                "type": "Boolean",
+                "metadata": {
+                    "displayName": "Bring Your Own User-Assigned Identity",
+                    "description": "Enable this to use your pre-created user-assigned managed identity. The pre-created identity MUST exist within the subscription otherwise the policy deployment will fail. If enabled, ensure that the User-Assigned Identity Name and Identity Resource Group Name parameters match the pre-created identity. If not enabled, the policy will create per subscription, per resource user-assigned managed identities in a new resource group named 'Built-In-Identity-RG'."
+                },
+                "allowedValues": [
+                    true,
+                    false
+                ]
+            },
+            "userAssignedIdentityName": {
+                "type": "String",
+                "metadata": {
+                    "displayName": "User-Assigned Managed Identity Name",
+                    "description": "The name of the pre-created user-assigned managed identity."
+                },
+                "defaultValue": ""
+            },
+            "identityResourceGroup": {
+                "type": "String",
+                "metadata": {
+                    "displayName": "User-Assigned Managed Identity Resource Group Name",
+                    "description": "The resource group in which the pre-created user-assigned managed identity resides."
+                },
+                "defaultValue": ""
+            },
+            "builtInIdentityResourceGroupLocation": {
+                "type": "String",
+                "metadata": {
+                    "displayName": "Built-In-Identity-RG Location",
+                    "description": "The location of the resource group 'Built-In-Identity-RG' created by the policy. This parameter is only used when 'Bring Your Own User Assigned Identity' parameter is false."
+                },
+                "defaultValue": "eastus"
+            },
+            "effect": {
+                "type": "String",
+                "metadata": {
+                    "displayName": "Policy Effect",
+                    "description": "The effect determines what happens when the policy rule is evaluated to match."
+                },
+                "allowedValues": [
+                    "AuditIfNotExists",
+                    "DeployIfNotExists",
+                    "Disabled"
+                ],
+                "defaultValue": "DeployIfNotExists"
+            }
+        },
+        "policyRule": {
+            "if": {
+                "allOf": [
+                    {
+                        "field": "type",
+                        "equals": "Microsoft.Compute/virtualMachines"
+                    },
+                    {
+                        "value": "[[requestContext().apiVersion]",
+                        "greaterOrEquals": "2018-10-01"
+                    }
+                ]
+            },
+            "then": {
+                "effect": "[[parameters('effect')]",
+                "details": {
+                    "type": "Microsoft.Compute/virtualMachines",
+                    "name": "[[field('name')]",
+                    "evaluationDelay": "AfterProvisioning",
+                    "deploymentScope": "subscription",
+                    "existenceCondition": {
+                        "anyOf": [
+                            {
+                                "allOf": [
+                                    {
+                                        "field": "identity.type",
+                                        "contains": "UserAssigned"
+                                    },
+                                    {
+                                        "field": "identity.userAssignedIdentities",
+                                        "containsKey": "[[if(parameters('bringYourOwnUserAssignedManagedIdentity'), concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('userAssignedIdentityName'))), concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/Built-In-Identity-RG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/Built-In-Identity-', field('location')))]"
+                                    }
+                                ]
+                            },
+                            {
+                                "allOf": [
+                                    {
+                                        "field": "identity.type",
+                                        "equals": "UserAssigned"
+                                    },
+                                    {
+                                        "value": "[[string(length(field('identity.userAssignedIdentities')))]",
+                                        "equals": "1"
+                                    }
+                                ]
+                            }
+                        ]
+                    },
+                    "roleDefinitionIds": [
+                        "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+                    ],
+                    "deployment": {
+                        "location": "eastus",
+                        "properties": {
+                            "mode": "incremental",
+                            "parameters": {
+                                "bringYourOwnUserAssignedManagedIdentity": {
+                                    "value": "[[parameters('bringYourOwnUserAssignedManagedIdentity')]"
+                                },
+                                "location": {
+                                    "value": "[[field('location')]"
+                                },
+                                "uaName": {
+                                    "value": "[[if(parameters('bringYourOwnUserAssignedManagedIdentity'), parameters('userAssignedIdentityName'), 'Built-In-Identity')]"
+                                },
+                                "identityResourceGroup": {
+                                    "value": "[[if(parameters('bringYourOwnUserAssignedManagedIdentity'), parameters('identityResourceGroup'), 'Built-In-Identity-RG')]"
+                                },
+                                "builtInIdentityResourceGroupLocation": {
+                                    "value": "[[parameters('builtInIdentityResourceGroupLocation')]"
+                                },
+                                "vmName": {
+                                    "value": "[[field('name')]"
+                                },
+                                "vmResourceGroup": {
+                                    "value": "[[resourceGroup().name]"
+                                },
+                                "resourceId": {
+                                    "value": "[[field('id')]"
+                                }
+                            },
+                            "template": {
+                                "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+                                "contentVersion": "1.0.0.1",
+                                "parameters": {
+                                    "bringYourOwnUserAssignedManagedIdentity": {
+                                        "type": "bool"
+                                    },
+                                    "location": {
+                                        "type": "string"
+                                    },
+                                    "uaName": {
+                                        "type": "string"
+                                    },
+                                    "identityResourceGroup": {
+                                        "type": "string"
+                                    },
+                                    "builtInIdentityResourceGroupLocation": {
+                                        "type": "string"
+                                    },
+                                    "vmName": {
+                                        "type": "string"
+                                    },
+                                    "vmResourceGroup": {
+                                        "type": "string"
+                                    },
+                                    "resourceId": {
+                                        "type": "string"
+                                    }
+                                },
+                                "variables": {
+                                    "uaNameWithLocation": "[[concat(parameters('uaName'),'-', parameters('location'))]",
+                                    "precreatedUaId": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('uaName')))]",
+                                    "autocreatedUaId": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('uaName')), '-', parameters('location'))]",
+                                    "deployUALockName": "[[concat('deployUALock-', uniqueString(deployment().name))]",
+                                    "deployUAName": "[[concat('deployUA-', uniqueString(deployment().name))]",
+                                    "deployGetResourceProperties": "[[concat('deployGetResourceProperties-', uniqueString(deployment().name))]",
+                                    "deployAssignUAName": "[[concat('deployAssignUA-', uniqueString(deployment().name))]"
+                                },
+                                "resources": [
+                                    {
+                                        "type": "Microsoft.Resources/resourceGroups",
+                                        "apiVersion": "2020-06-01",
+                                        "name": "[[parameters('identityResourceGroup')]",
+                                        "location": "[[parameters('builtInIdentityResourceGroupLocation')]"
+                                    },
+                                    {
+                                        "condition": "[[parameters('bringYourOwnUserAssignedManagedIdentity')]",
+                                        "type": "Microsoft.Resources/deployments",
+                                        "apiVersion": "2020-06-01",
+                                        "name": "[[variables('deployUALockName')]",
+                                        "resourceGroup": "[[parameters('identityResourceGroup')]",
+                                        "dependsOn": [
+                                            "[[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]"
+                                        ],
+                                        "properties": {
+                                            "mode": "Incremental",
+                                            "expressionEvaluationOptions": {
+                                                "scope": "inner"
+                                            },
+                                            "parameters": {
+                                                "uaName": {
+                                                    "value": "[[parameters('uaName')]"
+                                                },
+                                                "location": {
+                                                    "value": "[[parameters('location')]"
+                                                }
+                                            },
+                                            "template": {
+                                                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+                                                "contentVersion": "1.0.0.0",
+                                                "parameters": {
+                                                    "uaName": {
+                                                        "type": "string"
+                                                    },
+                                                    "location": {
+                                                        "type": "string"
+                                                    }
+                                                },
+                                                "variables": {},
+                                                "resources": [
+                                                    {
+                                                        "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
+                                                        "name": "[[parameters('uaName')]",
+                                                        "apiVersion": "2018-11-30",
+                                                        "location": "[[parameters('location')]"
+                                                    }
+                                                ]
+                                            }
+                                        }
+                                    },
+                                    {
+                                        "condition": "[[not(parameters('bringYourOwnUserAssignedManagedIdentity'))]",
+                                        "type": "Microsoft.Resources/deployments",
+                                        "apiVersion": "2020-06-01",
+                                        "name": "[[variables('deployUAName')]",
+                                        "resourceGroup": "[[parameters('identityResourceGroup')]",
+                                        "dependsOn": [
+                                            "[[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]"
+                                        ],
+                                        "properties": {
+                                            "mode": "Incremental",
+                                            "expressionEvaluationOptions": {
+                                                "scope": "inner"
+                                            },
+                                            "parameters": {
+                                                "uaName": {
+                                                    "value": "[[variables('uaNameWithLocation')]"
+                                                },
+                                                "location": {
+                                                    "value": "[[parameters('location')]"
+                                                }
+                                            },
+                                            "template": {
+                                                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+                                                "contentVersion": "1.0.0.0",
+                                                "parameters": {
+                                                    "uaName": {
+                                                        "type": "string"
+                                                    },
+                                                    "location": {
+                                                        "type": "string"
+                                                    }
+                                                },
+                                                "variables": {},
+                                                "resources": [
+                                                    {
+                                                        "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
+                                                        "name": "[[parameters('uaName')]",
+                                                        "apiVersion": "2018-11-30",
+                                                        "location": "[[parameters('location')]"
+                                                    },
+                                                    {
+                                                        "type": "Microsoft.ManagedIdentity/userAssignedIdentities/providers/locks",
+                                                        "apiVersion": "2016-09-01",
+                                                        "name": "[[concat(parameters('uaName'), '/Microsoft.Authorization/', 'CanNotDeleteLock-', parameters('uaName'))]",
+                                                        "dependsOn": [
+                                                            "[[parameters('uaName')]"
+                                                        ],
+                                                        "properties": {
+                                                            "level": "CanNotDelete",
+                                                            "notes": "Please do not delete this User-Assigned Identity since extensions enabled by Azure Policy are relying on their existence."
+                                                        }
+                                                    }
+                                                ]
+                                            }
+                                        }
+                                    },
+                                    {
+                                        "type": "Microsoft.Resources/deployments",
+                                        "apiVersion": "2020-06-01",
+                                        "name": "[[variables('deployGetResourceProperties')]",
+                                        "location": "[[parameters('location')]",
+                                        "dependsOn": [
+                                            "[[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]",
+                                            "[[variables('deployUAName')]"
+                                        ],
+                                        "properties": {
+                                            "mode": "Incremental",
+                                            "template": {
+                                                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+                                                "contentVersion": "1.0.0.0",
+                                                "resources": [],
+                                                "outputs": {
+                                                    "resource": {
+                                                        "type": "object",
+                                                        "value": "[[reference(parameters('resourceId'), '2019-07-01', 'Full')]"
+                                                    }
+                                                }
+                                            }
+                                        }
+                                    },
+                                    {
+                                        "type": "Microsoft.Resources/deployments",
+                                        "apiVersion": "2020-06-01",
+                                        "name": "[[concat(variables('deployAssignUAName'))]",
+                                        "resourceGroup": "[[parameters('vmResourceGroup')]",
+                                        "dependsOn": [
+                                            "[[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]",
+                                            "[[variables('deployUAName')]",
+                                            "[[variables('deployGetResourceProperties')]"
+                                        ],
+                                        "properties": {
+                                            "mode": "Incremental",
+                                            "expressionEvaluationOptions": {
+                                                "scope": "inner"
+                                            },
+                                            "parameters": {
+                                                "uaId": {
+                                                    "value": "[[if(parameters('bringYourOwnUserAssignedManagedIdentity'), variables('precreatedUaId'), variables('autocreatedUaId'))]"
+                                                },
+                                                "vmName": {
+                                                    "value": "[[parameters('vmName')]"
+                                                },
+                                                "location": {
+                                                    "value": "[[parameters('location')]"
+                                                },
+                                                "identityType": {
+                                                    "value": "[[if(contains(reference(variables('deployGetResourceProperties')).outputs.resource.value, 'identity'), reference(variables('deployGetResourceProperties')).outputs.resource.value.identity.type, '')]"
+                                                },
+                                                "userAssignedIdentities": {
+                                                    "value": "[[if(and(contains(reference(variables('deployGetResourceProperties')).outputs.resource.value, 'identity'), contains(reference(variables('deployGetResourceProperties')).outputs.resource.value.identity, 'userAssignedIdentities')), reference(variables('deployGetResourceProperties')).outputs.resource.value.identity.userAssignedIdentities, createObject())]"
+                                                }
+                                            },
+                                            "template": {
+                                                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+                                                "contentVersion": "1.0.0.0",
+                                                "parameters": {
+                                                    "uaId": {
+                                                        "type": "string"
+                                                    },
+                                                    "vmName": {
+                                                        "type": "string"
+                                                    },
+                                                    "location": {
+                                                        "type": "string"
+                                                    },
+                                                    "identityType": {
+                                                        "type": "string"
+                                                    },
+                                                    "userAssignedIdentities": {
+                                                        "type": "object"
+                                                    }
+                                                },
+                                                "variables": {
+                                                    "identityTypeValue": "[[if(contains(parameters('identityType'), 'SystemAssigned'), 'SystemAssigned,UserAssigned', 'UserAssigned')]",
+                                                    "userAssignedIdentitiesValue": "[[union(parameters('userAssignedIdentities'), createObject(parameters('uaId'), createObject()))]",
+                                                    "resourceWithSingleUAI": "[[and(equals(parameters('identityType'), 'UserAssigned'), equals(string(length(parameters('userAssignedIdentities'))), '1'))]"
+                                                },
+                                                "resources": [
+                                                    {
+                                                        "condition": "[[not(variables('resourceWithSingleUAI'))]",
+                                                        "apiVersion": "2019-07-01",
+                                                        "type": "Microsoft.Compute/virtualMachines",
+                                                        "name": "[[parameters('vmName')]",
+                                                        "location": "[[parameters('location')]",
+                                                        "identity": {
+                                                            "type": "[[variables('identityTypeValue')]",
+                                                            "userAssignedIdentities": "[[variables('userAssignedIdentitiesValue')]"
+                                                        }
+                                                    }
+                                                ]
+                                            }
+                                        }
+                                    }
+                                ]
+                            }
+                        }
+                    }
+                }
+            }
+        }
+    }
+}
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.json
index e54e3c06b..bd7e7f995 100644
--- a/src/resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.json
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.json
@@ -8,7 +8,7 @@
     "displayName": "Public network access should be disabled for PaaS services",
     "description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints",
     "metadata": {
-      "version": "3.1.0",
+      "version": "3.2.0",
       "category": "Network",
       "source": "https://github.com/Azure/Enterprise-Scale/",
       "alzCloudEnvironments": [
@@ -274,6 +274,19 @@
           "Disabled"
         ],
         "defaultValue": "AuditIfNotExists"
+      },
+      "ContainerAppsEnvironmentDenyEffect" : {
+        "type": "String",
+        "metadata": {
+          "displayName": "Container Apps environment should disable public network access",
+          "description": "This policy denies creation of Container Apps Environment with exposed public endpoints"
+        },
+        "allowedValues": [
+          "Audit",
+          "Deny",
+          "Disabled"
+        ],
+        "defaultValue": "Deny"
       }
     },
     "policyDefinitions": [
@@ -476,8 +489,18 @@
           }
         },
         "groupNames": []
+      },
+      {
+        "policyDefinitionReferenceId": "ContainerAppsEnvironmentDenyPublicIP",
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d074ddf8-01a5-4b5e-a2b8-964aed452c0a",
+        "parameters": {
+          "effect": {
+            "value": "[[parameters('ContainerAppsEnvironmentDenyEffect')]"
+          }
+        },
+        "groupNames": []
       }
     ],
     "policyDefinitionGroups": null
   }
-}
+}
\ No newline at end of file
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-AUM-CheckUpdates.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-AUM-CheckUpdates.json
new file mode 100644
index 000000000..21d11434e
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-AUM-CheckUpdates.json
@@ -0,0 +1,153 @@
+{
+    "name": "Deploy-AUM-CheckUpdates",
+    "type": "Microsoft.Authorization/policySetDefinitions",
+    "apiVersion": "2021-06-01",
+    "scope": null,
+    "properties": {
+        "policyType": "Custom",
+        "displayName": "Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines",
+        "description": "Configure auto-assessment (every 24 hours) for OS updates. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.",
+        "metadata": {
+            "version": "1.0.0",
+            "category": "Security Center",
+            "source": "https://github.com/Azure/Enterprise-Scale/",
+            "alzCloudEnvironments": [
+                "AzureCloud"
+            ]
+        },
+        "parameters": {
+            "assessmentMode": {
+                "type": "String",
+                "metadata": {
+                    "displayName": "Assessment mode",
+                    "description": "Assessment mode for the machines."
+                },
+                "allowedValues": [
+                    "ImageDefault",
+                    "AutomaticByPlatform"
+                ],
+                "defaultValue": "AutomaticByPlatform"
+            },
+            "locations": {
+                "type": "Array",
+                "metadata": {
+                    "displayName": "Machines locations",
+                    "description": "The list of locations from which machines need to be targeted.",
+                    "strongType": "location"
+                },
+                "defaultValue": []
+            },
+            "tagValues": {
+                "type": "Object",
+                "metadata": {
+                    "displayName": "Tags on machines",
+                    "description": "The list of tags that need to matched for getting target machines."
+                },
+                "defaultValue": {}
+            },
+            "tagOperator": {
+                "type": "String",
+                "metadata": {
+                    "displayName": "Tag operator",
+                    "description": "Matching condition for resource tags"
+                },
+                "allowedValues": [
+                    "All",
+                    "Any"
+                ],
+                "defaultValue": "Any"
+            }
+        },
+        "policyDefinitions": [
+            {
+                "policyDefinitionReferenceId": "azureUpdateManagerVmCheckUpdateWindows",
+                "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15",
+                "parameters": {
+                    "assessmentMode": {
+                        "value": "[[parameters('assessmentMode')]"
+                    },
+                    "osType": {
+                        "value": "Windows"
+                    },
+                    "locations": {
+                        "value": "[[parameters('locations')]"
+                    },
+                    "tagValues": {
+                        "value": "[[parameters('tagValues')]"
+                    },
+                    "tagOperator": {
+                        "value": "[[parameters('tagOperator')]"
+                    }
+                },
+                "groupNames": []
+            },
+            {
+                "policyDefinitionReferenceId": "azureUpdateManagerVmCheckUpdateLinux",
+                "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15",
+                "parameters": {
+                    "assessmentMode": {
+                        "value": "[[parameters('assessmentMode')]"
+                    },
+                    "osType": {
+                        "value": "Linux"
+                    },
+                    "locations": {
+                        "value": "[[parameters('locations')]"
+                    },
+                    "tagValues": {
+                        "value": "[[parameters('tagValues')]"
+                    },
+                    "tagOperator": {
+                        "value": "[[parameters('tagOperator')]"
+                    }
+                },
+                "groupNames": []
+            },
+            {
+                "policyDefinitionReferenceId": "azureUpdateManagerVmArcCheckUpdateWindows",
+                "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46",
+                "parameters": {
+                    "assessmentMode": {
+                        "value": "[[parameters('assessmentMode')]"
+                    },
+                    "osType": {
+                        "value": "Windows"
+                    },
+                    "locations": {
+                        "value": "[[parameters('locations')]"
+                    },
+                    "tagValues": {
+                        "value": "[[parameters('tagValues')]"
+                    },
+                    "tagOperator": {
+                        "value": "[[parameters('tagOperator')]"
+                    }
+                },
+                "groupNames": []
+            },
+            {
+                "policyDefinitionReferenceId": "azureUpdateManagerVmArcCheckUpdateLinux",
+                "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46",
+                "parameters": {
+                    "assessmentMode": {
+                        "value": "[[parameters('assessmentMode')]"
+                    },
+                    "osType": {
+                        "value": "Linux"
+                    },
+                    "locations": {
+                        "value": "[[parameters('locations')]"
+                    },
+                    "tagValues": {
+                        "value": "[[parameters('tagValues')]"
+                    },
+                    "tagOperator": {
+                        "value": "[[parameters('tagOperator')]"
+                    }
+                },
+                "groupNames": []
+            }
+        ],
+        "policyDefinitionGroups": null
+    }
+}
\ No newline at end of file
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config.json
index 9c10da730..ee9d3ca5e 100644
--- a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config.json
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config.json
@@ -8,7 +8,7 @@
         "displayName": "Deploy Microsoft Defender for Cloud configuration",
         "description": "Deploy Microsoft Defender for Cloud configuration",
         "metadata": {
-            "version": "6.0.1",
+            "version": "7.0.0",
             "category": "Security Center",
             "source": "https://github.com/Azure/Enterprise-Scale/",
             "alzCloudEnvironments": [
@@ -434,6 +434,13 @@
                     }
                 },
                 "groupNames": []
+            },
+            {
+                "policyDefinitionReferenceId": "migrateToMdeTvm",
+                "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888",
+                "parameters": {
+                },
+                "groupNames": []
             }
         ],
         "policyDefinitionGroups": null
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-DefenderSQL-AMA.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-DefenderSQL-AMA.json
new file mode 100644
index 000000000..f497ab83c
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-DefenderSQL-AMA.json
@@ -0,0 +1,237 @@
+{
+  "name": "Deploy-MDFC-DefenderSQL-AMA",
+  "type": "Microsoft.Authorization/policySetDefinitions",
+  "apiVersion": "2021-06-01",
+  "scope": null,
+  "properties": {
+    "policyType": "Custom",
+    "displayName": "Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace",
+    "description": "Microsoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace.",
+    "metadata": {
+      "version": "1.0.0",
+      "category": "Security Center",
+      "source": "https://github.com/Azure/Enterprise-Scale/",
+      "alzCloudEnvironments": [
+        "AzureCloud"
+      ]
+    },
+    "parameters": {
+      "effect": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Effect",
+          "description": "Enable or disable the execution of the policy"
+        },
+        "allowedValues": [
+          "DeployIfNotExists",
+          "Disabled"
+        ],
+        "defaultValue": "DeployIfNotExists"
+      },
+      "workspaceRegion": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Workspace region",
+          "description": "Region of the Log Analytics workspace destination for the Data Collection Rule.",
+          "strongType": "location"
+        }
+      },
+      "dcrName": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Data Collection Rule Name",
+          "description": "Name of the Data Collection Rule."
+        }
+      },
+      "dcrResourceGroup": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Data Collection Rule Resource Group",
+          "description": "Resource Group of the Data Collection Rule."
+        }
+      },
+      "dcrId": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Data Collection Rule Id",
+          "description": "Id of the Data Collection Rule."
+        }
+      },
+      "userWorkspaceResourceId": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Workspace Resource Id",
+          "description": "Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.",
+          "strongType": "omsWorkspace"
+        }
+      },
+      "enableCollectionOfSqlQueriesForSecurityResearch": {
+        "type": "Boolean",
+        "metadata": {
+          "displayName": "Enable collection of SQL queries for security research",
+          "description": "Enable or disable the collection of SQL queries for security research."
+        },
+        "allowedValues": [
+          true,
+          false
+        ],
+        "defaultValue": false
+      },
+      "identityResourceGroup": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Identity Resource Group",
+          "description": "The name of the resource group created by the policy."
+        },
+        "defaultValue": ""
+      },
+      "userAssignedIdentityName": {
+        "type": "String",
+        "metadata": {
+          "displayName": "User Assigned Managed Identity Name",
+          "description": "The name of the user assigned managed identity."
+        },
+        "defaultValue": ""
+      }
+    },
+    "policyDefinitions": [
+      {
+        "policyDefinitionReferenceId": "defenderForSqlArcAma",
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3592ff98-9787-443a-af59-4505d0fe0786",
+        "parameters": {
+          "effect": {
+            "value": "[[parameters('effect')]"
+          }
+        },
+        "groupNames": []
+      },
+      {
+        "policyDefinitionReferenceId": "defenderForSqlArcMdsql",
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/65503269-6a54-4553-8a28-0065a8e6d929",
+        "parameters": {
+          "effect": {
+            "value": "[[parameters('effect')]"
+          }
+        },
+        "groupNames": []
+      },
+      {
+        "policyDefinitionReferenceId": "defenderForSqlArcMdsqlDcr",
+        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-Sql-DefenderSQL-DCR",
+        "parameters": {
+          "effect": {
+            "value": "[[parameters('effect')]"
+          },
+          "userWorkspaceResourceId": {
+            "value": "[[parameters('userWorkspaceResourceId')]"
+          },
+          "workspaceRegion": {
+            "value": "[[parameters('workspaceRegion')]"
+          },
+          "enableCollectionOfSqlQueriesForSecurityResearch": {
+            "value": "[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]"
+          },
+          "dcrName": {
+            "value": "[[parameters('dcrName')]"
+          },
+          "dcrResourceGroup": {
+            "value": "[[parameters('dcrResourceGroup')]"
+          },
+          "dcrId": {
+            "value": "[[parameters('dcrId')]"
+          }
+        },
+        "groupNames": []
+      },
+      {
+        "policyDefinitionReferenceId": "defenderForSqlArcDcrAssociation",
+        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-SQL-DCR-Association",
+        "parameters": {
+          "effect": {
+            "value": "[[parameters('effect')]"
+          },
+          "workspaceRegion": {
+            "value": "[[parameters('workspaceRegion')]"
+          },
+          "dcrName": {
+            "value": "[[parameters('dcrName')]"
+          },
+          "dcrResourceGroup": {
+            "value": "[[parameters('dcrResourceGroup')]"
+          },
+          "dcrId": {
+            "value": "[[parameters('dcrId')]"
+          }
+        },
+        "groupNames": []
+      },
+      {
+        "policyDefinitionReferenceId": "defenderForSqlAma",
+        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-AMA",
+        "parameters": {
+          "effect": {
+            "value": "[[parameters('effect')]"
+          },
+          "identityResourceGroup": {
+            "value": "[[parameters('identityResourceGroup')]"
+          },
+          "userAssignedIdentityName": {
+            "value": "[[parameters('userAssignedIdentityName')]"
+          }
+        },
+        "groupNames": []
+      },
+      {
+        "policyDefinitionReferenceId": "defenderForSqlMdsql",
+        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL",
+        "parameters": {
+          "effect": {
+            "value": "[[parameters('effect')]"
+          },
+          "workspaceRegion": {
+            "value": "[[parameters('workspaceRegion')]"
+          },
+          "dcrResourceGroup": {
+            "value": "[[parameters('dcrResourceGroup')]"
+          },
+          "dcrName": {
+            "value": "[[parameters('dcrName')]"
+          },
+          "dcrId": {
+            "value": "[[parameters('dcrId')]"
+          }
+        },
+        "groupNames": []
+      },
+      {
+        "policyDefinitionReferenceId": "defenderForSqlMdsqlDcr",
+        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL-DCR",
+        "parameters": {
+          "effect": {
+            "value": "[[parameters('effect')]"
+          },
+          "userWorkspaceResourceId": {
+            "value": "[[parameters('userWorkspaceResourceId')]"
+          },
+          "workspaceRegion": {
+            "value": "[[parameters('workspaceRegion')]"
+          },
+          "enableCollectionOfSqlQueriesForSecurityResearch": {
+            "value": "[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]"
+          },
+          "dcrName": {
+            "value": "[[parameters('dcrName')]"
+          },
+          "dcrResourceGroup": {
+            "value": "[[parameters('dcrResourceGroup')]"
+          },
+          "dcrId": {
+            "value": "[[parameters('dcrId')]"
+          }
+        },
+        "groupNames": []
+      }
+    ],
+    "policyDefinitionGroups": null
+  }
+}
\ No newline at end of file
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.json
index d633aa9c8..1c664daf7 100644
--- a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.json
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.json
@@ -8,7 +8,7 @@
     "displayName": "Configure Azure PaaS services to use private DNS zones",
     "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones",
     "metadata": {
-      "version": "2.1.1",
+      "version": "2.1.2",
       "category": "Network",
       "source": "https://github.com/Azure/Enterprise-Scale/",
       "alzCloudEnvironments": [
@@ -672,7 +672,7 @@
         "groupNames": []
       },
       {
-        "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Databrics-UI-Api",
+        "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Databricks-UI-Api",
         "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c",
         "parameters": {
           "privateDnsZoneId": {
@@ -688,7 +688,7 @@
         "groupNames": []
       },
       {
-        "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Databrics-Browser-AuthN",
+        "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Databricks-Browser-AuthN",
         "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c",
         "parameters": {
           "privateDnsZoneId": {
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit.json
index 0e3d731af..840c33c8b 100644
--- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit.json
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit.json
@@ -8,7 +8,7 @@
     "displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit",
     "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. ",
     "metadata": {
-      "version": "2.0.0",
+      "version": "2.1.0",
       "category": "Encryption",
       "source": "https://github.com/Azure/Enterprise-Scale/",
       "alzCloudEnvironments": [
@@ -360,6 +360,19 @@
           "Deny",
           "Disabled"
         ]
+      },
+      "ContainerAppsHttpsOnlyEffect": {
+        "metadata": {
+          "displayName": "Container Apps should only be accessible over HTTPS",
+          "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps."
+        },
+        "type": "String",
+        "defaultValue": "Deny",
+        "allowedValues": [
+          "Audit",
+          "Deny",
+          "Disabled"
+        ]
       }
     },
     "policyDefinitions": [
@@ -611,8 +624,18 @@
           }
         },
         "groupNames": []
+      },
+      {
+        "policyDefinitionReferenceId": "ContainerAppsHttpsOnlyEffect",
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb",
+        "parameters": {
+          "effect": {
+            "value": "[[parameters('ContainerAppsHttpsOnlyEffect')]"
+          }
+        },
+        "groupNames": []
       }
     ],
     "policyDefinitionGroups": null
   }
-}
+}
\ No newline at end of file
diff --git a/src/templates/policies.bicep b/src/templates/policies.bicep
index 29b9776ed..b51d18f5b 100644
--- a/src/templates/policies.bicep
+++ b/src/templates/policies.bicep
@@ -179,6 +179,12 @@ var loadPolicyDefinitions = {
     loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Audit-PrivateLinkDnsZones.json')
     loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs.json')
     loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs.json')
+    loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-UserAssignedManagedIdentity-VMInsights.json')
+    loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-SQL-DCR-Association.json')
+    loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-SQL-DefenderSQL-DCR.json')
+    loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-AMA.json')
+    loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL-DCR.json')
+    loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL.json')
   ]
   AzureCloud: [
     loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Audit-MachineLearning-PrivateEndpointId.json') // Needs validating in AzureChinaCloud and AzureUSGovernment
@@ -227,6 +233,7 @@ var loadPolicySetDefinitions = {
     loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.json')
     loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Sandbox.json')
     loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/DenyAction-DeleteProtection.json')
+    loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-AUM-CheckUpdates.json')
   ]
   AzureCloud: [
     loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.json') // See AzureChinaCloud and AzureUSGovernment comments below for reasoning
@@ -235,6 +242,7 @@ var loadPolicySetDefinitions = {
     loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.json') // See AzureChinaCloud and AzureUSGovernment comments below for reasoning
     loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.json') // See AzureChinaCloud and AzureUSGovernment comments below for reasoning
     loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-ACSB.json') // Unable to validate if Guest Configuration is working in other clouds
+    loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-DefenderSQL-AMA.json')
   ]
   AzureChinaCloud: [
     loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.AzureChinaCloud.json') // Due to missing built-in Policy Definitions ()