Azure · robga · Jul 7, 2025 · Jul 3, 2025
@@ -5,10 +5,10 @@
     "mode": "Indexed",
     "description": "Injecting App Service Apps in a virtual network unlocks advanced App Service networking and security features and provides you with greater control over your network security configuration. Learn more at: https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet.",
     "metadata": {
-      "version": "1.1.0",
+      "version": "1.2.0",
       "category": "App Service"
     },
-    "version": "1.1.0",
+    "version": "1.2.0",
     "parameters": {
       "effect": {
         "type": "string",
@@ -32,16 +32,8 @@
             "equals": "Microsoft.Web/sites/slots"
           },
           {
-            "anyOf": [
-              {
-                "field": "Microsoft.Web/sites/slots/virtualNetworkSubnetId",
-                "exists": "false"
-              },
-              {
-                "field": "Microsoft.Web/sites/slots/virtualNetworkSubnetId",
-                "equals": ""
-              }
-            ]
+            "field": "Microsoft.Web/sites/slots/virtualNetworkSubnetId",
+            "equals": ""
           }
         ]
       },
@@ -50,6 +42,7 @@
       }
     },
     "versions": [
+      "1.2.0",
       "1.1.0",
       "1.0.0"
     ]

@@ -5,10 +5,10 @@
     "mode": "Indexed",
     "description": "Injecting App Service Apps in a virtual network unlocks advanced App Service networking and security features and provides you with greater control over your network security configuration. Learn more at: https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet.",
     "metadata": {
-      "version": "3.1.0",
+      "version": "3.2.0",
       "category": "App Service"
     },
-    "version": "3.1.0",
+    "version": "3.2.0",
     "parameters": {
       "effect": {
         "type": "string",
@@ -32,16 +32,8 @@
             "equals": "Microsoft.Web/sites"
           },
           {
-            "anyOf": [
-              {
-                "field": "Microsoft.Web/sites/virtualNetworkSubnetId",
-                "exists": "false"
-              },
-              {
-                "field": "Microsoft.Web/sites/virtualNetworkSubnetId",
-                "equals": ""
-              }
-            ]
+            "field": "Microsoft.Web/sites/virtualNetworkSubnetId",
+            "equals": ""
           }
         ]
       },
@@ -50,6 +42,7 @@
       }
     },
     "versions": [
+      "3.2.0",
       "3.1.0",
       "3.0.0"
     ]

@@ -5,7 +5,7 @@
     "mode": "Indexed",
     "description": "Creates a Guest Configuration assignment to configure disabling local users on Windows Server. This ensures that Windows Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture.",
     "metadata": {
-      "version": "1.2.0-preview",
+      "version": "1.3.0-preview",
       "preview": true,
       "category": "Guest Configuration",
       "requiredProviders": [
@@ -19,7 +19,7 @@
         }
       }
     },
-    "version": "1.2.0-preview",
+    "version": "1.3.0-preview",
     "parameters": {
       "IncludeArcMachines": {
         "type": "string",
@@ -264,6 +264,7 @@
           "roleDefinitionIds": [
             "/providers/microsoft.authorization/roleDefinitions/088ab73d-1256-47ae-bea9-9de8e7131f31"
           ],
+          "evaluationDelay": "AfterProvisioning",
           "existenceCondition": {
             "allOf": [
               {
@@ -385,6 +386,7 @@
       }
     },
     "versions": [
+      "1.3.0-PREVIEW",
       "1.2.0-PREVIEW"
     ]
   },

@@ -5,7 +5,7 @@
     "mode": "Indexed",
     "description": "Creates a Guest Configuration assignment to configure disabling local users on Linux Server. This ensures that Linux Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture.",
     "metadata": {
-      "version": "1.3.0-preview",
+      "version": "1.4.0-preview",
       "category": "Guest Configuration",
       "requiredProviders": [
         "Microsoft.GuestConfiguration"
@@ -18,7 +18,7 @@
         }
       }
     },
-    "version": "1.3.0-preview",
+    "version": "1.4.0-preview",
     "parameters": {
       "IncludeArcMachines": {
         "type": "string",
@@ -279,6 +279,7 @@
           "roleDefinitionIds": [
             "/providers/microsoft.authorization/roleDefinitions/088ab73d-1256-47ae-bea9-9de8e7131f31"
           ],
+          "evaluationDelay": "AfterProvisioning",
           "existenceCondition": {
             "allOf": [
               {
@@ -400,6 +401,7 @@
       }
     },
     "versions": [
+      "1.4.0-PREVIEW",
       "1.3.0-PREVIEW",
       "1.2.0-PREVIEW"
     ]

@@ -6,9 +6,9 @@
     "description": "This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",
     "metadata": {
       "category": "Guest Configuration",
-      "version": "3.1.0"
+      "version": "3.2.0"
     },
-    "version": "3.1.0",
+    "version": "3.2.0",
     "policyRule": {
       "if": {
         "allOf": [
@@ -191,6 +191,7 @@
           "roleDefinitionIds": [
             "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
           ],
+          "evaluationDelay": "AfterProvisioning",
           "type": "Microsoft.Compute/virtualMachines/extensions",
           "name": "AzurePolicyforLinux",
           "existenceCondition": {
@@ -255,6 +256,7 @@
       }
     },
     "versions": [
+      "3.2.0",
       "3.1.0",
       "3.0.0"
     ]

@@ -6,9 +6,9 @@
     "description": "This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.",
     "metadata": {
       "category": "Guest Configuration",
-      "version": "1.2.0"
+      "version": "1.3.0"
     },
-    "version": "1.2.0",
+    "version": "1.3.0",
     "policyRule": {
       "if": {
         "allOf": [
@@ -175,6 +175,7 @@
           "roleDefinitionIds": [
             "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
           ],
+          "evaluationDelay": "AfterProvisioning",
           "type": "Microsoft.Compute/virtualMachines/extensions",
           "name": "AzurePolicyforWindows",
           "existenceCondition": {
@@ -239,6 +240,7 @@
       }
     },
     "versions": [
+      "1.3.0",
       "1.2.0"
     ]
   },

@@ -5,7 +5,7 @@
     "mode": "Indexed",
     "description": "This policy audits and configures SSH server security configuration on Linux machines (Azure VMs and Arc-enabled machines). For more information including pre-requisites, settings in scope, defaults, and customization, see https://aka.ms/SshPostureControlOverview",
     "metadata": {
-      "version": "1.0.1",
+      "version": "1.1.0",
       "category": "Guest Configuration",
       "requiredProviders": [
         "Microsoft.GuestConfiguration"
@@ -36,7 +36,7 @@
         }
       }
     },
-    "version": "1.0.1",
+    "version": "1.1.0",
     "parameters": {
       "IncludeArcMachines": {
         "type": "string",
@@ -454,6 +454,7 @@
           "roleDefinitionIds": [
             "/providers/microsoft.authorization/roleDefinitions/088ab73d-1256-47ae-bea9-9de8e7131f31"
           ],
+          "evaluationDelay": "AfterProvisioning",
           "name": "SetLinuxSshServerSecurityBaseline",
           "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
           "existenceCondition": {
@@ -901,6 +902,7 @@
       }
     },
     "versions": [
+      "1.1.0",
       "1.0.1",
       "1.0.0-PREVIEW"
     ]

@@ -5,7 +5,7 @@
     "mode": "Indexed",
     "description": "Creates a Guest Configuration assignment to configure specified secure protocol version(TLS 1.1 or TLS 1.2) on Windows machine.",
     "metadata": {
-      "version": "1.0.1",
+      "version": "1.1.0",
       "category": "Guest Configuration",
       "requiredProviders": [
         "Microsoft.GuestConfiguration"
@@ -19,7 +19,7 @@
         }
       }
     },
-    "version": "1.0.1",
+    "version": "1.1.0",
     "parameters": {
       "IncludeArcMachines": {
         "type": "string",
@@ -279,6 +279,7 @@
           "roleDefinitionIds": [
             "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
           ],
+          "evaluationDelay": "AfterProvisioning",
           "existenceCondition": {
             "allOf": [
               {
@@ -418,6 +419,7 @@
       }
     },
     "versions": [
+      "1.1.0",
       "1.0.1"
     ]
   },

@@ -5,7 +5,7 @@
     "mode": "Indexed",
     "description": "This policy creates a Guest Configuration assignment to set specified time zone on Windows virtual machines.",
     "metadata": {
-      "version": "3.0.0",
+      "version": "3.1.0",
       "category": "Guest Configuration",
       "requiredProviders": [
         "Microsoft.GuestConfiguration"
@@ -18,7 +18,7 @@
         }
       }
     },
-    "version": "3.0.0",
+    "version": "3.1.0",
     "parameters": {
       "IncludeArcMachines": {
         "type": "string",
@@ -390,6 +390,7 @@
           "roleDefinitionIds": [
             "/providers/microsoft.authorization/roleDefinitions/088ab73d-1256-47ae-bea9-9de8e7131f31"
           ],
+          "evaluationDelay": "AfterProvisioning",
           "name": "SetWindowsTimeZone",
           "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
           "existenceCondition": {
@@ -493,6 +494,7 @@
       }
     },
     "versions": [
+      "3.1.0",
       "3.0.0",
       "2.1.0"
     ]

@@ -0,0 +1,63 @@
+{
+  "properties": {
+    "displayName": "Azure Machine Learning workspaces should be encrypted with the use of a customer-managed key",
+    "description": "Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/azureml-workspaces-cmk.",
+    "policyType": "BuiltIn",
+    "mode": "Indexed",
+    "metadata": {
+      "category": "Machine Learning",
+      "version": "1.0.0"
+    },
+    "version": "1.0.0",
+    "parameters": {
+      "effect": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Effect",
+          "description": "Enable or disable the execution of the policy"
+        },
+        "allowedValues": [
+          "AuditIfNotExists",
+          "Disabled"
+        ],
+        "defaultValue": "AuditIfNotExists"
+      }
+    },
+    "policyRule": {
+      "if": {
+        "allOf": [
+          {
+            "field": "type",
+            "equals": "Microsoft.MachineLearningServices/workspaces"
+          },
+          {
+            "not": {
+              "field": "kind",
+              "equals": "project"
+            }
+          }
+        ]
+      },
+      "then": {
+        "effect": "[parameters('effect')]",
+        "details": {
+          "type": "Microsoft.MachineLearningServices/workspaces",
+          "name": "[field('name')]",
+          "existenceCondition": {
+            "allOf": [
+              {
+                "field": "Microsoft.MachineLearningServices/workspaces/encryption.status",
+                "equals": "Enabled"
+              }
+            ]
+          }
+        }
+      }
+    },
+    "versions": [
+      "1.0.0"
+    ]
+  },
+  "id": "/providers/Microsoft.Authorization/policyDefinitions/7f40cee6-e933-4d0f-a782-b96615e0f4a6",
+  "name": "7f40cee6-e933-4d0f-a782-b96615e0f4a6"
+}