6.7.0 alz pa checker

.azuredevops/pipelines/AzGovViz.variables.yml

@@ -1,4 +1,4 @@
-# Azure Governance Visualizer v6_major_20231113_1
+# Azure Governance Visualizer 6.7.0
 # First things first:
 # 1. Replace <YourServiceConnection> with the name of your service connection
 # 2. Replace <YourManagementGroupId> with the your ManagementGroupId
@@ -340,6 +340,16 @@ variables:
     # Switch | example: value: true
     value:
 
+  # Execute Azure Landing Zones (ALZ) Policy Assignments Checker
+  - name: ALZPolicyAssignmentsChecker
+    # Switch | example: value: true
+    value:
+
+  # ALZ Management Group Ids for the Azure Landing Zones (ALZ) Policy Assignments Checker
+  - name: ALZManagementGroupsIds
+    # Hashtable | example:
+    value: '@{"root"= "alz-root";"platform"="alz-platform";"connectivity"="alz-connectivity";"identity"="alz-identity";"management"="alz-management";"landing_zones"="alz-landing-zones";"corp"="alz-corp";"online"="alz-online";"sandboxes"="alz-sandboxes";"decommissioned"="alz-decommissioned"}'
+
 # Create a dedicated DefinitionInsights HTML file
   - name: NoDefinitionInsightsDedicatedHTML
     # Switch | example: value: true
@@ -369,4 +379,4 @@ variables:
     value: ${{ join(',',parameters.StorageAccountAccessAnalysisSubscriptionTagsParameters) }}
 
   - name: StorageAccountAccessAnalysisStorageAccountTags
-    value: ${{ join(',',parameters.StorageAccountAccessAnalysisStorageAccountTagsParameters) }}
+    value: ${{ join(',',parameters.StorageAccountAccessAnalysisStorageAccountTagsParameters) }}

history.md

@@ -4,6 +4,12 @@
 
 ### Azure Governance Visualizer version 6
 
+**Changes** (2025-May-19 / 6.7.0 Minor)
+
+- New feature "ALZ Policy Assignments Checker" - This new view, will compare the current deployed ALZ hierarchy with the ALZ archetypes definitions and point out the missing policy assignments. It will also reference the missing policy assignments' payloads and [AzAdvertizer](https://www.azadvertizer.net/) links.
+  - New switch-parameter `-ALZPolicyAssignmentsChecker` - Execute the ALZPolicyAssignmentsChecker feature
+  - New Parameter `-ALZManagementGroupsIds` - Provide the Management Group Ids of the deployed ALZ hierarchy (more details: [Parameters](#parameters))
+
 **Changes** (2025-May-01 / 6.6.3 Patch)
 
 - [issue53](https://github.com/Azure/Azure-Governance-Visualizer/issues/53)
@@ -14,6 +20,9 @@
   - update API-version `2020-07-01-preview` to `2023-01-01` for '/subscriptions/`subscriptionId`/providers/Microsoft.Advisor/advisorScore'
 - [issue276](https://github.com/JulianHayward/Azure-MG-Sub-Governance-Reporting/issues/276) 
   - fix -> Getting Microsoft Defender for Cloud Secure Score for Subscription; skip on error-code `431 (RequestHeaderFieldsTooLarge)` 
+- New feature "ALZ Policy Assignments Checker" - This new view, will compare the current deployed ALZ hierarchy with the ALZ archetypes definitions and point out the missing policy assignments. It will also reference the missing policy assignments' payloads and [AzAdvertizer](https://www.azadvertizer.net/) links.
+  - New switch-parameter `-ALZPolicyAssignmentsChecker` - Execute the ALZPolicyAssignmentsChecker feature
+  - New Parameter `-ALZManagementGroupsIds` - Provide the Management Group Ids of the deployed ALZ hierarchy (more details:[Parameters](#parameters))
 
 **Changes** (2024-November-01 / 6.6.1 Patch)
 

pwsh/dev/devAzGovVizParallel.ps1

@@ -167,6 +167,27 @@
     If you do not want to execute the 'Azure Landing Zones (ALZ) Policy Version Checker' feature then use this parameter
     PS C:\>.\AzGovVizParallel.ps1 -ManagementGroupId <your-Management-Group-Id> -NoALZPolicyVersionChecker
 
+.Parameter ALZPolicyAssignmentsChecker
+    'Azure Landing Zones (ALZ) Policy Assignments Checker' for Policy and Set assignments. Azure Governance Visualizer will clone the ALZ Library GitHub repository and collect the standard ALZ policy and set assignments. The ALZ data will be compared with the data from your tenant so that you can get an inventory for ALZ policy and set assignments that already exist in your tenant and compare with the standard assignments of ALZ. The 'Azure Landing Zones (ALZ) Policy Assignments Checker' results will be displayed in the TenantSummary.
+    If you do want to execute the 'Azure Landing Zones (ALZ) Policy Version Checker' feature then use this parameter
+    PS C:\>.\AzGovVizParallel.ps1 -ManagementGroupId <your-Management-Group-Id> -NoALZPolicyVersionChecker
+
+.Parameter ALZManagementGroupsIds
+    'Azure Landing Zones (ALZ) Management groups Ids'. This is the list of Ids of the ALZ management groups hierarchy.
+    This is required if ALZPolicyAssignmentsChecker is enabled. If a management group Id is not provided, the default Id will be checked
+    PS C:\>.\AzGovVizParallel.ps1 -ManagementGroupId <your-Management-Group-Id> -ALZPolicyAssignmentsChecker -ALZManagementGroupsIds @{
+        root           = '<Intermediary root management group Id>'
+        platform       = '<Platform management group Id>'
+        connectivity   = '<Connectivity management group Id>'
+        identity       = '<Identity management group Id>'
+        management     = '<Management management group Id>'
+        landing_zones  = '<Landing_zones management group Id>'
+        corp           = '<Corp management group Id>'
+        online         = '<Online management group Id>'
+        sandboxes      = '<Sandboxes management group Id>'
+        decommissioned = '<Decommissioned management group Id>'
+    }
+
 .PARAMETER NoDefinitionInsightsDedicatedHTML
     DefinitionInsights will be written to a separate HTML file `*_DefinitionInsights.html`. If you want to keep DefinitionInsights in the main html file then use this parameter
     PS C:\>.\AzGovVizParallel.ps1 -ManagementGroupId <your-Management-Group-Id> -NoDefinitionInsightsDedicatedHTML
@@ -341,6 +362,20 @@
     Define if the 'Azure Landing Zones (ALZ) Policy Version Checker' feature should not be executed
     PS C:\>.\AzGovVizParallel.ps1 -ManagementGroupId <your-Management-Group-Id> -NoALZPolicyVersionChecker
 
+    Define if the 'Azure Landing Zones (ALZ) Policy assignments Checker' feature should be executed
+    PS C:\>.\AzGovVizParallel.ps1 -ManagementGroupId <your-Management-Group-Id> -ALZPolicyAssignmentsChecker -ALZManagementGroupsIds @{
+        root           = '<Intermediary root management group Id>'
+        platform       = '<Platform management group Id>'
+        connectivity   = '<Connectivity management group Id>'
+        identity       = '<Identity management group Id>'
+        management     = '<Management management group Id>'
+        landing_zones  = '<Landing_zones management group Id>'
+        corp           = '<Corp management group Id>'
+        online         = '<Online management group Id>'
+        sandboxes      = '<Sandboxes management group Id>'
+        decommissioned = '<Decommissioned management group Id>'
+    }
+
     Define if DefinitionInsights should not be written to a seperate html file (*_DefinitionInsights.html)
     PS C:\>.\AzGovVizParallel.ps1 -ManagementGroupId <your-Management-Group-Id> -NoDefinitionInsightsDedicatedHTML
 
@@ -371,7 +406,7 @@ Param
     $Product = 'AzGovViz',
 
     [string]
-    $ProductVersion = '6.6.3',
+    $ProductVersion = '6.7.0',
 
     [string]
     $GithubRepository = 'aka.ms/AzGovViz',
@@ -569,6 +604,23 @@ Param
     [switch]
     $NoALZPolicyVersionChecker,
 
+    [switch]
+    $ALZPolicyAssignmentsChecker,
+
+    [hashtable]
+    $ALZManagementGroupsIds <#= @{
+        root           = '<Intermediary root management group Id>'
+        platform       = '<Platform management group Id>'
+        connectivity   = '<Connectivity management group Id>'
+        identity       = '<Identity management group Id>'
+        management     = '<Management management group Id>'
+        landing_zones  = '<Landing_zones management group Id>'
+        corp           = '<Corp management group Id>'
+        online         = '<Online management group Id>'
+        sandboxes      = '<Sandboxes management group Id>'
+        decommissioned = '<Decommissioned management group Id>'
+    }#>,
+
     [switch]
     $NoDefinitionInsightsDedicatedHTML,
 
@@ -694,6 +746,7 @@ if ($ManagementGroupId -match ' ') {
 . ".\$($ScriptPath)\functions\processNetwork.ps1"
 . ".\$($ScriptPath)\functions\processStorageAccountAnalysis.ps1"
 . ".\$($ScriptPath)\functions\processALZPolicyVersionChecker.ps1"
+. ".\$($ScriptPath)\functions\processALZPolicyAssignmentsChecker.ps1"
 . ".\$($ScriptPath)\functions\getPIMEligible.ps1"
 . ".\$($ScriptPath)\functions\testGuid.ps1"
 . ".\$($ScriptPath)\functions\apiCallTracking.ps1"
@@ -1073,6 +1126,7 @@ if (-not $HierarchyMapOnly) {
     $htHashesBuiltInPolicy = [System.Collections.Hashtable]::Synchronized(@{})
     $arrayCustomBuiltInPolicyParity = [System.Collections.ArrayList]@()
     $arrayRemediatable = [System.Collections.ArrayList]@()
+    $ALZPolicyAssignmentsDifferences = @{}
 }
 
 if (-not $HierarchyMapOnly) {
@@ -1273,6 +1327,35 @@ if (-not $HierarchyMapOnly) {
         showMemoryUsage
     }
 }
+
+if (-not $HierarchyMapOnly) {
+    if ($ALZPolicyAssignmentsChecker -and $ALZManagementGroupsIds.Count -gt 0) {
+        switch ($azAPICallConf['checkContext'].Environment.Name) {
+            'Azurecloud' {
+                Write-Host "'Azure Landing Zones (ALZ) Policy Assignments Checker' feature supported for Cloud environment '$($azAPICallConf['checkContext'].Environment.Name)'"
+                processALZPolicyAssignmentsChecker
+            }
+            'AzureChinaCloud' {
+                Write-Host "'Azure Landing Zones (ALZ) Policy Assignments Checker' feature supported for Cloud environment '$($azAPICallConf['checkContext'].Environment.Name)'"
+                processALZPolicyAssignmentsChecker
+            }
+            'AzureUSGovernment' {
+                Write-Host "'Azure Landing Zones (ALZ) Policy Assignments Checker' feature supported for Cloud environment '$($azAPICallConf['checkContext'].Environment.Name)'"
+                processALZPolicyAssignmentsChecker
+            }
+            Default {
+                Write-Host "'Azure Landing Zones (ALZ) Policy Assignments Checker' feature NOT supported for Cloud environment '$($azAPICallConf['checkContext'].Environment.Name)'"
+                Write-Host "Setting parameter -ALZPolicyAssignmentsChecker to 'false'"
+                $ALZPolicyAssignmentsChecker = $false
+            }
+        }
+    }
+    else {
+        #Write-Host "Skipping 'Azure Landing Zones (ALZ) Policy Assignments Checker' (parameter -ALZPolicyAssignmentsChecker = $ALZPolicyAssignmentsChecker)"
+    }
+}
+
+
 #endregion runDataCollection
 
 #region createoutputs

pwsh/dev/functions/addHtParameters.ps1

@@ -36,13 +36,15 @@
         DoPSRule                                     = [bool]$DoPSRule
         PSRuleFailedOnly                             = [bool]$PSRuleFailedOnly
         NoALZPolicyVersionChecker                    = [bool]$NoALZPolicyVersionChecker
+        ALZPolicyAssignmentsChecker                  = [bool]$ALZPolicyAssignmentsChecker
+        ALZManagementGroupsIds                       = $ALZManagementGroupsIds
         NoStorageAccountAccessAnalysis               = [bool]$NoStorageAccountAccessAnalysis
         GitHubActionsOIDC                            = [bool]$GitHubActionsOIDC
         NoNetwork                                    = [bool]$NoNetwork
         ThrottleLimit                                = $ThrottleLimit
         APIMappingCloudEnvironment                   = $APIMappingCloudEnvironment
     }
     Write-Host 'htParameters:'
-    $azAPICallConf['htParameters'] | Format-Table -AutoSize | Out-String
+    $azAPICallConf['htParameters'] | ConvertTo-Json -Depth 99 | Out-String
     Write-Host 'Add Azure Governance Visualizer htParameters succeeded' -ForegroundColor Green
 }