feat: Remove automation account from ALZ & Add support for new Azure Regions (#1929)

Co-authored-by: Copilot <[email protected]>
jtracey93 and Copilot authored Feb 20, 2025
1 parent 4116df1 commit acab16f
Showing 18 changed files with 41 additions and 309 deletions.
2 changes: 1 addition & 1 deletion docs/reference/adventureworks/README.md
Expand Up @@ -54,7 +54,7 @@ By default, all recommendations are enabled and you must explicitly disable them
- A scalable Management Group hierarchy aligned to core platform capabilities, allowing you to operationalize at scale using centrally managed Azure RBAC and Azure Policy where platform and workloads have clear separation.
- Azure Policies that will enable autonomy for the platform and the landing zones.
- An Azure subscription dedicated for **management**, which enables core platform capabilities at scale using Azure Policy such as:
- A Log Analytics workspace and an Automation account
- A Log Analytics workspace
- Azure Security Center monitoring
- Azure Security Center (Standard or Free tier)
- Azure Sentinel
2 changes: 0 additions & 2 deletions docs/reference/azpol.md
Expand Up @@ -169,8 +169,6 @@ If not carefully planned, log information coming from multiple sources is Azure

Azure Log Analytics enables enterprises to store and manage logs from multiple sources efficiently. Querying the data stored in Azure Log Analytics for trend or pattern analysis is very easy with Azure Log Analytics. Alerts or interactive reports can be created using Azure Log Analytics queries.

There exists an ESLZ custom policy which creates Azure Log Analytics Workspace that acts as a repository to store log data. An Azure Automation Account is also created and linked with Log Analytics Workspace for automating tasks or deploying Azure Monitor Solutions which may have dependency on Log Analytics Workspace. It also helps in configuring properties such as log retention period, azure region, etc.

## Provision logging for Azure-Arc enabled servers

With IT estates spanning multiple clouds, on-premise sites and edge locations, many enterprises may be struggling to manage and govern servers which are scattered across environments and geographic locations. Using multitude of products to monitor servers can be a jarring experience. Putting servers in multiple environments under a single unified access and identity management solution can be challenging to set up and manage.
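Review bot: Deleting this whole paragraph leaves the Log Analytics section with no statement of how the workspace is provisioned or where retention period and region are configured, although only the Automation Account half of it is obsolete. The Whats-new.md entry in this same commit says the `Deploy-Log-Analytics` assignment is no longer made, so rather than going silent, replace the paragraph with one sentence saying where the workspace now comes from (the portal accelerator deployment, if that is the case) and where retention and region are set.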
2 changes: 1 addition & 1 deletion docs/reference/contoso/Readme.md
Expand Up @@ -49,7 +49,7 @@ The rest of the options across the different blades will depend on your environm
- A scalable Management Group hierarchy aligned to core platform capabilities, allowing you to operationalize at scale using centrally managed Azure RBAC and Azure Policy where platform and workloads have clear separation.
- Azure Policies that will enable autonomy for the platform and the landing zones.
- An Azure subscription dedicated for **management**, which enables core platform capabilities at scale using Azure Policy such as:
- A Log Analytics workspace and an Automation account
- A Log Analytics workspace
- Azure Security Center monitoring
- Azure Security Center (Standard or Free tier)
- Azure Sentinel
2 changes: 1 addition & 1 deletion docs/reference/treyresearch/README.md
Expand Up @@ -48,7 +48,7 @@ By default, all recommendations are enabled. You must explicitly disable them if

- A scalable Management Group hierarchy aligned to core platform capabilities, allowing you to operationalize at scale using centrally managed Azure RBAC and Azure Policy where platform and workloads have clear separation.
- An Azure subscription dedicated for management, connectivity, and identity. This subscription hosts core platform capabilities such as:
- A Log Analytics workspace and an Automation account.
- A Log Analytics workspace
- Azure Sentinel.
- A hub virtual network
- VPN Gateway (optional - deployment across Availability Zones)
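Review bot: Punctuation is now inconsistent within this list: the added `- A Log Analytics workspace` drops the trailing period that the removed line and the sibling `- Azure Sentinel.` carry, while `- A hub virtual network` has none. The four sibling READMEs changed in this commit use no periods, so either drop the one on `Azure Sentinel.` here or keep it on the new line.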
2 changes: 1 addition & 1 deletion docs/reference/wingtip/README.md
Expand Up @@ -57,7 +57,7 @@ By default, all recommendations are enabled, and you must explicitly disable the
- A scalable Management Group hierarchy aligned to core platform capabilities, allowing you to operationalize at scale using centrally managed Azure RBAC and Azure Policy where platform and workloads have clear separation.
- Azure Policies that will enable autonomy for the platform and the landing zones.
- An Azure subscription dedicated for Management, which enables core platform capabilities at scale using Azure Policy such as:
- A Log Analytics workspace and an Automation account
- A Log Analytics workspace
- Azure Security Center monitoring
- Azure Security Center (Standard or Free tier)
- Azure Sentinel
4 changes: 2 additions & 2 deletions docs/wiki/ALZ-Deprecated-Services.md
Expand Up @@ -57,5 +57,5 @@ Policies being deprecated:

- Removed `ActivityLog` Solution as an option to be deployed into the Log Analytics Workspace, as this has been superseded by the Activity Log Insights Workbook, as documented [here.](https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log-insights)
- Removed `Service Map` solution as an option to be deployed, as this has been superseded by VM Insights, as documented [here.](https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log-insights) Guidance on migrating and removing the Service Map solution can be found [here.](https://learn.microsoft.com/en-us/azure/azure-monitor/vm/vminsights-migrate-from-service-map)

- Due to Microsoft Monitor Agent (MMA) planned for deprecation (August 2024) we have started to remove MMA from our reference implementations starting with the ALZ Portal (https://aka.ms/alz/portal) and following this will start to remove MMA from Bicep and Terraform before the planned deprecation date. Please see [MMA Deprecation Guidance](/docs/wiki/ALZ-AMA-Update.md) for more details.
- Due to Microsoft Monitor Agent (MMA) planned for deprecation (August 2024) we have started to remove MMA from our reference implementations starting with the ALZ Portal (https://aka.ms/alz/portal) and following this will start to remove MMA from Bicep and Terraform before the planned deprecation date. Please see [MMA Deprecation Guidance](/docs/wiki/ALZ-AMA-Update.md) for more details.
- Removed `Automation Accounts` by default going forward in ALZ (February 2025). This is because since the Azure Monitor Agent (AMA) changes the requirement of the Automation Account is no longer needed for things like change tracking and update management. If you require an Automation Account for other purposes, you can deploy one using the Azure Portal or any other supported method, Bicep, Terraform etc. in the Management Subscription if required. You do not need to remove the automation account if you already have one today deployed, although you may choose to remove it if not in use.
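Review bot: The added bullet's second sentence does not parse: `This is because since the Azure Monitor Agent (AMA) changes the requirement of the Automation Account is no longer needed for things like change tracking and update management.` Suggest: `With the move to the Azure Monitor Agent (AMA), an Automation Account is no longer required for change tracking and update management.` The same text is pasted verbatim into Whats-new.md in this commit, so fix both copies or have one link to the other. The removed/added pair immediately above it reads identically, so it is presumably a whitespace-only change; confirm that is intended. For readers who keep an existing account, consider pointing to the Automation Account entry on the Known Issues page, which this commit also annotates.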
2 changes: 2 additions & 0 deletions docs/wiki/ALZ-Known-Issues.md
Expand Up @@ -8,6 +8,8 @@ Some of these issues may be resolved in future release, while others require inp

## Deploying Automation Account with CMK controls enabled

> Note that automation accounts have been removed in ALZ as of February 2025.
### Area

Automation Account
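Review bot: A blank line is missing between the added blockquote and `### Area`; this file keeps blank lines around headings (see the `## Deploying Automation Account with CMK controls enabled` heading above), and markdown linters flag the missing one. The wording `have been removed in ALZ` also overstates what ALZ-Deprecated-Services.md says in this same commit, which is that accounts are no longer deployed by default and existing ones may stay; since this known issue still applies to anyone who keeps one, suggest: `> Note: ALZ no longer deploys an Automation Account by default as of February 2025. This issue still applies if you deployed one previously.`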
3 changes: 1 addition & 2 deletions docs/wiki/ALZ-Policies.md
Expand Up @@ -173,14 +173,13 @@ This management group contains a dedicated subscription for management, monitori
| **Policy Type** | **Count** |
| :--- | :---: |
| `Policy Definition Sets` | **1** |
| `Policy Definitions` | **1** |
| `Policy Definitions` | **0** |
</td></tr> </table>

The table below provides the specific **Custom** and **Built-in** **policy definitions** and **policy definitions sets** assigned at the **Management Management Group**.

| Assignment Name | Definition Name | Policy Type | Description | Effect(s) |
| ------------------------ | ---------------------------------------------------------------------------------------------- | --------------------------------- | ------------------------------------------------------------------------------------------------------------------------- | ----------------- |
| **Deploy-Log-Analytics** | **Configure Log Analytics workspace and automation account to centralize logs and monitoring** | `Policy Definition`, **Built-in** | Deploy resource group containing Log Analytics workspace and linked automation account to centralize logs and monitoring. | DeployIfNotExists |
| **Deploy Azure Monitor Baseline Alerts for Management** | **Deploy Azure Monitor Baseline Alerts for Management** | `Policy Definition Set`, **Custom** | Deploys alerting for management related resources. For more detail on policies included please refer to https://aka.ms/amba/alz/wiki under Policy Initiatives/Management initiative. | DeployIfNotExists |


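Review bot: With the `Deploy-Log-Analytics` row removed, the introductory sentence still announces **Custom** and **Built-in** policy definitions and policy definition sets, but the table now holds a single Custom policy definition set and the count table above records `Policy Definitions` as 0; reword the sentence so it no longer promises Built-in entries that are not listed.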
3 changes: 1 addition & 2 deletions docs/wiki/Deploying-ALZ-BasicSetup.md
Expand Up @@ -74,8 +74,7 @@ On the *Platform management, security, and governance* blade, you will:

![mgmtTab-intro](./media/clip_image014-singlesubscription.jpg)

- Enable **Deploy Log Analytics workspace and enable monitoring for your platform and resources** to get a central [Log Analytics Workspace](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-platform-logs#log-analytics-and-workspaces) and an [Automation Account deployed](https://learn.microsoft.com/en-us/azure/automation/automation-intro) deployed, and a set of [Azure Policies](https://github.com/Azure/Enterprise-Scale/blob/main/docs/ESLZ-Policies.md) applied at the root of the Azure landing zone Management Group hierarchy to make sure Activity Logs from all your Subscriptions, and Diagnostic Logs from all your VMs and PaaS resources are sent to Log Analytics.

- Enable **Deploy Log Analytics workspace and enable monitoring for your platform and resources** to get a central [Log Analytics Workspace](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-platform-logs#log-analytics-and-workspaces) and a set of [Azure Policies](https://github.com/Azure/Enterprise-Scale/blob/main/docs/ESLZ-Policies.md) applied at the root of the Azure landing zone Management Group hierarchy to make sure Activity Logs from all your Subscriptions, and Diagnostic Logs from all your VMs and PaaS resources are sent to Log Analytics.

- If required you can customize the retention time of your monitoring data from it's default of 30 days by using the **Log Analytics Data Retention (days)** slider.
**Please note:** Increasing the retention time to more than 30 days will increase your costs.
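Review bot: On the unchanged line two below the edit, `from it's default of 30 days` should read `from its default of 30 days`; since this bullet is being rewritten anyway, fix the neighbouring typo in the same change. The rewritten bullet correctly drops the doubled `deployed ... deployed` of the removed line.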
2 changes: 1 addition & 1 deletion docs/wiki/How-Enterprise-Scale-Works.md
Expand Up @@ -87,7 +87,7 @@ By default, all recommended settings and resources recommendations are enabled a
- Azure Policies that will enable autonomy for the platform and the landing zones. The full list of policies leveraged by Enterprise-Scale, their intent, assignment scope, and life-cycle can be viewed [here](./ALZ-Policies).
- An Azure subscription dedicated for **Management**, which enables core platform capabilities at scale using Azure Policy such as:

- A Log Analytics workspace and an Automation account
- A Log Analytics workspace
- Azure Security Center monitoring
- Azure Security Center (Standard or Free tier)

3 changes: 3 additions & 0 deletions docs/wiki/Whats-new.md
Expand Up @@ -58,6 +58,9 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
#### Tooling

- Updated the ***Baseline alerts and monitoring*** integration section in the portal accelerator to deploy the latest release of AMBA (2025-02-05). To read more on the changes, see the [What's new](https://aka.ms/amba/alz/whatsnew) page in the AMBA documentation.
- We are removing the deployment of Automation Accounts by default going forward in ALZ (February 2025). This is because since the Azure Monitor Agent (AMA) changes the requirement of the Automation Account is no longer needed for things like change tracking and update management. If you require an Automation Account for other purposes, you can deploy one using the Azure Portal or any other supported method, Bicep, Terraform etc. in the Management Subscription if required. You do not need to remove the automation account if you already have one today deployed, although you may choose to remove it if not in use.
- With this we will also stop assigning the policy with the assignment name of: `Deploy-Log-Analytics` at the Platform > Management Management Group scope which utilizes the built-in policy with the ID of: [`8e3e61b3-0b32-22d5-4edf-55f87fdb5955`](https://www.azadvertizer.net/azpolicyadvertizer/8e3e61b3-0b32-22d5-4edf-55f87fdb5955.html). Please remove/delete this assignment if you wish to as you have no need to monitor and enforce the deployment of the Log Analytics Workspace and Automation Account via policy.
- Added support for new Azure Regions that have been recently launched into the ALZ Portal Accelerator

#### Breaking Changes

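Review bot: The second added bullet repeats the ungrammatical sentence from ALZ-Deprecated-Services.md (`This is because since the Azure Monitor Agent (AMA) changes the requirement of the Automation Account is no longer needed ...`); reword it in both files, for example `With the move to the Azure Monitor Agent (AMA), an Automation Account is no longer required for change tracking and update management.` The `Deploy-Log-Analytics` bullet says `Please remove/delete this assignment if you wish to as you have no need to monitor and enforce ...` but does not tell the reader what happens to the workspace the assignment deployed; say explicitly that deleting the assignment only stops policy-driven deployment and remediation and leaves the existing workspace and its data in place, so readers neither hesitate to delete it nor expect resources to disappear. The `Added support for new Azure Regions` bullet names no regions and has no full stop; list the regions (the commit title promises them, but nothing in these docs says which) and close the sentence.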
Binary file modified docs/wiki/media/ALZ Policy Assignments v2.xlsx
Binary file not shown.