Azure landing zone governance guide: Migrate Azure landing zone policies to Azure built-in policies
Over time, Azure landing zone custom policies and policy initiatives might be deprecated or superseded by Azure built-in policies. If so, they should be removed or migrated. This article describes how to migrate Azure landing zone custom policies and policy initiatives to Azure built-in policies.
The guidance in this article describes the manual, high-level steps to migrate your policies. It also points to guidance for implementations managed through the Azure Verified Modules for Platform Landing Zones Terraform or Bicep offerings.
The following infographic shows the update process flow.
Manual update steps for Azure landing zone environments
This section describes the generic, high-level steps to migrate Azure landing zone custom policies and initiatives to Azure built-in policies.
Detect updates for Azure landing zone policies
You can detect that one or more Azure landing zone policies are superseded by built-in Azure policies with the following options:
You can migrate Azure landing zone environments with the following steps:
Determine if the Azure landing zone policies in scope for migration are currently assigned at any scope in your Azure estate. If you're using the Azure Governance Visualizer, you can determine policy scope by checking the TenantSummary.
Check if the Azure landing zone policies being migrated are part of a landing zone custom policy initiative that should be updated.
See if Azure landing zone custom policy initiatives in scope for migration are currently assigned at any scope in your Azure estate.
Depending on the results of your investigation, take the following actions.
Policies not assigned and not part of Azure landing zone custom policy initiative
If the policy being migrated isn't assigned in your Azure estate, and isn't part of an existing Azure landing zone custom policy initiative, you:
Delete the Azure landing zone policy definition from the Azure landing zone intermediate root management group (for example, Contoso).
If an Azure landing zone custom policy initiative is fully superseded by a built-in policy initiative and isn't assigned in your Azure estate, you:
Delete the Azure landing zone custom policy initiative from the Azure landing zone intermediate root management group (for example, Contoso).
Policies assigned and not part of Azure landing zone custom policy initiative
If the policy to be migrated is assigned to any scope in your Azure estate, and isn't part of an existing Azure landing zone custom policy initiative, do these steps:
Create new policy assignments at the same scopes using the Azure built-in policies, with settings that match the assignment of the previous Azure landing zone custom policy definition.
Delete existing Azure landing zone policy assignment at all scopes, where assigned.
Delete the Azure landing zone policy definition from the Azure landing zone intermediate root management group (for example, Contoso).
Policies assigned through Azure landing zone custom policy initiative
If the policy to be migrated is part of an Azure landing zone custom policy initiative and is assigned through it at any scope in your Azure estate, follow these steps:
Update the Azure landing zone custom policy initiative definition with the appropriate policy references. You can find the updated initiatives here with a generic contoso scope for custom policies.
When you update the policy references, remember to change the contoso scope for policy definition IDs to your management group hierarchy pseudo root name. Also, update the metadata information on the Azure landing zone custom policy initiative.
If an Azure landing zone custom policy initiative is fully superseded by a built-in policy initiative, and assigned at any scope in your Azure estate, follow these steps:
Create new policy initiative assignments at the same scopes. Use the Azure built-in policy initiative with matching settings per the assignment of the previous Azure landing zone custom policy initiative.
Delete existing Azure landing zone policy initiative assignment at all scopes, where assigned.
Delete the Azure landing zone custom policy initiative from the Azure landing zone intermediate root management group (for example, Contoso).
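The investigation steps above (direct assignments, initiative membership, initiative assignments) and the three resulting action paths can be scripted against an exported inventory. The following Python is an added example, not code from this article or from the Azure landing zone project. It works on records shaped like the JSON that `az policy assignment list --disable-scope-strict-match` (fields name, scope, policyDefinitionId) and `az policy set-definition list` (fields id, name, policyDefinitions[].policyDefinitionId) return; the sample records, the policy names, the contoso and es-root management group names, and the built-in definition ID are constructed placeholders. It also shows the contoso scope rewrite for policy definition IDs that the initiative update step calls for.

```python
import re

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"
ROOT_MG = "contoso"  # assumed intermediate root management group name (placeholder)


def alz_definition_id(name, root_mg=ROOT_MG):
    """ID of a custom policy definition deployed at the intermediate root."""
    return f"{MG_PREFIX}{root_mg}/providers/Microsoft.Authorization/policyDefinitions/{name}"


def alz_initiative_id(name, root_mg=ROOT_MG):
    """ID of a custom policy initiative (set definition) deployed at the intermediate root."""
    return f"{MG_PREFIX}{root_mg}/providers/Microsoft.Authorization/policySetDefinitions/{name}"


# Constructed sample inventory. Deny-Example-A is assigned directly at a child
# management group; Deny-Example-C is only referenced through an initiative that
# is assigned at the root; Audit-Example-B is deployed but never referenced.
ASSIGNMENTS = [
    {"name": "Deny-Example-A", "scope": f"{MG_PREFIX}{ROOT_MG}-landingzones",
     "policyDefinitionId": alz_definition_id("Deny-Example-A")},
    {"name": "Enforce-Example-Set", "scope": f"{MG_PREFIX}{ROOT_MG}",
     "policyDefinitionId": alz_initiative_id("Enforce-Example-Set")},
]
SET_DEFINITIONS = [
    {"id": alz_initiative_id("Enforce-Example-Set"), "name": "Enforce-Example-Set",
     "policyDefinitions": [{"policyDefinitionId": alz_definition_id("Deny-Example-C")}]},
]


def _same_id(a, b):
    # Azure resource IDs are case-insensitive; comparing them verbatim misses matches.
    return a.lower() == b.lower()


def investigate(definition_name, assignments=ASSIGNMENTS, set_definitions=SET_DEFINITIONS):
    """Steps 1-3: scopes where the definition is assigned directly, and for each
    custom initiative that includes it, the scopes where that initiative is assigned."""
    target = alz_definition_id(definition_name)
    direct_scopes = [a["scope"] for a in assignments if _same_id(a["policyDefinitionId"], target)]
    initiatives = [s for s in set_definitions
                   if any(_same_id(p["policyDefinitionId"], target) for p in s["policyDefinitions"])]
    initiative_scopes = {
        s["name"]: [a["scope"] for a in assignments if _same_id(a["policyDefinitionId"], s["id"])]
        for s in initiatives
    }
    return direct_scopes, initiative_scopes


def plan_migration(definition_name, builtin_definition_id, **inventory):
    """Ordered actions for one custom definition, following the three cases."""
    direct_scopes, initiative_scopes = investigate(definition_name, **inventory)
    steps = []
    for name in initiative_scopes:
        # Initiative case: repoint the initiative's reference first, so assignments made
        # through it keep enforcing and the custom definition is no longer referenced.
        steps.append(f"update initiative {name}: reference {builtin_definition_id}")
    for scope in direct_scopes:
        # Direct-assignment case: create the built-in assignment before removing the
        # custom one, so the control never lapses at that scope.
        steps.append(f"assign {builtin_definition_id} at {scope}")
        steps.append(f"delete assignment of {definition_name} at {scope}")
    # All cases end with removing the now-unreferenced definition from the root.
    steps.append(f"delete definition {alz_definition_id(definition_name)}")
    return steps


def retarget_policy_reference(policy_definition_id, new_root_mg, old_root_mg=ROOT_MG):
    """Replace the generic contoso management group in a policy definition ID with
    your own pseudo root name. Only the segment followed by '/' is rewritten, so a
    child group such as contoso-landingzones is left alone."""
    pattern = re.compile(rf"({re.escape(MG_PREFIX)}){re.escape(old_root_mg)}(/)", re.IGNORECASE)
    return pattern.sub(lambda m: f"{m.group(1)}{new_root_mg}{m.group(2)}", policy_definition_id)


if __name__ == "__main__":
    builtin = "/providers/Microsoft.Authorization/policyDefinitions/<built-in-policy-guid>"  # placeholder
    for name in ("Deny-Example-A", "Audit-Example-B", "Deny-Example-C"):
        print(name, plan_migration(name, builtin), sep="\n  ")
    print(retarget_policy_reference(alz_definition_id("Deny-Example-C"), "es-root"))
```

The plan keeps the initiative update ahead of the definition deletion and the built-in assignment ahead of the custom assignment deletion, which is the order that avoids a gap in enforcement; a real run would feed the functions the exported JSON for the whole tenant rather than the constructed records.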
Update steps for Terraform Azure Verified Modules for Platform Landing Zones module deployments
Migration steps for Azure landing zone Terraform module
The Azure landing zone Terraform module provides update guidance when you deploy breaking changes. Follow the upgrade guidance for your specific version that's at the end of this article.
Update steps for ALZ-Bicep deployments
If you're using ALZ-Bicep to manage your Azure landing zone deployment, this section references resources on how to migrate Azure landing zone custom policies and initiatives to Azure built-in policies.
Whether you use the Azure portal, Bicep, or Terraform to manage your Azure landing zone infrastructure, you need to manage policy changes over time. Use the flow in this article as a starting point to develop processes around policy management for your Azure landing zone implementation.
Azure Policy initiatives are a collection of Azure policy definitions that are grouped together toward a specific goal or purpose. By consolidating multiple Azure policies into a single item, Azure Policy initiatives allow centralized control and enforcement of configurations across Azure resources.