Details of the Microsoft Cloud for Sovereignty Baseline Global Policies Regulatory Compliance built-in initiative

The following article details how the Azure Policy Regulatory Compliance built-in initiative definition maps to compliance domains and controls in Microsoft Cloud for Sovereignty Baseline Global Policies. For more information about this compliance standard, see Microsoft Cloud for Sovereignty Baseline Global Policies. To understand Ownership, review the policy type and Shared responsibility in the cloud.

The following mappings are to the Microsoft Cloud for Sovereignty Baseline Global Policies controls. Many of the controls are implemented with an Azure Policy initiative definition. To review the complete initiative definition, open Policy in the Azure portal and select the Definitions page. Then, find and select the [Preview]: Sovereignty Baseline - Global Policies Regulatory Compliance built-in initiative definition.

Important

Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policy definitions themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time. To view the change history, see the GitHub Commit History.

SO.1 - Data Residency

Azure products must be deployed to and configured to use approved regions.

ID: MCfS Sovereignty Baseline Policy SO.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Allowed locations This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that use the 'global' region. deny 1.0.0
Allowed locations for resource groups This policy enables you to restrict the locations your organization can create resource groups in. Use to enforce your geo-compliance requirements. deny 1.0.0
Azure Cosmos DB allowed locations This policy enables you to restrict the locations your organization can specify when deploying Azure Cosmos DB resources. Use to enforce your geo-compliance requirements. [parameters('policyEffect')] 1.1.0

SO.5 - Trusted Launch

VMs should be configured with Trusted Launch SKUs and Trusted Launch enabled when possible.

ID: MCfS Sovereignty Baseline Policy SO.5 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Disks and OS image should support TrustedLaunch TrustedLaunch improves security of a Virtual Machine which requires OS Disk & OS Image to support it (Gen 2). To learn more about TrustedLaunch, visit https://aka.ms/trustedlaunch Audit, Disabled 1.0.0
Virtual Machine should have TrustedLaunch enabled Enable TrustedLaunch on Virtual Machine for enhanced security, use VM SKU (Gen 2) that supports TrustedLaunch. To learn more about TrustedLaunch, visit https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch Audit, Disabled 1.0.0

Next steps

Additional articles about Azure Policy: