Microsoft Cloud for Sovereignty – GitHub Repo Update 0.3.2

calendarNov 13, 2023 · 5 min read · Sovereignty Protection & Management Security  ·
Share on: linkedincopy

There is a new repo update 0.3.2 which can be found at this Link!
The most important updates are described below.

Architecture updates

  • The SLZ Preview deploys under the tenant root group in Azure, so it can support brownfield deployments, greenfield deployments, and multiple SLZ Preview deployments within the same tenant based on customer need. The SLZ Preview can also be deployed to an arbitrary child management group, which is better suited for conducting a proof-of-concept.


Compliancy Dashboard functonalities

  1. Overall resources compliance score which indicates the number of resources in the SLZ Preview top-level management group are compliant with all policies applied within the SLZ Preview. This calculation is also inclusive of the policies and initiatives assigned by the customer;
  2. Overall data residency compliance score which indicates the number of resources in the SLZ Preview top-level management group that are compliant with data residency policies applied within the SLZ Preview;
  3. Overall confidential compliance score which indicates the number of resources in the SLZ Preview top-level management group are compliant with encryption policies meant to keep data confidential and encrypted from Microsoft as the cloud operator. Note that resources of a valid SKU do not contribute to the total resource count by design: Update in Policy Compliance for Resource Type Policies;
  4. Resource compliance by state | Number of resources that are in each compliance state as evaluated by Azure Policy;
  5. Resource compliance percentage by subscription which Resource compliance percentage for each subscription that has applicable resources under it. This count also includes compliance reports for resource group and subscription compliance.
  6. Resource compliance percentage by policy initiative which Resource compliance percentage for each policy initiative that has applicable resources under it. Supports custom initiatives if the policy initiative is being applied to applicable resources. This count also includes compliance reports for resource group and subscription compliance;
  7. Resource compliance percentage by policy group which Resource compliance percentage for each policy group (prefixed with dashboard-) that has applicable resources enumerated as a policy group in the SLZ Preview bicep. The calculations on this tile cannot be directly verified via the Azure Policy section of Azure portal;
  8. Non-Compliant and exempt resources | Non-compliant and exempt resources as well as relevant information to act against those resources. Resources within the Confidential Corp and Confidential Online Management Groups are expected to be exempt from the Allowed locations policy within the SlzGlobalPolicies initiative as the Allowed locations policy within the SlzConfidentialPolicies initiative supersedes this;
  9. Non-compliant resources by location which Resources that are in regions outside of the custom defined safe regions list. The tile will only show resources that are in locations which are not allowed by the data residency policy. Currently, we have 1 data resident policy (Allowed locations). To view the data please verify there are resources present beyond the safe regions supported by the data resident policy;
  10. Resource exempt from data residency policies | Resources that have been made exempt to data residence policies with actionable information. Resources within the Confidential Corp and Confidential Online Management Groups are expected to be exempt from the Allowed locations policy within the SlzGlobalPolicies initiative as the Allowed locations policy within the SlzConfidentialPolicies initiative supersedes this;
  11. Resources outside of approved regions | All non-compliant resources and their location with enough detail to act. The tile will show resources that are in locations which are exempted under the data residency policy. Currently, we have 1 data resident policy (Allowed locations). To view the data please verify there are resources present beyond the safe regions supported by the data resident policy and there’s an exemption created for those resources. Resources within the Confidential Corp and Confidential Online Management Groups are expected to be exempt from the Allowed locations policy within the SlzGlobalPolicies initiative as the Allowed locations policy within the SlzConfidentialPolicies initiative supersedes this;
  12. Resource compliance score for encryption at rest policies | Percentage of resources that are compliant with the encryption at rest policy group. The calculations on this tile cannot be verified via the Azure Policy section of Azure portal;
  13. Resource compliance score for encryption in transit policies | Percentage of resources that are compliant with the data transit encryption policy group. The calculations on this tile cannot be verified via the Azure Policy section of Azure portal;
  14. Resource compliance score for confidential computing policies | Percentage of resources that are compliant with the confidential computing policy group. The calculations on this tile cannot be verified via the Azure Policy section of Azure portal;
  15. Resource exempt from confidential computing policies | Shows the resources that have been made exempt from confidential policies with enough detail to act. The calculations on this tile cannot be verified via the Azure Policy section of Azure portal. Resources within the Confidential Corp and Confidential Online Management Groups are NOT expected to be exempt from the Allowed locations listed here as this tile shows the exemptions of the SlzConfidentialPolicies initiative.

    Click here to learn more.




Custom policies
The SLZ Preview allows for custom policy initiatives to be deployed within the standard management group scopes for each deployment through the following:

  • Navigate to the custom policy definitions located in /custom/policies/definitions in your version of the GitHub repository.
  • Each definition corresponds to one of the default management group scopes deployed as part of the SLZ Preview management group hierarchy:
    • slzConfidentialCustom.json -> Confidential Corp and Confidential Online Management Groups
    • slzConnectivityCustom.json -> Connectivity Management Group
    • slzCorpCustom.json -> Corp and Confidential Corp Management Groups
    • slzSandboxCustom.json -> Sandbox Management Group
  • Select the file for management group scope that you want custom policies to apply to and if you want to apply custom policies to all application workloads then select slzLandingZoneCustom.json
  • If custom policies have not been added yet, then the custom policy file will look like the screenshot below. Do NOT edit the policyType, id, type, or name fields. You will update the parameters, policyDefinitions, and policyDefinitionGroups as described by the initiative definition structure.
  • Grouping policies together on the SLZ Preview dashboard is accomplished by adding dashboard- to the beginning of the policy definition group name, but any name can be used. The documentation for the policy set definition group structure.


Minor Changes and corrections adding and removing regions in the following files

  • modules/compliance/policySetDefinitions/slzConfidentialDefaults.json > more countries are added;
  • modules/compliance/policySetDefinitions/slzConfidentialDefaults.json;
  • orchestration/dashboard/dashboard.bicep;
  • orchestration/policyInstallation/policyInstallation.bicep;
  • orchestration/scripts/parameters/sovereignLandingZone.parameters.json;
  • orchestration/sovereignPlatform/sovereignPlatform.bicep.

Furthermore some slight minor changes in documents and images which can be found via the following links Docs and Images.