From 39d2699fee379faa1674e77ba57a5c0c4328a681 Mon Sep 17 00:00:00 2001 From: Zhiyan Xu Date: Tue, 16 Apr 2024 10:36:49 -0700 Subject: [PATCH 01/26] Policy Baseline Exemption Logic Needs to Live in ALZ Repo --- .../alzDefaultPolicyAssignments.bicep | 37 +++++++++++++ .../alzDefaults/policyExemptions.bicep | 55 +++++++++++++++++++ 2 files changed, 92 insertions(+) create mode 100644 infra-as-code/bicep/modules/policy/assignments/alzDefaults/policyExemptions.bicep diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep index 7246d0610..9f2ae5fa1 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep @@ -505,6 +505,13 @@ var varPrivateDnsZonesFinalResourceIds = { azureCognitiveSearchPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.search.windows.net' } +var varPolicyAssignmentScopeName = '${parTopLevelManagementGroupPrefix}${parTopLevelManagementGroupSuffix}' +var varPolicyExemptionConfidentialOnlineManagementGroup = '${parTopLevelManagementGroupPrefix}-landingzones-confidential-online${parTopLevelManagementGroupSuffix}' +var varPolicyExemptionConfidentialCorpManagementGroup = '${parTopLevelManagementGroupPrefix}-landingzones-confidential-corp${parTopLevelManagementGroupSuffix}' + +var varSlzGlobalLibDef = loadJsonContent('../lib/policy_assignments/policy_assignment_es_enforce_sovereignty_baseline_global.tmpl.json') +var varSlzGlobalAssignmentName = toLower(varSlzGlobalLibDef.name) + // **Scope** targetScope = 'managementGroup' 
@@ -1655,3 +1662,33 @@ module modPolicyAssignmentSandboxEnforceAlz '../../../policy/assignments/policyA parTelemetryOptOut: parTelemetryOptOut } } + +// The following module is used to deploy the policy exemptions +module modPolicyExemptionsConfidentialOnline 'policyExemptions.bicep' = { + scope: managementGroup(varPolicyExemptionConfidentialOnlineManagementGroup) + name: take('${parTopLevelManagementGroupPrefix}-deploy-policy-exemptions${parTopLevelManagementGroupSuffix}', 64) + params: { + parPolicyAssignmentScopeName: varPolicyAssignmentScopeName + parPolicyDefinitionReferenceIds: ['AllowedLocationsForResourceGroups', 'AllowedLocations'] + parPolicyAssignmentName: varSlzGlobalAssignmentName + parExemptionName: 'Confidential-Online-Location-Exemption' + parExemptionDisplayName: 'Confidential Online Location Exemption' + parDescription: 'Exempt the confidential online management group from the SLZ Global Policies location policies. The confidential management groups have their own location restrictions and this may result in a conflict if both sets are included.' + } + dependsOn: [modPolicyAssignmentLzsConfidentialOnlineEnforceSovereigntyConf] +} + +// The following module is used to deploy the policy exemptions +module modPolicyExemptionsConfidentialCorp 'policyExemptions.bicep' = { + scope: managementGroup(varPolicyExemptionConfidentialCorpManagementGroup) + name: take('${parTopLevelManagementGroupPrefix}-deploy-policy-exemptions${parTopLevelManagementGroupSuffix}', 64) + params: { + parPolicyAssignmentScopeName: varPolicyAssignmentScopeName + parPolicyDefinitionReferenceIds: ['AllowedLocationsForResourceGroups', 'AllowedLocations'] + parPolicyAssignmentName: varSlzGlobalAssignmentName + parExemptionName: 'Confidential-Corp-Location-Exemption' + parExemptionDisplayName: 'Confidential Corp Location Exemption' + parDescription: 'Exempt the confidential corp management group from the SLZ Global Policies location policies. 
The confidential management groups have their own location restrictions and this may result in a conflict if both sets are included.' + } + dependsOn: [modPolicyAssignmentLzsConfidentialCorpEnforceSovereigntyConf] +} diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/policyExemptions.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/policyExemptions.bicep new file mode 100644 index 000000000..59860f0c6 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/policyExemptions.bicep 
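Review bot: Both exemption modules leave `parExemptionCategory` at its `Waiver` default while their `parDescription` says the confidential management groups already carry their own location restrictions — that is the situation Azure Policy's `Mitigated` category exists for, and a waiver of the sovereignty location controls will surface in compliance reporting as accepted non-compliance rather than as a control met elsewhere. Passing `parExemptionCategory: 'Mitigated'` in both `params` blocks keeps the audit trail accurate. Separately, each module's `dependsOn` names only the confidential assignment, yet the exemption's `policyAssignmentId` is built from `varSlzGlobalAssignmentName`; nothing orders these modules after the module that creates the global sovereignty assignment, so a fresh deployment can race and fail on a not-yet-existing assignment. Add that assignment module (declared outside this hunk) to each `dependsOn` list.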
@@ -0,0 +1,55 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+/*
+ SUMMARY : Creates a Policy Exemption for a Policy Assignment in a Management Group
+ AUTHOR/S: Cloud for Sovereignty
+*/
+targetScope = 'managementGroup'
+
+@description('Policy Assignment Name')
+param parPolicyAssignmentName string
+
+@description('Policy Assignment Scope Name')
+param parPolicyAssignmentScopeName string
+
+@description('SLZ Policy Set Assignment id')
+param parPolicyAssignmentId string = '/providers/microsoft.management/managementgroups/${parPolicyAssignmentScopeName}/providers/microsoft.authorization/policyassignments/${parPolicyAssignmentName}'
+
+@allowed([
+ 'Waiver'
+ 'Mitigated'
+])
+@description('Exemption Category Default - Waiver')
+param parExemptionCategory string = 'Waiver'
+
+@description('Description')
+param parDescription string
+
+@allowed([
+ 'Default'
+ 'DoNotValidate'
+])
+@description('Assignment Scope')
+param parAssignmentScopeValidation string = 'Default'
+
+@description('Reference ids of Policies to be exempted')
+param parPolicyDefinitionReferenceIds array
+
+@description('Exemption Name')
+param parExemptionName string
+
+@description('Exemption Display Name')
+param parExemptionDisplayName string
+
+// Create Policy Exemption
+resource resPolicyExemption 'Microsoft.Authorization/policyExemptions@2022-07-01-preview' = {
+ name: parExemptionName
+ properties: {
+ assignmentScopeValidation: parAssignmentScopeValidation
+ description: parDescription
+ displayName: parExemptionDisplayName
+ exemptionCategory: parExemptionCategory
+ policyAssignmentId: parPolicyAssignmentId
+ policyDefinitionReferenceIds: parPolicyDefinitionReferenceIds
+ }
+}
From 1f75743d90d2a2ca37111ec8b3d8c03f081d55b6 Mon Sep 17 00:00:00 2001
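Review bot: `parPolicyDefinitionReferenceIds` is declared as a bare `array` with no length constraint; if a caller passes `[]`, `policyDefinitionReferenceIds` on `resPolicyExemption` is empty and, as I understand the exemption semantics, the exemption then covers every definition in the assigned policy set rather than none — a silent whole-baseline waiver. Guard it with `@minLength(1)` above the param, or at least state in its description that an empty list widens the exemption to the entire assignment. The resource also never sets `expiresOn`, so every exemption created here is permanent; an optional `@sys.description('Optional expiry (ISO 8601) for the exemption; empty means no expiry.') param parExpiresOn string = ''` wired as `expiresOn: empty(parExpiresOn) ? null : parExpiresOn` lets callers time-box waivers. The API version is a `-preview`; pin to a GA version if one is available for `policyExemptions`.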
From: Zhiyan Xu Date: Fri, 19 Apr 2024 11:01:53 -0700 Subject: [PATCH 02/26] Policy Baseline Exemption Logic Needs to Live in ALZ Repo --- .../alzDefaultPolicyAssignments.bicep | 21 ++++++------------- .../policyAssignmentManagementGroup.bicep | 2 ++ .../alzDefaults => }/policyExemptions.bicep | 8 +------ 3 files changed, 9 insertions(+), 22 deletions(-) rename infra-as-code/bicep/modules/policy/{assignments/alzDefaults => }/policyExemptions.bicep (78%) diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep index 9f2ae5fa1..5950b21cc 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep @@ -505,13 +505,6 @@ var varPrivateDnsZonesFinalResourceIds = { azureCognitiveSearchPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.search.windows.net' } -var varPolicyAssignmentScopeName = '${parTopLevelManagementGroupPrefix}${parTopLevelManagementGroupSuffix}' -var varPolicyExemptionConfidentialOnlineManagementGroup = '${parTopLevelManagementGroupPrefix}-landingzones-confidential-online${parTopLevelManagementGroupSuffix}' -var varPolicyExemptionConfidentialCorpManagementGroup = '${parTopLevelManagementGroupPrefix}-landingzones-confidential-corp${parTopLevelManagementGroupSuffix}' - -var varSlzGlobalLibDef = loadJsonContent('../lib/policy_assignments/policy_assignment_es_enforce_sovereignty_baseline_global.tmpl.json') -var varSlzGlobalAssignmentName = toLower(varSlzGlobalLibDef.name) - // **Scope** targetScope = 'managementGroup' 
@@ -1664,13 +1657,12 @@ module modPolicyAssignmentSandboxEnforceAlz '../../../policy/assignments/policyA } // The following module is used to deploy the policy exemptions -module modPolicyExemptionsConfidentialOnline 'policyExemptions.bicep' = { - scope: managementGroup(varPolicyExemptionConfidentialOnlineManagementGroup) +module modPolicyExemptionsConfidentialOnline '../../policyExemptions.bicep' = { + scope: managementGroup(varManagementGroupIds.landingZonesConfidentialCorp) name: take('${parTopLevelManagementGroupPrefix}-deploy-policy-exemptions${parTopLevelManagementGroupSuffix}', 64) params: { - parPolicyAssignmentScopeName: varPolicyAssignmentScopeName + parPolicyAssignmentId: modPolicyAssignmentIntRootEnforceSovereigntyGlobal.outputs.outPolicyAssignmentId parPolicyDefinitionReferenceIds: ['AllowedLocationsForResourceGroups', 'AllowedLocations'] - parPolicyAssignmentName: varSlzGlobalAssignmentName parExemptionName: 'Confidential-Online-Location-Exemption' parExemptionDisplayName: 'Confidential Online Location Exemption' parDescription: 'Exempt the confidential online management group from the SLZ Global Policies location policies. The confidential management groups have their own location restrictions and this may result in a conflict if both sets are included.' 
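Review bot: The `scope` on `modPolicyExemptionsConfidentialOnline` now points at `varManagementGroupIds.landingZonesConfidentialCorp`, so `Confidential-Online-Location-Exemption` is created in the corp management group (and the sibling corp module does the reverse); the module's `dependsOn`, which sits outside this hunk, then orders it after the wrong confidential assignment. It should read `scope: managementGroup(varManagementGroupIds.landingZonesConfidentialOnline)`. Also, `parPolicyAssignmentId` now reads `modPolicyAssignmentIntRootEnforceSovereigntyGlobal.outputs.outPolicyAssignmentId`; if that module is deployed conditionally (its declaration is not visible here), these exemption modules need the same `if (...)` condition, otherwise a deployment with the global sovereignty assignment disabled fails on an unresolvable module output.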
@@ -1679,13 +1671,12 @@ module modPolicyExemptionsConfidentialOnline 'policyExemptions.bicep' = { } // The following module is used to deploy the policy exemptions -module modPolicyExemptionsConfidentialCorp 'policyExemptions.bicep' = { - scope: managementGroup(varPolicyExemptionConfidentialCorpManagementGroup) +module modPolicyExemptionsConfidentialCorp '../../policyExemptions.bicep' = { + scope: managementGroup(varManagementGroupIds.landingZonesConfidentialOnline) name: take('${parTopLevelManagementGroupPrefix}-deploy-policy-exemptions${parTopLevelManagementGroupSuffix}', 64) params: { - parPolicyAssignmentScopeName: varPolicyAssignmentScopeName + parPolicyAssignmentId: modPolicyAssignmentIntRootEnforceSovereigntyGlobal.outputs.outPolicyAssignmentId parPolicyDefinitionReferenceIds: ['AllowedLocationsForResourceGroups', 'AllowedLocations'] - parPolicyAssignmentName: varSlzGlobalAssignmentName parExemptionName: 'Confidential-Corp-Location-Exemption' parExemptionDisplayName: 'Confidential Corp Location Exemption' parDescription: 'Exempt the confidential corp management group from the SLZ Global Policies location policies. The confidential management groups have their own location restrictions and this may result in a conflict if both sets are included.' diff --git a/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep b/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep index b62e8127d..b9ac25532 100644 --- a/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep +++ b/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep @@ -143,3 +143,5 @@ module modCustomerUsageAttribution '../../../CRML/customerUsageAttribution/cuaId name: 'pid-${varCuaid}-${uniqueString(deployment().location, parPolicyAssignmentName)}' params: {} } + +output outPolicyAssignmentId string = resPolicyAssignment.id 
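Review bot: `modPolicyExemptionsConfidentialCorp` is scoped to `varManagementGroupIds.landingZonesConfidentialOnline`, the mirror image of the swap in the online module above, so the corp-named exemption lands in the online management group. It should be `scope: managementGroup(varManagementGroupIds.landingZonesConfidentialCorp)`; the module's `dependsOn` on the corp confidential assignment lies outside this hunk and is only correct once the scope is.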
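Review bot: The new `output outPolicyAssignmentId string = resPolicyAssignment.id` has no description, which is why the generated documentation for this module lists it with an empty Description cell. Add `@sys.description('Resource ID of the policy assignment created by this module.')` on the line above the output so consumers wiring it into exemptions know what they are receiving.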
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/policyExemptions.bicep b/infra-as-code/bicep/modules/policy/policyExemptions.bicep similarity index 78% rename from infra-as-code/bicep/modules/policy/assignments/alzDefaults/policyExemptions.bicep rename to infra-as-code/bicep/modules/policy/policyExemptions.bicep index 59860f0c6..3b4ca3057 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/policyExemptions.bicep +++ b/infra-as-code/bicep/modules/policy/policyExemptions.bicep @@ -6,14 +6,8 @@ */ targetScope = 'managementGroup' -@description('Policy Assignment Name') -param parPolicyAssignmentName string - -@description('Policy Assignment Scope Name') -param parPolicyAssignmentScopeName string - @description('SLZ Policy Set Assignment id') -param parPolicyAssignmentId string = '/providers/microsoft.management/managementgroups/${parPolicyAssignmentScopeName}/providers/microsoft.authorization/policyassignments/${parPolicyAssignmentName}' +param parPolicyAssignmentId string @allowed([ 'Waiver' From 19de7d64147cab9a04bff03c36992a6d7f35d4f6 Mon Sep 17 00:00:00 2001 From: Zhiyan Xu Date: Fri, 19 Apr 2024 11:08:42 -0700 Subject: [PATCH 03/26] Policy Baseline Exemption Logic Needs to Live in ALZ Repo --- .../assignments/alzDefaults/alzDefaultPolicyAssignments.bicep | 4 ++-- .../modules/policy/{ => exemptions}/policyExemptions.bicep | 0 2 files changed, 2 insertions(+), 2 deletions(-) rename infra-as-code/bicep/modules/policy/{ => exemptions}/policyExemptions.bicep (100%) diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep index 5950b21cc..6f67dcebd 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep 
@@ -1657,7 +1657,7 @@ module modPolicyAssignmentSandboxEnforceAlz '../../../policy/assignments/policyA } // The following module is used to deploy the policy exemptions -module modPolicyExemptionsConfidentialOnline '../../policyExemptions.bicep' = { +module modPolicyExemptionsConfidentialOnline '../../exemptions/policyExemptions.bicep' = { scope: managementGroup(varManagementGroupIds.landingZonesConfidentialCorp) name: take('${parTopLevelManagementGroupPrefix}-deploy-policy-exemptions${parTopLevelManagementGroupSuffix}', 64) params: { @@ -1671,7 +1671,7 @@ module modPolicyExemptionsConfidentialOnline '../../policyExemptions.bicep' = { } // The following module is used to deploy the policy exemptions -module modPolicyExemptionsConfidentialCorp '../../policyExemptions.bicep' = { +module modPolicyExemptionsConfidentialCorp '../../exemptions/policyExemptions.bicep' = { scope: managementGroup(varManagementGroupIds.landingZonesConfidentialOnline) name: take('${parTopLevelManagementGroupPrefix}-deploy-policy-exemptions${parTopLevelManagementGroupSuffix}', 64) params: { diff --git a/infra-as-code/bicep/modules/policy/policyExemptions.bicep b/infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep similarity index 100% rename from infra-as-code/bicep/modules/policy/policyExemptions.bicep rename to infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep From 57649a2ff0f4e2eec6d744af677efe002e59b298 Mon Sep 17 00:00:00 2001 From: Zhiyan Xu Date: Fri, 19 Apr 2024 15:22:18 -0700 Subject: [PATCH 04/26] Add mmarkdown file. --- .../generateddocs/policyExemptions.bicep.md | 102 ++++++++++++++++++ .../policy/exemptions/policyExemptions.bicep | 9 +- 2 files changed, 105 insertions(+), 6 deletions(-) create mode 100644 infra-as-code/bicep/modules/policy/exemptions/generateddocs/policyExemptions.bicep.md 
diff --git a/infra-as-code/bicep/modules/policy/exemptions/generateddocs/policyExemptions.bicep.md b/infra-as-code/bicep/modules/policy/exemptions/generateddocs/policyExemptions.bicep.md new file mode 100644 index 000000000..f86000e72 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/exemptions/generateddocs/policyExemptions.bicep.md 
@@ -0,0 +1,102 @@ +# ALZ Bicep - Management Group Policy Exemptions + +Module used to create a policy exemption for a policy assignment in a management group + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parPolicyAssignmentId | Yes | SLZ Policy Set Assignment id +parExemptionCategory | No | Exemption Category Default - Waiver +parDescription | Yes | Description +parAssignmentScopeValidation | No | Assignment Scope +parPolicyDefinitionReferenceIds | Yes | Reference ids of Policies to be exempted +parExemptionName | Yes | Exemption Name +parExemptionDisplayName | Yes | Exemption Display Name + +### parPolicyAssignmentId + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +SLZ Policy Set Assignment id + +### parExemptionCategory + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Exemption Category Default - Waiver + +- Default value: `Waiver` + +- Allowed values: `Waiver`, `Mitigated` + +### parDescription + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +Description + +### parAssignmentScopeValidation + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Assignment Scope + +- Default value: `Default` + +- Allowed values: `Default`, `DoNotValidate` + +### parPolicyDefinitionReferenceIds + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +Reference ids of Policies to be exempted + +### parExemptionName + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +Exemption Name + +### parExemptionDisplayName + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +Exemption Display Name + +## Snippets + +### Parameter file + +```json +{ + "$schema": 
"https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/policy/exemptions/policyExemptions.json" + }, + "parameters": { + "parPolicyAssignmentId": { + "value": "" + }, + "parExemptionCategory": { + "value": "Waiver" + }, + "parDescription": { + "value": "" + }, + "parAssignmentScopeValidation": { + "value": "Default" + }, + "parPolicyDefinitionReferenceIds": { + "value": [] + }, + "parExemptionName": { + "value": "" + }, + "parExemptionDisplayName": { + "value": "" + } + } +} +``` diff --git a/infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep b/infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep index 3b4ca3057..76680334c 100644 --- a/infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep +++ b/infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep @@ -1,11 +1,8 @@ -// Copyright (c) Microsoft Corporation. -// Licensed under the MIT License. -/* - SUMMARY : Creates a Policy Exemption for a Policy Assignment in a Management Group - AUTHOR/S: Cloud for Sovereignty -*/ targetScope = 'managementGroup' +metadata name = 'ALZ Bicep - Management Group Policy Exemptions' +metadata description = 'Module used to create a policy exemption for a policy assignment in a management group' + @description('SLZ Policy Set Assignment id') param parPolicyAssignmentId string From ab3f46e3de9d3f8c47c343efdf0790c0db8658ea Mon Sep 17 00:00:00 2001 From: Zhiyan Xu Date: Tue, 30 Apr 2024 11:01:45 -0700 Subject: [PATCH 05/26] Update markdown file. --- .../generateddocs/policyAssignmentManagementGroup.bicep.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/infra-as-code/bicep/modules/policy/assignments/generateddocs/policyAssignmentManagementGroup.bicep.md b/infra-as-code/bicep/modules/policy/assignments/generateddocs/policyAssignmentManagementGroup.bicep.md index 92036d22f..99af732b2 100644 
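Review bot: This hunk drops the `// Copyright (c) Microsoft Corporation.` and `// Licensed under the MIT License.` lines together with the SUMMARY block it replaces with `metadata name`/`metadata description`. The metadata lines are the right replacement for the summary, but the license notice is a separate concern; I cannot see from here whether the other ALZ modules omit it by convention. If the repo's modules do carry the header, keep those two comment lines above `targetScope`.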
--- a/infra-as-code/bicep/modules/policy/assignments/generateddocs/policyAssignmentManagementGroup.bicep.md +++ b/infra-as-code/bicep/modules/policy/assignments/generateddocs/policyAssignmentManagementGroup.bicep.md @@ -136,6 +136,12 @@ Set Parameter to true to Opt-out of deployment telemetry - Default value: `False` +## Outputs + +Name | Type | Description +---- | ---- | ----------- +outPolicyAssignmentId | string | + ## Snippets ### Parameter file From 55613efa4f66da1a56a97150965af0b940e1e2dc Mon Sep 17 00:00:00 2001 From: Zhiyan Xu Date: Wed, 1 May 2024 14:52:55 -0700 Subject: [PATCH 06/26] Update Policy Assignment Exemptions. --- .../assignments/alzDefaults/alzDefaultPolicyAssignments.bicep | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep index 6f67dcebd..66cb22c85 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep @@ -1658,7 +1658,7 @@ module modPolicyAssignmentSandboxEnforceAlz '../../../policy/assignments/policyA // The following module is used to deploy the policy exemptions module modPolicyExemptionsConfidentialOnline '../../exemptions/policyExemptions.bicep' = { - scope: managementGroup(varManagementGroupIds.landingZonesConfidentialCorp) + scope: managementGroup(varManagementGroupIds.landingZonesConfidentialOnline) name: take('${parTopLevelManagementGroupPrefix}-deploy-policy-exemptions${parTopLevelManagementGroupSuffix}', 64) params: { parPolicyAssignmentId: modPolicyAssignmentIntRootEnforceSovereigntyGlobal.outputs.outPolicyAssignmentId 
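Review bot: Both exemption modules still deploy under the identical name `take('${parTopLevelManagementGroupPrefix}-deploy-policy-exemptions${parTopLevelManagementGroupSuffix}', 64)`; that is legal only because they target different management groups, and the scope swap this commit corrects shows how easily the two get confused. Giving each a distinct name, e.g. `-deploy-policy-exemptions-conf-online` here and `-conf-corp` in the sibling, makes deployment history and failures attributable and removes any chance of a name collision if the scopes are ever unified.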
@@ -1672,7 +1672,7 @@ module modPolicyExemptionsConfidentialOnline '../../exemptions/policyExemptions. // The following module is used to deploy the policy exemptions module modPolicyExemptionsConfidentialCorp '../../exemptions/policyExemptions.bicep' = { - scope: managementGroup(varManagementGroupIds.landingZonesConfidentialOnline) + scope: managementGroup(varManagementGroupIds.landingZonesConfidentialCorp) name: take('${parTopLevelManagementGroupPrefix}-deploy-policy-exemptions${parTopLevelManagementGroupSuffix}', 64) params: { parPolicyAssignmentId: modPolicyAssignmentIntRootEnforceSovereigntyGlobal.outputs.outPolicyAssignmentId From e0de718b807f6536046e508f4fa7840b0e8f3499 Mon Sep 17 00:00:00 2001 From: Zhiyan Xu Date: Mon, 6 May 2024 16:36:41 -0700 Subject: [PATCH 07/26] Add a flag to disable or enable firewall policies deployment. --- .../bicep/modules/hubNetworking/hubNetworking.bicep | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep index 4b3590fe4..925a293cd 100644 --- a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep +++ b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep @@ -160,6 +160,9 @@ param parAzFirewallEnabled bool = true @sys.description('Azure Firewall Name.') param parAzFirewallName string = '${parCompanyPrefix}-azfw-${parLocation}' +@sys.description('Switch to enable/disable Azure Firewall Policies deployment.') +param parAzFirewallPoliciesEnabled bool = true + @sys.description('Azure Firewall Policies Name.') param parAzFirewallPoliciesName string = '${parCompanyPrefix}-azfwpolicy-${parLocation}' 
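Review bot: The description `Switch to enable/disable Azure Firewall Policies deployment.` on `parAzFirewallPoliciesEnabled` does not say what a firewall deployed with `parAzFirewallEnabled` true and this flag false is attached to, and this commit adds no parameter for supplying an existing policy ID. If, as the neighbouring `parAzFirewallIntelMode` and `parAzFirewallDnsProxyEnabled` parameters suggest, threat-intel mode and DNS proxy settings are configured on the policy resource, disabling it removes those controls as well. Say so in the description, e.g. `Switch to enable/disable Azure Firewall Policies deployment. When false with Azure Firewall enabled, the module-managed policy (and the threat-intel and DNS settings it carries) is not deployed, so a policy must be attached by other means.`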
@@ -853,7 +856,7 @@ module modAzureFirewallMgmtPublicIp '../publicIp/publicIp.bicep' = if (parAzFire } } -resource resFirewallPolicies 'Microsoft.Network/firewallPolicies@2023-02-01' = if (parAzFirewallEnabled) { +resource resFirewallPolicies 'Microsoft.Network/firewallPolicies@2023-02-01' = if (parAzFirewallEnabled && parAzFirewallPoliciesEnabled) { name: parAzFirewallPoliciesName location: parLocation tags: parTags From 1bded9309a1287f568c03cd6f840c5e81442ca2e Mon Sep 17 00:00:00 2001 From: Zhiyan Xu Date: Mon, 6 May 2024 16:38:43 -0700 Subject: [PATCH 08/26] Add a flag to disable or enable firewall policies deployment. --- .../generateddocs/hubNetworking.bicep.md | 28 +++++++++++++------ 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md b/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md index ae2720185..384701450 100644 --- a/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md +++ b/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md 
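Review bot: `resFirewallPolicies` becomes conditional on `parAzFirewallPoliciesEnabled`, but the Azure Firewall resource and its `firewallPolicy` reference lie outside this hunk and are not touched; if the firewall sets `firewallPolicy: { id: resFirewallPolicies.id }`, a deployment with `parAzFirewallEnabled` true and `parAzFirewallPoliciesEnabled` false either fails on a reference to a skipped resource or produces a firewall with no policy, i.e. no rules, threat-intel mode or DNS proxy settings. The firewall side needs the same guard, for example `firewallPolicy: parAzFirewallPoliciesEnabled ? { id: resFirewallPolicies.id } : null`, or better an explicit `parAzFirewallPolicyId` parameter so a pre-existing policy can be attached instead of none. Without one of those the new flag silently weakens the hub egress control.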
@@ -9,11 +9,11 @@ Parameter name | Required | Description parLocation | No | The Azure Region to deploy the resources into. parCompanyPrefix | No | Prefix value which will be prepended to all resource names. parHubNetworkName | No | Name for Hub Network. -parGlobalResourceLock | No | Global Resource Lock Configuration used for all resources deployed in this module. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parGlobalResourceLock | No | Global Resource Lock Configuration used for all resources deployed in this module. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parHubNetworkAddressPrefix | No | The IP address range for Hub Network. parSubnets | No | The name, IP address range, network security group, route table and delegation serviceName for each subnet in the virtual networks. parDnsServerIps | No | Array of DNS Server IP addresses for VNet. -parVirtualNetworkLock | No | Resource Lock Configuration for Virtual Network. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parVirtualNetworkLock | No | Resource Lock Configuration for Virtual Network. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parPublicIpSku | No | Public IP Address SKU. parPublicIpPrefix | No | Optional Prefix for Public IPs. Include a succedent dash if required. Example: prefix- parPublicIpSuffix | No | Optional Suffix for Public IPs. Include a preceding dash if required. Example: -suffix 
@@ -22,12 +22,13 @@ parAzBastionName | No | Name Associated with Bastion Service. parAzBastionSku | No | Azure Bastion SKU. parAzBastionTunneling | No | Switch to enable/disable Bastion native client support. This is only supported when the Standard SKU is used for Bastion as documented here: https://learn.microsoft.com/azure/bastion/native-client parAzBastionNsgName | No | Name for Azure Bastion Subnet NSG. -parBastionLock | No | Resource Lock Configuration for Bastion. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parBastionLock | No | Resource Lock Configuration for Bastion. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parDdosEnabled | No | Switch to enable/disable DDoS Network Protection deployment. parDdosPlanName | No | DDoS Plan Name. -parDdosLock | No | Resource Lock Configuration for DDoS Plan. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parDdosLock | No | Resource Lock Configuration for DDoS Plan. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parAzFirewallEnabled | No | Switch to enable/disable Azure Firewall deployment. parAzFirewallName | No | Azure Firewall Name. +parAzFirewallPoliciesEnabled | No | Switch to enable/disable Azure Firewall Policies deployment. parAzFirewallPoliciesName | No | Azure Firewall Policies Name. parAzFirewallTier | No | Azure Firewall Tier associated with the Firewall to deploy. parAzFirewallIntelMode | No | The Azure Firewall Threat Intelligence Mode. If not set, the default value is Alert. 
@@ -37,21 +38,21 @@ parAzErGatewayAvailabilityZones | No | Availability Zones to deploy the VP parAzVpnGatewayAvailabilityZones | No | Availability Zones to deploy the VPN/ER PIP across. Region must support Availability Zones to use. If it does not then leave empty. Ensure that you select a zonal SKU for the ER/VPN Gateway if using Availability Zones for the PIP. parAzFirewallDnsProxyEnabled | No | Switch to enable/disable Azure Firewall DNS Proxy. parAzFirewallDnsServers | No | Array of custom DNS servers used by Azure Firewall -parAzureFirewallLock | No | Resource Lock Configuration for Azure Firewall. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parAzureFirewallLock | No | Resource Lock Configuration for Azure Firewall. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parHubRouteTableName | No | Name of Route table to create for the default route of Hub. parDisableBgpRoutePropagation | No | Switch to enable/disable BGP Propagation on route table. -parHubRouteTableLock | No | Resource Lock Configuration for Hub Route Table. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parHubRouteTableLock | No | Resource Lock Configuration for Hub Route Table. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parPrivateDnsZonesEnabled | No | Switch to enable/disable Private DNS Zones deployment. parPrivateDnsZonesResourceGroup | No | Resource Group Name for Private DNS Zones. parPrivateDnsZones | No | Array of DNS Zones to provision in Hub Virtual Network. Default: All known Azure Private DNS Zones parPrivateDnsZoneAutoMergeAzureBackupZone | No | Set Parameter to false to skip the addition of a Private DNS Zone for Azure Backup. 
parVirtualNetworkIdToLinkFailover | No | Resource ID of Failover VNet for Private DNS Zone VNet Failover Links -parPrivateDNSZonesLock | No | Resource Lock Configuration for Private DNS Zone(s). - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parPrivateDNSZonesLock | No | Resource Lock Configuration for Private DNS Zone(s). - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parVpnGatewayEnabled | No | Switch to enable/disable VPN virtual network gateway deployment. parVpnGatewayConfig | No | Configuration for VPN virtual network gateway to be deployed. parExpressRouteGatewayEnabled | No | Switch to enable/disable ExpressRoute virtual network gateway deployment. parExpressRouteGatewayConfig | No | Configuration for ExpressRoute virtual network gateway to be deployed. -parVirtualNetworkGatewayLock | No | Resource Lock Configuration for ExpressRoute Virtual Network Gateway. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parVirtualNetworkGatewayLock | No | Resource Lock Configuration for ExpressRoute Virtual Network Gateway. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parTags | No | Tags you would like to be applied to all resources in this module. parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry. parBastionOutboundSshRdpPorts | No | Define outbound destination ports or ranges for SSH or RDP that you want to access from Azure Bastion. 
@@ -252,6 +253,14 @@ Azure Firewall Name. - Default value: `[format('{0}-azfw-{1}', parameters('parCompanyPrefix'), parameters('parLocation'))]` +### parAzFirewallPoliciesEnabled + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Switch to enable/disable Azure Firewall Policies deployment. + +- Default value: `True` + ### parAzFirewallPoliciesName ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) @@ -611,6 +620,9 @@ outHubVirtualNetworkId | string | "parAzFirewallName": { "value": "[format('{0}-azfw-{1}', parameters('parCompanyPrefix'), parameters('parLocation'))]" }, + "parAzFirewallPoliciesEnabled": { + "value": true + }, "parAzFirewallPoliciesName": { "value": "[format('{0}-azfwpolicy-{1}', parameters('parCompanyPrefix'), parameters('parLocation'))]" }, From 720f47aeff6d4c8c15ff7950d00d7ab962a4a41f Mon Sep 17 00:00:00 2001 From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com> Date: Tue, 7 May 2024 09:27:54 -0700 Subject: [PATCH 09/26] Update infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep Co-authored-by: Zach Trocinski <30884663+oZakari@users.noreply.github.com> --- .../assignments/alzDefaults/alzDefaultPolicyAssignments.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep index 66cb22c85..93e4e865f 100644 --- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep +++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep 
@@ -1665,7 +1665,7 @@ module modPolicyExemptionsConfidentialOnline '../../exemptions/policyExemptions.
 parPolicyDefinitionReferenceIds: ['AllowedLocationsForResourceGroups', 'AllowedLocations']
 parExemptionName: 'Confidential-Online-Location-Exemption'
 parExemptionDisplayName: 'Confidential Online Location Exemption'
- parDescription: 'Exempt the confidential online management group from the SLZ Global Policies location policies. The confidential management groups have their own location restrictions and this may result in a conflict if both sets are included.'
+ parDescription: 'Exempt the confidential online management group from the SLZ Global location policies. The confidential management groups have their own location restrictions and this may result in a conflict if both sets are included.'
 }
 dependsOn: [modPolicyAssignmentLzsConfidentialOnlineEnforceSovereigntyConf]
 }
From 2cdba4305a66cc2b8b1182f1464b72ad10d2ee58 Mon Sep 17 00:00:00 2001
From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com>
Date: Tue, 7 May 2024 09:28:33 -0700
Subject: [PATCH 10/26] Update infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep
Co-authored-by: Zach Trocinski <30884663+oZakari@users.noreply.github.com>
---
 .../bicep/modules/policy/exemptions/policyExemptions.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep b/infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep
index 76680334c..dbe8db021 100644
--- a/infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep
+++ b/infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep
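Review bot: The rationale given in `parDescription` is that a compensating control (the confidential landing zone's own location restrictions) covers the waived `AllowedLocations` and `AllowedLocationsForResourceGroups` checks, yet none of the visible params sets `parExemptionCategory`, so the exemption module's default of `Waiver` applies; Azure Policy reserves `Mitigated` for exactly this "covered by another control" case and compliance reporting distinguishes the two. Consider adding `parExemptionCategory: 'Mitigated'` next to `parExemptionName`, or state in the description why this is an accepted-risk waiver rather than a mitigation. It would also help an auditor if the description named the assignment that supplies the replacement control, which from `dependsOn` appears to be `modPolicyAssignmentLzsConfidentialOnlineEnforceSovereigntyConf`. The module call's opening lines and any params before `parPolicyDefinitionReferenceIds` are outside the hunk, so if the category is already set there this point is moot.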
@@ -3,7 +3,7 @@ targetScope = 'managementGroup' metadata name = 'ALZ Bicep - Management Group Policy Exemptions' metadata description = 'Module used to create a policy exemption for a policy assignment in a management group' -@description('SLZ Policy Set Assignment id') +@sys.description('The ID of the policy set assignment for which the exemption will be established.') param parPolicyAssignmentId string @allowed([ From 971cde7aff6475ec32c07645e8a60221cdd17980 Mon Sep 17 00:00:00 2001 From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com> Date: Tue, 7 May 2024 09:28:40 -0700 Subject: [PATCH 11/26] Update infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep Co-authored-by: Zach Trocinski <30884663+oZakari@users.noreply.github.com> --- .../bicep/modules/policy/exemptions/policyExemptions.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep b/infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep index dbe8db021..3ea5c6ab8 100644 --- a/infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep +++ b/infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep @@ -13,7 +13,7 @@ param parPolicyAssignmentId string @description('Exemption Category Default - Waiver') param parExemptionCategory string = 'Waiver' -@description('Description') +@sys.description('The description which provides context for the policy exemption.') param parDescription string @allowed([ From a5193e4bc265af0a5a45a0144be620c3551e600a Mon Sep 17 00:00:00 2001 From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com> Date: Tue, 7 May 2024 09:28:49 -0700 Subject: [PATCH 12/26] Update infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep Co-authored-by: Zach Trocinski <30884663+oZakari@users.noreply.github.com> --- .../bicep/modules/policy/exemptions/policyExemptions.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep b/infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep index 3ea5c6ab8..8a73c5f1c 100644 --- a/infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep +++ b/infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep @@ -23,7 +23,7 @@ param parDescription string @description('Assignment Scope') param parAssignmentScopeValidation string = 'Default' -@description('Reference ids of Policies to be exempted') +@sys.description('List used to specify which policy definition(s) in the initiative the subject resource has an exemption to.') param parPolicyDefinitionReferenceIds array @description('Exemption Name') From 72459da36907dcb6541cc8caa762e61cfeefa754 Mon Sep 17 00:00:00 2001 From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com> Date: Tue, 7 May 2024 09:29:00 -0700 Subject: [PATCH 13/26] Update infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep Co-authored-by: Zach Trocinski <30884663+oZakari@users.noreply.github.com> --- .../bicep/modules/policy/exemptions/policyExemptions.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep b/infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep index 8a73c5f1c..2af8864d4 100644 --- a/infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep +++ b/infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep @@ -29,7 +29,7 @@ param parPolicyDefinitionReferenceIds array @description('Exemption Name') param parExemptionName string -@description('Exemption Display Name') +@sys.description('The display name of the exemption.') param parExemptionDisplayName string // Create Policy Exemption From c60717ee703bcb2a98f00bb8564e76f22f098d50 Mon Sep 17 00:00:00 2001 
From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com> Date: Tue, 7 May 2024 09:29:18 -0700 Subject: [PATCH 14/26] Update infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep Co-authored-by: Zach Trocinski <30884663+oZakari@users.noreply.github.com> --- .../bicep/modules/policy/exemptions/policyExemptions.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep b/infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep index 2af8864d4..631c065c9 100644 --- a/infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep +++ b/infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep @@ -10,7 +10,7 @@ param parPolicyAssignmentId string 'Waiver' 'Mitigated' ]) -@description('Exemption Category Default - Waiver') +@sys.description(' The exemption category to be used.') param parExemptionCategory string = 'Waiver' @sys.description('The description which provides context for the policy exemption.') From 3dbed79dedf4fea2178dde555a09ff8a9c397f5b Mon Sep 17 00:00:00 2001 From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com> Date: Tue, 7 May 2024 09:29:24 -0700 Subject: [PATCH 15/26] Update infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep Co-authored-by: Zach Trocinski <30884663+oZakari@users.noreply.github.com> --- .../bicep/modules/policy/exemptions/policyExemptions.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep b/infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep index 631c065c9..fcaa6bc6d 100644 --- a/infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep +++ b/infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep 
@@ -20,7 +20,7 @@ param parDescription string
 'Default'
 'DoNotValidate'
 ])
-@description('Assignment Scope')
+@sys.description('Sets the scope to permit an exemption to bypass this validation and be created beyond the assignment scope.')
 param parAssignmentScopeValidation string = 'Default'
 @sys.description('List used to specify which policy definition(s) in the initiative the subject resource has an exemption to.')
From 12d6a85c82ad864293f8de64057cb68ff7d23df9 Mon Sep 17 00:00:00 2001
From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com>
Date: Tue, 7 May 2024 09:29:32 -0700
Subject: [PATCH 16/26] Update infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep
Co-authored-by: Zach Trocinski <30884663+oZakari@users.noreply.github.com>
---
 .../bicep/modules/policy/exemptions/policyExemptions.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep b/infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep
index fcaa6bc6d..e99ff92f8 100644
--- a/infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep
+++ b/infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep
@@ -26,7 +26,7 @@ param parAssignmentScopeValidation string = 'Default'
 @sys.description('List used to specify which policy definition(s) in the initiative the subject resource has an exemption to.')
 param parPolicyDefinitionReferenceIds array
-@description('Exemption Name')
+@sys.description('The resource name of the policy exemption.')
 param parExemptionName string
 @sys.description('The display name of the exemption.')
From 043a245921f5a1f0cb7516f2b99e6f42b5bc19e3 Mon Sep 17 00:00:00 2001
From: Zhiyan Xu
Date: Tue, 28 May 2024 10:17:59 -0700
Subject: [PATCH 17/26] Add Readme.
---
 .../bicep/modules/policy/exemptions/README.md | 102 ++++++++++++++++++
 1 file changed, 102 insertions(+)
 create mode 100644 infra-as-code/bicep/modules/policy/exemptions/README.md
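Review bot: The new description of `parAssignmentScopeValidation` never says what "this validation" is, which matters because `DoNotValidate` relaxes a safety check: per the ARM property's semantics it skips the check that the exemption scope sits at or under the policy assignment's scope, so an exemption can be created where it would otherwise be rejected. Since the parameter is `@allowed` to `Default`/`DoNotValidate` and defaults to `Default`, the description should name the check and warn about the non-default value, e.g. `@sys.description('Whether Azure Policy validates that the exemption scope is at or under the scope of the policy assignment. Default enforces the check; DoNotValidate skips it and should only be used deliberately, as it allows an exemption outside the assignment scope.')`. The `@allowed([` opening of this parameter is outside the hunk.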
diff --git a/infra-as-code/bicep/modules/policy/exemptions/README.md b/infra-as-code/bicep/modules/policy/exemptions/README.md new file mode 100644 index 000000000..f86000e72 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/exemptions/README.md 
@@ -0,0 +1,102 @@ +# ALZ Bicep - Management Group Policy Exemptions + +Module used to create a policy exemption for a policy assignment in a management group + +## Parameters + +Parameter name | Required | Description +-------------- | -------- | ----------- +parPolicyAssignmentId | Yes | SLZ Policy Set Assignment id +parExemptionCategory | No | Exemption Category Default - Waiver +parDescription | Yes | Description +parAssignmentScopeValidation | No | Assignment Scope +parPolicyDefinitionReferenceIds | Yes | Reference ids of Policies to be exempted +parExemptionName | Yes | Exemption Name +parExemptionDisplayName | Yes | Exemption Display Name + +### parPolicyAssignmentId + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +SLZ Policy Set Assignment id + +### parExemptionCategory + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Exemption Category Default - Waiver + +- Default value: `Waiver` + +- Allowed values: `Waiver`, `Mitigated` + +### parDescription + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +Description + +### parAssignmentScopeValidation + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Assignment Scope + +- Default value: `Default` + +- Allowed values: `Default`, `DoNotValidate` + +### parPolicyDefinitionReferenceIds + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +Reference ids of Policies to be exempted + +### parExemptionName + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +Exemption Name + +### parExemptionDisplayName + +![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) + +Exemption Display Name + +## Snippets + +### Parameter file + +```json +{ + "$schema": 
"https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "template": "infra-as-code/bicep/modules/policy/exemptions/policyExemptions.json" + }, + "parameters": { + "parPolicyAssignmentId": { + "value": "" + }, + "parExemptionCategory": { + "value": "Waiver" + }, + "parDescription": { + "value": "" + }, + "parAssignmentScopeValidation": { + "value": "Default" + }, + "parPolicyDefinitionReferenceIds": { + "value": [] + }, + "parExemptionName": { + "value": "" + }, + "parExemptionDisplayName": { + "value": "" + } + } +} +``` From f6d1bdf512a2bf0696a7b59c9e5be80942fae7d1 Mon Sep 17 00:00:00 2001 From: Zhiyan Xu Date: Tue, 28 May 2024 12:21:58 -0700 Subject: [PATCH 18/26] Update the docs. --- .../bicep/modules/policy/exemptions/README.md | 4 ++++ .../generateddocs/policyExemptions.bicep.md | 14 +++++++------- .../policy/exemptions/media/bicepVisualizer.png | Bin 0 -> 5567 bytes 3 files changed, 11 insertions(+), 7 deletions(-) create mode 100644 infra-as-code/bicep/modules/policy/exemptions/media/bicepVisualizer.png diff --git a/infra-as-code/bicep/modules/policy/exemptions/README.md b/infra-as-code/bicep/modules/policy/exemptions/README.md index f86000e72..7526626d2 100644 --- a/infra-as-code/bicep/modules/policy/exemptions/README.md +++ b/infra-as-code/bicep/modules/policy/exemptions/README.md @@ -100,3 +100,7 @@ Exemption Display Name } } ``` + +## Bicep Visualizer + +![Bicep Visualizer](media/bicepVisualizer.png "Bicep Visualizer") diff --git a/infra-as-code/bicep/modules/policy/exemptions/generateddocs/policyExemptions.bicep.md b/infra-as-code/bicep/modules/policy/exemptions/generateddocs/policyExemptions.bicep.md index f86000e72..7ad2eb098 100644 --- a/infra-as-code/bicep/modules/policy/exemptions/generateddocs/policyExemptions.bicep.md +++ b/infra-as-code/bicep/modules/policy/exemptions/generateddocs/policyExemptions.bicep.md 
@@ -6,13 +6,13 @@ Module used to create a policy exemption for a policy assignment in a management Parameter name | Required | Description -------------- | -------- | ----------- -parPolicyAssignmentId | Yes | SLZ Policy Set Assignment id -parExemptionCategory | No | Exemption Category Default - Waiver -parDescription | Yes | Description -parAssignmentScopeValidation | No | Assignment Scope -parPolicyDefinitionReferenceIds | Yes | Reference ids of Policies to be exempted -parExemptionName | Yes | Exemption Name -parExemptionDisplayName | Yes | Exemption Display Name +parPolicyAssignmentId | Yes | The ID of the policy set assignment for which the exemption will be established. +parExemptionCategory | No | The exemption category to be used. +parDescription | Yes | The description which provides context for the policy exemption. +parAssignmentScopeValidation | No | Sets the scope to permit an exemption to bypass this validation and be created beyond the assignment scope. +parPolicyDefinitionReferenceIds | Yes | List used to specify which policy definition(s) in the initiative the subject resource has an exemption to. +parExemptionName | Yes | The resource name of the policy exemption. +parExemptionDisplayName | Yes | The display name of the exemption. ### parPolicyAssignmentId 
diff --git a/infra-as-code/bicep/modules/policy/exemptions/media/bicepVisualizer.png b/infra-as-code/bicep/modules/policy/exemptions/media/bicepVisualizer.png new file mode 100644 index 0000000000000000000000000000000000000000..03dde588acfd1bca9ee99b0f0aff5af64f7bb98b GIT binary patch literal 5567 zcmcI|S5y;Fuq`MGf>NbO@4aY{Dn+S=D!uon(mNQMVx)!|f}tux0BIsEAs`?<^n{|6 z&;m%WQY66T-gWQ&dhh40^*(0LnK|<@>#TLo?6VVI7--+4WThk_A-M;9u3>!b53Vhe z;`TLuOi?MncBFyE+G-@#!|dzV0hz}${bwX3wW(A@r(4(Y9lz&Rfg~i4Yhm~yxhW+Wqj&0jl8de;s#iC?iUoS70znrC}%3TE= z)?DvFnkN(KNyd4_bVy$C{69f_c^VFjot4ovBBo_!F*3~Qy*XmIB_bx4iNzZCkBnp= zu8ruLnPugE<)>)fJ>>l7vMYk>3eKIIP&8`P=D%L~uV%>`_Xi@4B!Sxf{gh3?p*j;B2Z zo;;aR0!rEBi>f1ihFJ`~N0!{S%|33qB%=^irb_-W;lr z`&X^Q5t+J1(9?IrJs^h1<;Y1m9KMrNB)s2KgU3dnE|P~%aAjp>{a4Cesr9p6#eA8> z_afo`I7%y{8!`Vkc#5G^@YO08Z`-D}3fzqa1YVl$*lWTIiu2NN(g4?v>AwMog@r#_ zln&~>f-db_*J&~w061kGBLuUE00C1n)z^G}EhSF zDdCSitKTQ;xPGd!XtvIoHPr;_!=xM}=OYdwXc<|c1R;-j!wTuM>_$58Uo&VQRpqKj z`{;97i;lZpt8t>Jhpu}_%27!0b6=0R+^@prni#6^VN657+~m321lLZMX3EDv4x{s1 zwb{dV+>A-ty8bKT4_H|I=QV?%j$I9q|{)dP}nc)OF*xDqVg za+a~J(F$_uk3h`nbFJ*TJp%K*@^7i#y%IboxsMs}v0`lK;r+xnG{4=g3c@o_29 zno!ocsB*qlcW`;Wi?+!W>U`BZ><}5dKA00ach6YS<3}z%m!#s2>a)d9dD9o*ads7M zyOe=^N?N1+=FMuh0tym}mrNh^?+rF9EM7&#qmaQUH*oj z@8Ikn@o;3IX+COmN8dYa^v4lacW3e!|2VIOgoB6}$0qt;wJHV+$>ldS-9mJwR?eom zY%>FY{}eDL)E7$KqkaxT8hwzo3rKx#a7q)oRoklE5iHwbdSLTp^7GAf4$w5>gmV9 zkXd~Bhv9EBHoJ1W1-=mrQpTttaBfD6Z2+h2eB?>K*G%J(_>+*WhgV~!8)BsUZTmfJ zoka!$$Te-waE;YL`0@^l=(iL_R2hHQ1w~H^RItnaL)Z}h&3mW+gs<%2yRcI@i3w0> z|7T@1Vb-D$394bAT`;RKhf`|a*C0FnJLRAo9NbVIgU6gKr>bJA?a;GT15CIxRsW_a z-RM=g2VpUe3nn)oVPYS?!kDSWcCwP~0BdZN4JYpR4jr!!UFBDJ?QMd`4~acXH#b!@e_Jz_AQktHsp5WjO+eVch6UP%i-HERYAvtks~?z9WxcxtXE$9EDvUTN6#vk`YpS(?EG>A0F%^v0^SDCj z=MMhUcyXsNY$?HM>VelK;R!1gvI)sj;bfT8CHS`cSE^nd;X2oTN8$m2ZS0+`zdjDj z)+AtnD)<)p0)YPyaF8$l_)TM8dpO?3_^k+YfT0KaC>uIpRSLB3#HPv1m7(_Y^2#c* z`5;vXy4r>H@-PweJy#F+RttwnGyCX^;JV#0Z7!K@t4-FrhpDith~pZ$ivg*&$LCtH z%j>ge*H=M*rPJ8SyJaoY2h1Q=w!ko#1eO(VBVD&tes2(O0ir(lY5hA%R|GUPl=Bro 
zo!jznk0jZVW@6n;%;Fr%7gX({kfniLoSzKjhvF58?WEP(a4&_kd$m}+OGbX#vUP7_ z<#*9nG>kgipX7Nrpn(t*=A$2VRb~bg9GtgQAue?kFIo5IBq#n3n4}A=a>+N0>%>k^FCn@L-d?JdmzSsWt=X)6 z8HskoR5+GkFA7Fc7$a;Mk1p^Tt60JNDh*P@~! zCtLNFGh|Xd0Wc9I)7LZs(~sg)MItWnO1=u;7s?+n4Vn_+2i z2kvZkDhL|#Df*S;*GWz}8QI6l0R?MW1A(B35Cx()6o`k) z2D*aMj&mBCk6vVacmhGs;&96#HInK6bZ^sx6+U{z`Vk*VN-xznZ}o%k+n&BTg&_Fd zBh$l_Un)?fpz=t4>2@TyhWO)xzLzhwrq{yc@Bn|qyxv_#{tTTy*x-Q`HV@7hoH7vE z++a2wccFj0Rf4WlkLrMgkVVW|SxX&~HONa)iMNiN9N9D2&jMmX*wBWZKbExRFz06F(rYdek-S<%n^ zWA9jh5FmLjT+@wCCGY+Trdq)ns>;v+axeRZ3X}hwE?Z(nnDfoTI4VKA5YWdz=oChU2}vCSqtw+WLN4eFRXFpM_&0$l|cx6>W9U_^1TY{1Or z#5k!E;1KE%Tfh;?cKY*kP08P(=+Gvp#@=k;NIysDERWQW)1ru@G3_1vx-K?~HlV~c z%S=bxK7D*FYG*6s&B*50lu4%Y>MH5hv1|t+eQ#}85q}Pp?mKwO?63MdA{31%F?*eB zlN|GkTy9^n|CNmxCWvq4{avf@GvgQb0`+$`&dEyzgdA?GC9FftovHF)9M2(_3ZV=E z!urJ+k-sf>)6Yr-GVCq+HQfY^|A;GuqjrpRzN*E+C>7oqYxR*KB?5JxWOvi~r}Mo$ zH*yOxNVyNY&-RQNdLL+R(3o2!jEgO12HeV9Obq>T7>cN~jY0wFRkDVMsDQP6?qvBE zrrZx$=dIy_{0(VT9R9;0rcXvh1a^WNWjdDI_3np*&pO{xGZKK-&8ZBG0$`vH501Jz zNaq7%!7_2E?FNUty9cl%S&eVC2riJpfyH|XAo;V>yq~b_JA;!rNDU`p?rVzMYuJJ9 zHR1z<^WSvHA~HxZEx=i`KG0T<^^u2xc?Ty;F(+o^u)gpxPSr(EkYWYnJSFEd`*QNj z+egT2a)CZu%>maGGl^R+AOx8(JuDlpB8F+tk!k+99ttH3!Sve;c`TIj8OeI37q+H; zzvn_=v&1yI@bB#l5wQLj=H~8NR6IGZF>!SBRAT!APHKqm*V7&1De+Y7%KBNw-@n%l zd5U(~E+FTS^ZmEEwzR23_6FM9V;-=#KaCwxIT!!Tb$Lx7hdR~VEqUnl>6K}D;`Pq{ zl>RIcb3N;Tk#Pj=h!_JLN%I-tresC^!# z^JR-$IroeKa!OlU=aLt1Ro<^tP8+6uCMwUDP${F;MdG-8qBgq9sN%E#ElXseX34$=RLWPvVd(jQB_Gfb+QLdo~aO})a6Q>omTS3{$Bf3&p`II z%o;g}OYdv)Osxm>{@Y0hv(4=|w2mMegRNX%$dzee^R`{|iVfME*im+pN zf6luq;JEIjWHrAH*jq5)gEe3hzg5V#gr_H=5laB8r;&xas8Ycg#*EUnI};(b-N)<* z^+lx{3;vv0g_h>YVw_3JpyQ8zs_|?|DM?hDQ#H)JV$z!rqc4e0{=Y$vwvW#kYTs`% zERk;-{1#7EXk5A3rG+D@7_oFZSd5@rDrQGs9xD|^hH1V&~fae9a(zTCCF+;lM(v@)1GQ`}=U9TIs>f^W}0wdrTs zGd#@+Ka?~a_4)Gnoqi`JESol zMzv<8z;R$>b2AL2!vqh$aC5UZjBu{2~(d+`tbCSrLF|J^oP99 zxZkgKymmRGC3&auP>HP4tc6}I4qShOAmwc%_M>)Tda%q1{O3f8(-E54X6YMTCzbgP 
zISDI(2`XITXSA+=I}N23ZliSJN`GE^rR7|mq4WI7W>0sbbx!(g?Z*1wS$<SeGswJ8B=L(rGd2thD@O!|D4o+56oPse)kL|wS*qu?2 z)CTXdm;10(Vr|aTv-K@L2l21qgMd6`p@Wv%1-t@`T1JsVh(0Q9zo%i?FN)Ac|7%cc zKZgrdsvy3W!kIx;C4v1tF8mpzKp)Wc&?vRB(0F+g|jRsV%bsz5O%uVeDO-=qr3syAN}qBXm89djFH z&kjJNppja_P;+D|S2(8|LH-!jR68x(DAUGq;vJ3VR>QrjwD)9lV!RNHh$4*j-CgNl zif+|qsiiNJ^HsZ(Q>p|iy@ z(r}yst^WJ6xWuEcXnszBs@hIW_iE+Dm=MxuIn_L0u2H2;qf>`t@|kPXy>0VT(9Xyh z-VW~MXnriLx=VaM^|HtV_`(B*cUV=RAmG7eQa z(-Hp^*S!>_?zNffUJOS+AGnI-zA5S`;CLEbWzxf|jopfe*L1#aywX>s){FWSTT~1X z5p(SvO}iU}xIFrp2(U7?=}RnPG3~onz5Y*7L=Wg(W$~yG#*8mm_!`-`_GF1B0%T4n zY)sYMW8`B$Znyhr8ZD749T?f%y#H~*=5 z{28J#qJoniYS@iGEKa0XrLc_u?>f>+3Kj!yc}WD!%E+1gjhcmqn&y9%r)u9WlBdVt z;wpGRjufuVzOXknf~N1~BmgPBhygzZ&l`Hu8eicMJO<75qN1XMWHx#V&TDKv9N+St zDAX$D+AeY0C5)u;bJ#=ja+Y~(7Y!QY=Py*kzAf{=QLBsgHh>Ya_ zFT@0~8B24fHLa@3UiWk@S1u1ZTx(xsBoNOkVbZ79%VH(oE1Km1m9kG3+mhF!D+y53 LK%-jC@!fv_7)ulw literal 0 HcmV?d00001 From 55f36a70975e75498572a3eb1937374f5e83a83d Mon Sep 17 00:00:00 2001 From: Zhiyan Xu Date: Tue, 28 May 2024 13:40:14 -0700 Subject: [PATCH 19/26] Update docs. --- .../generateddocs/hubNetworking.bicep.md | 2 +- .../generateddocs/policyExemptions.bicep.md | 14 +++++++------- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md b/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md index 384701450..de0ae2996 100644 --- a/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md +++ b/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md 
@@ -52,7 +52,7 @@ parVpnGatewayEnabled | No | Switch to enable/disable VPN virtual network g parVpnGatewayConfig | No | Configuration for VPN virtual network gateway to be deployed. parExpressRouteGatewayEnabled | No | Switch to enable/disable ExpressRoute virtual network gateway deployment. parExpressRouteGatewayConfig | No | Configuration for ExpressRoute virtual network gateway to be deployed. -parVirtualNetworkGatewayLock | No | Resource Lock Configuration for ExpressRoute Virtual Network Gateway. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parVirtualNetworkGatewayLock | No | Resource Lock Configuration for ExpressRoute Virtual Network Gateway. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parTags | No | Tags you would like to be applied to all resources in this module. parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry. parBastionOutboundSshRdpPorts | No | Define outbound destination ports or ranges for SSH or RDP that you want to access from Azure Bastion. diff --git a/infra-as-code/bicep/modules/policy/exemptions/generateddocs/policyExemptions.bicep.md b/infra-as-code/bicep/modules/policy/exemptions/generateddocs/policyExemptions.bicep.md index 7ad2eb098..f065a8b6b 100644 --- a/infra-as-code/bicep/modules/policy/exemptions/generateddocs/policyExemptions.bicep.md +++ b/infra-as-code/bicep/modules/policy/exemptions/generateddocs/policyExemptions.bicep.md 
@@ -18,13 +18,13 @@ parExemptionDisplayName | Yes | The display name of the exemption. ![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) -SLZ Policy Set Assignment id +The ID of the policy set assignment for which the exemption will be established. ### parExemptionCategory ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -Exemption Category Default - Waiver +The exemption category to be used. - Default value: `Waiver` @@ -34,13 +34,13 @@ Exemption Category Default - Waiver ![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) -Description +The description which provides context for the policy exemption. ### parAssignmentScopeValidation ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -Assignment Scope +Sets the scope to permit an exemption to bypass this validation and be created beyond the assignment scope. - Default value: `Default` @@ -50,19 +50,19 @@ Assignment Scope ![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) -Reference ids of Policies to be exempted +List used to specify which policy definition(s) in the initiative the subject resource has an exemption to. ### parExemptionName ![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) -Exemption Name +The resource name of the policy exemption. ### parExemptionDisplayName ![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) -Exemption Display Name +The display name of the exemption. ## Snippets From ed9470c6bdde70e94182a360fe87ba670be8d32f Mon Sep 17 00:00:00 2001 
From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com> Date: Tue, 28 May 2024 14:17:59 -0700 Subject: [PATCH 20/26] Update hubNetworking.bicep.md --- .../generateddocs/hubNetworking.bicep.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md b/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md index de0ae2996..a4d61f5ec 100644 --- a/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md +++ b/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md 
@@ -9,11 +9,11 @@ Parameter name | Required | Description parLocation | No | The Azure Region to deploy the resources into. parCompanyPrefix | No | Prefix value which will be prepended to all resource names. parHubNetworkName | No | Name for Hub Network. -parGlobalResourceLock | No | Global Resource Lock Configuration used for all resources deployed in this module. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parGlobalResourceLock | No | Global Resource Lock Configuration used for all resources deployed in this module. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parHubNetworkAddressPrefix | No | The IP address range for Hub Network. parSubnets | No | The name, IP address range, network security group, route table and delegation serviceName for each subnet in the virtual networks. parDnsServerIps | No | Array of DNS Server IP addresses for VNet. -parVirtualNetworkLock | No | Resource Lock Configuration for Virtual Network. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parVirtualNetworkLock | No | Resource Lock Configuration for Virtual Network. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parPublicIpSku | No | Public IP Address SKU. parPublicIpPrefix | No | Optional Prefix for Public IPs. Include a succedent dash if required. Example: prefix- parPublicIpSuffix | No | Optional Suffix for Public IPs. Include a preceding dash if required. Example: -suffix 
@@ -22,10 +22,10 @@ parAzBastionName | No | Name Associated with Bastion Service. parAzBastionSku | No | Azure Bastion SKU. parAzBastionTunneling | No | Switch to enable/disable Bastion native client support. This is only supported when the Standard SKU is used for Bastion as documented here: https://learn.microsoft.com/azure/bastion/native-client parAzBastionNsgName | No | Name for Azure Bastion Subnet NSG. -parBastionLock | No | Resource Lock Configuration for Bastion. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parBastionLock | No | Resource Lock Configuration for Bastion. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parDdosEnabled | No | Switch to enable/disable DDoS Network Protection deployment. parDdosPlanName | No | DDoS Plan Name. -parDdosLock | No | Resource Lock Configuration for DDoS Plan. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parDdosLock | No | Resource Lock Configuration for DDoS Plan. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parAzFirewallEnabled | No | Switch to enable/disable Azure Firewall deployment. parAzFirewallName | No | Azure Firewall Name. parAzFirewallPoliciesEnabled | No | Switch to enable/disable Azure Firewall Policies deployment. 
@@ -38,16 +38,16 @@ parAzErGatewayAvailabilityZones | No | Availability Zones to deploy the VP parAzVpnGatewayAvailabilityZones | No | Availability Zones to deploy the VPN/ER PIP across. Region must support Availability Zones to use. If it does not then leave empty. Ensure that you select a zonal SKU for the ER/VPN Gateway if using Availability Zones for the PIP. parAzFirewallDnsProxyEnabled | No | Switch to enable/disable Azure Firewall DNS Proxy. parAzFirewallDnsServers | No | Array of custom DNS servers used by Azure Firewall -parAzureFirewallLock | No | Resource Lock Configuration for Azure Firewall. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parAzureFirewallLock | No | Resource Lock Configuration for Azure Firewall. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parHubRouteTableName | No | Name of Route table to create for the default route of Hub. parDisableBgpRoutePropagation | No | Switch to enable/disable BGP Propagation on route table. -parHubRouteTableLock | No | Resource Lock Configuration for Hub Route Table. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parHubRouteTableLock | No | Resource Lock Configuration for Hub Route Table. - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parPrivateDnsZonesEnabled | No | Switch to enable/disable Private DNS Zones deployment. parPrivateDnsZonesResourceGroup | No | Resource Group Name for Private DNS Zones. parPrivateDnsZones | No | Array of DNS Zones to provision in Hub Virtual Network. Default: All known Azure Private DNS Zones parPrivateDnsZoneAutoMergeAzureBackupZone | No | Set Parameter to false to skip the addition of a Private DNS Zone for Azure Backup. 
parVirtualNetworkIdToLinkFailover | No | Resource ID of Failover VNet for Private DNS Zone VNet Failover Links -parPrivateDNSZonesLock | No | Resource Lock Configuration for Private DNS Zone(s). - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. +parPrivateDNSZonesLock | No | Resource Lock Configuration for Private DNS Zone(s). - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock. parVpnGatewayEnabled | No | Switch to enable/disable VPN virtual network gateway deployment. parVpnGatewayConfig | No | Configuration for VPN virtual network gateway to be deployed. parExpressRouteGatewayEnabled | No | Switch to enable/disable ExpressRoute virtual network gateway deployment. From e08da2aecfa749fb855d7897cf574bd450774b35 Mon Sep 17 00:00:00 2001 From: VeronicaSea <69697690+VeronicaSea@users.noreply.github.com> Date: Tue, 28 May 2024 14:28:10 -0700 Subject: [PATCH 21/26] Update hubNetworking.bicep.md --- .../hubNetworking/generateddocs/hubNetworking.bicep.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md b/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md index a4d61f5ec..b19ca61f2 100644 --- a/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md +++ b/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md @@ -504,6 +504,10 @@ outPrivateDnsZonesNames | array | outDdosPlanResourceId | string | outHubVirtualNetworkName | string | outHubVirtualNetworkId | string | +outHubRouteTableId | string | +outHubRouteTableName | string | +outBastionNsgId | string | +outBastionNsgName | string | ## Snippets From 0fdccc1911b3ed63d57d7e48564083c599638c8b Mon Sep 17 00:00:00 2001 
From: Zhiyan Xu
Date: Tue, 28 May 2024 14:29:16 -0700
Subject: [PATCH 22/26] Add output for RouteTable and Network Security Group.
---
 infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep
index 925a293cd..ec7177f6c 100644
--- a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep
+++ b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep
@@ -1071,3 +1071,7 @@ output outPrivateDnsZonesNames array = (parPrivateDnsZonesEnabled ? modPrivateDn
 output outDdosPlanResourceId string = resDdosProtectionPlan.id
 output outHubVirtualNetworkName string = resHubVnet.name
 output outHubVirtualNetworkId string = resHubVnet.id
+output outHubRouteTableId string = parAzFirewallEnabled ? resHubRouteTable.id : ''
+output outHubRouteTableName string = parAzFirewallEnabled ? resHubRouteTable.name : ''
+output outBastionNsgId string = parAzBastionEnabled ? resBastionNsg.id : ''
+output outBastionNsgName string = parAzBastionEnabled ? resBastionNsg.name : ''
From 97d3b329aaac3a70d79d65ed7bdf5f6c0fa04fa0 Mon Sep 17 00:00:00 2001
From: Zhiyan Xu
Date: Tue, 28 May 2024 15:55:00 -0700
Subject: [PATCH 23/26] Remove extra space.
---
 .../bicep/modules/policy/exemptions/policyExemptions.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep b/infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep
index e99ff92f8..276d46dd5 100644
--- a/infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep
+++ b/infra-as-code/bicep/modules/policy/exemptions/policyExemptions.bicep
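Review bot: The four new outputs return an empty string when their guarding switch is off but carry no `@sys.description`, so the generated outputs table in this series shows blank descriptions and a consumer gets no warning that `''` is a sentinel rather than a resource ID; feeding `outHubRouteTableId` or `outBastionNsgId` into a scope or `existing` reference will then fail at deploy time. Add a description above each, e.g. `@sys.description('Resource ID of the hub route table, or an empty string when parAzFirewallEnabled is false.')` on `output outHubRouteTableId`, and the equivalent wording for the name output and the two Bastion NSG outputs. The conditions also assume `resHubRouteTable` is deployed only when `parAzFirewallEnabled` is true and `resBastionNsg` only when `parAzBastionEnabled` is true; their declarations are outside the hunk, so confirm the guards match, otherwise a route table or NSG that does exist would be reported as absent.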
@@ -10,7 +10,7 @@ param parPolicyAssignmentId string 'Waiver' 'Mitigated' ]) -@sys.description(' The exemption category to be used.') +@sys.description('The exemption category to be used.') param parExemptionCategory string = 'Waiver' @sys.description('The description which provides context for the policy exemption.') From 86aebf9dd3cf3af53dd9463d152263ebb64b553f Mon Sep 17 00:00:00 2001 From: Zhiyan Xu Date: Wed, 29 May 2024 10:09:19 -0700 Subject: [PATCH 24/26] Remove extra space. --- .../policy/exemptions/generateddocs/policyExemptions.bicep.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra-as-code/bicep/modules/policy/exemptions/generateddocs/policyExemptions.bicep.md b/infra-as-code/bicep/modules/policy/exemptions/generateddocs/policyExemptions.bicep.md index f065a8b6b..7478c978f 100644 --- a/infra-as-code/bicep/modules/policy/exemptions/generateddocs/policyExemptions.bicep.md +++ b/infra-as-code/bicep/modules/policy/exemptions/generateddocs/policyExemptions.bicep.md @@ -7,7 +7,7 @@ Module used to create a policy exemption for a policy assignment in a management Parameter name | Required | Description -------------- | -------- | ----------- parPolicyAssignmentId | Yes | The ID of the policy set assignment for which the exemption will be established. -parExemptionCategory | No | The exemption category to be used. +parExemptionCategory | No | The exemption category to be used. parDescription | Yes | The description which provides context for the policy exemption. parAssignmentScopeValidation | No | Sets the scope to permit an exemption to bypass this validation and be created beyond the assignment scope. parPolicyDefinitionReferenceIds | Yes | List used to specify which policy definition(s) in the initiative the subject resource has an exemption to. From aa67230a40d90c53c5b818cb8a1cacc97eb1f359 Mon Sep 17 00:00:00 2001 
From: Zhiyan Xu Date: Wed, 29 May 2024 15:16:33 -0700 Subject: [PATCH 25/26] Add policy exemption all and mini parameters json files. --- .../bicep/modules/policy/exemptions/README.md | 103 ++---------------- .../policyExemptions.parameters.all.json | 27 +++++ .../policyExemptions.parameters.min.json | 21 ++++ 3 files changed, 58 insertions(+), 93 deletions(-) create mode 100644 infra-as-code/bicep/modules/policy/exemptions/parameters/policyExemptions.parameters.all.json create mode 100644 infra-as-code/bicep/modules/policy/exemptions/parameters/policyExemptions.parameters.min.json diff --git a/infra-as-code/bicep/modules/policy/exemptions/README.md b/infra-as-code/bicep/modules/policy/exemptions/README.md index 7526626d2..3b7014660 100644 --- a/infra-as-code/bicep/modules/policy/exemptions/README.md +++ b/infra-as-code/bicep/modules/policy/exemptions/README.md 
@@ -1,105 +1,22 @@ -# ALZ Bicep - Management Group Policy Exemptions +# Module: Policy Exemptions -Module used to create a policy exemption for a policy assignment in a management group +This module defines a Policy Exemptions. -## Parameters - -Parameter name | Required | Description --------------- | -------- | ----------- -parPolicyAssignmentId | Yes | SLZ Policy Set Assignment id -parExemptionCategory | No | Exemption Category Default - Waiver -parDescription | Yes | Description -parAssignmentScopeValidation | No | Assignment Scope -parPolicyDefinitionReferenceIds | Yes | Reference ids of Policies to be exempted -parExemptionName | Yes | Exemption Name -parExemptionDisplayName | Yes | Exemption Display Name - -### parPolicyAssignmentId - -![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) - -SLZ Policy Set Assignment id - -### parExemptionCategory - -![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) - -Exemption Category Default - Waiver - -- Default value: `Waiver` - -- Allowed values: `Waiver`, `Mitigated` - -### parDescription - -![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) +Module deploys the following resources: -Description +- Policy Exemptions -### parAssignmentScopeValidation - -![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) - -Assignment Scope - -- Default value: `Default` - -- Allowed values: `Default`, `DoNotValidate` - -### parPolicyDefinitionReferenceIds - -![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) - -Reference ids of Policies to be exempted - -### parExemptionName - -![Parameter Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) - -Exemption Name - -### parExemptionDisplayName +## Parameters -![Parameter 
Setting](https://img.shields.io/badge/parameter-required-orange?style=flat-square) +- [Link to Parameters](generateddocs/policyExemptions.bicep.md) -Exemption Display Name +## Outputs -## Snippets +None -### Parameter file +## Deployment -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "template": "infra-as-code/bicep/modules/policy/exemptions/policyExemptions.json" - }, - "parameters": { - "parPolicyAssignmentId": { - "value": "" - }, - "parExemptionCategory": { - "value": "Waiver" - }, - "parDescription": { - "value": "" - }, - "parAssignmentScopeValidation": { - "value": "Default" - }, - "parPolicyDefinitionReferenceIds": { - "value": [] - }, - "parExemptionName": { - "value": "" - }, - "parExemptionDisplayName": { - "value": "" - } - } -} -``` +Module is intended to be called from other modules as a reusable resource. ## Bicep Visualizer diff --git a/infra-as-code/bicep/modules/policy/exemptions/parameters/policyExemptions.parameters.all.json b/infra-as-code/bicep/modules/policy/exemptions/parameters/policyExemptions.parameters.all.json new file mode 100644 index 000000000..c1b6c34e5 --- /dev/null +++ b/infra-as-code/bicep/modules/policy/exemptions/parameters/policyExemptions.parameters.all.json 
@@ -0,0 +1,27 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parPolicyAssignmentId": {
+ "value": "/providers/microsoft.management/managementgroups/policyAssignmentScopeName/providers/microsoft.authorization/policyassignments/policyAssignmentName"
+ },
+ "parExemptionCategory": {
+ "value": "Waiver"
+ },
+ "parDescription": {
+ "value": "Exempt the confidential corp management group from the SLZ Global Policies location policies. The confidential management groups have their own location restrictions and this may result in a conflict if both sets are included."
+ },
+ "parAssignmentScopeValidation": {
+ "value": "Default"
+ },
+ "parPolicyDefinitionReferenceIds": {
+ "value": ["AllowedLocationsForResourceGroups", "AllowedLocations"]
+ },
+ "parExemptionName": {
+ "value": "Confidential-Corp-Location-Exemption"
+ },
+ "parExemptionDisplayName": {
+ "value": "Confidential Corp Location Exemption"
+ }
+ }
+}
diff --git a/infra-as-code/bicep/modules/policy/exemptions/parameters/policyExemptions.parameters.min.json b/infra-as-code/bicep/modules/policy/exemptions/parameters/policyExemptions.parameters.min.json
new file mode 100644
index 000000000..fd31fe468
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/exemptions/parameters/policyExemptions.parameters.min.json
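Review bot: The `parPolicyAssignmentId` sample value reads like a real resource ID, but `policyAssignmentScopeName` and `policyAssignmentName` are placeholders, so a reader who copies the file unedited deploys against a non-existent assignment instead of being prompted to substitute values; the same value is in policyExemptions.parameters.min.json in the next hunk. Marking the segments as placeholders, e.g. `"value": "/providers/microsoft.management/managementgroups/<managementGroupId>/providers/microsoft.authorization/policyassignments/<policyAssignmentName>"`, would make that unmistakable, which matters because the file waives the AllowedLocations controls for whatever assignment the ID resolves to. Separately, the parDescription states that the confidential management groups enforce their own location restrictions, which is the situation Azure Policy's `Mitigated` category describes (intent met by another control) rather than `Waiver`; consider `"value": "Mitigated"` for parExemptionCategory, or say in the description why a waiver is the intended category.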
@@ -0,0 +1,21 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parPolicyAssignmentId": {
+ "value": "/providers/microsoft.management/managementgroups/policyAssignmentScopeName/providers/microsoft.authorization/policyassignments/policyAssignmentName"
+ },
+ "parDescription": {
+ "value": "Exempt the confidential corp management group from the SLZ Global Policies location policies. The confidential management groups have their own location restrictions and this may result in a conflict if both sets are included."
+ },
+ "parPolicyDefinitionReferenceIds": {
+ "value": ["AllowedLocationsForResourceGroups", "AllowedLocations"]
+ },
+ "parExemptionName": {
+ "value": "Confidential-Corp-Location-Exemption"
+ },
+ "parExemptionDisplayName": {
+ "value": "Confidential Corp Location Exemption"
+ }
+ }
+}
From 3624fe0986fbc4267be58bf911813336e38d7c4b Mon Sep 17 00:00:00 2001 From: Zach Trocinski <30884663+oZakari@users.noreply.github.com> Date: Thu, 30 May 2024 22:48:05 -0500 Subject: [PATCH 26/26] Add condition to policy exemption deployments
---
 .../assignments/alzDefaults/alzDefaultPolicyAssignments.bicep | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
index 93e4e865f..382517bdb 100644
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
@@ -1657,7 +1657,7 @@ module modPolicyAssignmentSandboxEnforceAlz '../../../policy/assignments/policyA } // The following module is used to deploy the policy exemptions -module modPolicyExemptionsConfidentialOnline '../../exemptions/policyExemptions.bicep' = { +module modPolicyExemptionsConfidentialOnline '../../exemptions/policyExemptions.bicep' = if (parLandingZoneMgConfidentialEnable) { scope: managementGroup(varManagementGroupIds.landingZonesConfidentialOnline) name: take('${parTopLevelManagementGroupPrefix}-deploy-policy-exemptions${parTopLevelManagementGroupSuffix}', 64) params: { @@ -1671,7 +1671,7 @@ module modPolicyExemptionsConfidentialOnline '../../exemptions/policyExemptions. } // The following module is used to deploy the policy exemptions -module modPolicyExemptionsConfidentialCorp '../../exemptions/policyExemptions.bicep' = { +module modPolicyExemptionsConfidentialCorp '../../exemptions/policyExemptions.bicep' = if (parLandingZoneMgConfidentialEnable) { scope: managementGroup(varManagementGroupIds.landingZonesConfidentialCorp) name: take('${parTopLevelManagementGroupPrefix}-deploy-policy-exemptions${parTopLevelManagementGroupSuffix}', 64) params: {
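Review bot: The new `if (parLandingZoneMgConfidentialEnable)` guard on modPolicyExemptionsConfidentialOnline ties the exemption to the existence of the confidential management groups but not to the deployment of the assignment being exempted; the second hunk (modPolicyExemptionsConfidentialCorp) has the same shape. If the SLZ sovereignty baseline assignment these exemptions reference is itself optional, the exemption deployment would target a missing assignment, so the condition probably needs to also include whatever switch controls that assignment — that switch is not visible in this hunk, so this is inferred. Separately, both modules keep the verbatim comment `// The following module is used to deploy the policy exemptions`, which no longer explains which management group is exempted or why the condition exists; suggest `// Waive the SLZ Global location policies for the confidential online landing zone MG; only deployed when the confidential MGs exist (parLandingZoneMgConfidentialEnable)` here and the corp counterpart on the second module. Both module bodies (params, dependsOn) continue outside the hunk.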