Azure · jtracey93 · May 7, 2024 · Feb 16, 2024 · Feb 16, 2024 · Feb 16, 2024
diff --git a/docs/wiki/ALZ-Deprecated-Services.md b/docs/wiki/ALZ-Deprecated-Services.md
@@ -28,6 +28,7 @@ Policies being deprecated:
 | Public network access should be disabled for MariaDB<br>ID: [`Deny-PublicEndpoint-MariaDB`](https://www.azadvertizer.net/azpolicyadvertizer/Deny-PublicEndpoint-MariaDB.html) | [`fdccbe47-f3e3-4213-ad5d-ea459b2fa077`](https://www.azadvertizer.net/azpolicyadvertizer/fdccbe47-f3e3-4213-ad5d-ea459b2fa077.html) | Deprecating policies for MariaDB see [`ALZ Policy FAQ & Tips`](https://github.com/Azure/Enterprise-Scale/blob/main/docs/wiki/ALZ-Policies-FAQ.md). |
 | Diagnostic Settings for MariaDB to Log Analytics Workspace <br>ID: [`Deploy-Diagnostics-MariaDB`](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Diagnostics-MariaDB.html) | Deprecating due to service retirement | Deprecating policies for MariaDB, see [`ALZ Policy FAQ & Tips`](./ALZ-Policies-FAQ) |
 | Deploy SQL Database Vulnerability Assessments<br>ID: [`Deploy-Sql-vulnerabilityAssessments`](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-vulnerabilityAssessments.html) | [`Deploy-Sql-vulnerabilityAssessments_20230706`](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-vulnerabilityAssessments_20230706.html) | Custom policy replaced by updated custom policy providing bug fix |
+| Deploy Microsoft Defender for Cloud configuration<br>ID: [`Deploy-MDFC-Config`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config.html) | [`Deploy-MDFC-Config_20240319`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html) | Custom initiative replaced by updated custom initiative due to breaking changes |
 
 ### More Information
 

diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md
@@ -55,6 +55,7 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
 - Added the [Configure Recovery Services vaults to use private DNS zones for backup](https://www.azadvertizer.net/azpolicyadvertizer/af783da1-4ad1-42be-800d-d19c70038820.html) built-in policy to the "Deploy-Private-DNS-Zones" initiative and assignment.
 - Added the [Configure a private DNS Zone ID for table groupID](https://www.azadvertizer.net/azpolicyadvertizer/028bbd88-e9b5-461f-9424-a1b63a7bee1a.html) built-in policy to the "Deploy-Private-DNS-Zones" initiative and assignment.
 - Added the [Configure a private DNS Zone ID for table_secondary groupID](https://www.azadvertizer.net/azpolicyadvertizer/c1d634a5-f73d-4cdd-889f-2cc7006eb47f.html) built-in policy to the "Deploy-Private-DNS-Zones" initiative and assignment.
+- Removed Defender for Cloud for DNS, as this is now deprecated and is included in Defender for Servers. Deprecated [Deploy-MDFC-Config](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config.html) initiative, and superseded with [Deploy-MDFC-Config_20240319](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html) to minimize breaking change impact on existing deployments.
 - Added new initiative and default assignment for [Enforce-Backup](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Backup.html) scoped to the Landing Zones and Platform management groups in Audit mode:
   - Added the [[Preview]: Immutability must be enabled for backup vaults](https://www.azadvertizer.net/azpolicyadvertizer/2514263b-bc0d-4b06-ac3e-f262c0979018.html) built-in policy
   - Added the [[Preview]: Immutability must be enabled for Recovery Services vaults](https://www.azadvertizer.net/azpolicyadvertizer/d6f6f560-14b7-49a4-9fc8-d2c3a9807868.html) built-in policy
@@ -104,6 +105,7 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
 - Bug fix for Portal Accelerator. userAssignedIdentityResourceGroup has been added as output for the Portal UI, this fixes deploying the Resource Group with a custom name.
 - Bug fix for Portal Accelerator. `subscriptionIds` now uses lambda function to obtain the subscription IDs from `corpConnectedLzSubscriptionId`. This fixes the Invalid Template error when selecting a corp connected landing zone deployment.
 - Bug fix for Portal Accelerator. `connectivitySubscriptionId` is now skipped when no networking components are deployed. This fixes an InvalidTemplateDeployment error deploying the Resource Group for UAMI.
+- From Portal Accelerator: removed the options to select VM vulnerability assessment provider and to select Defender for Cloud for DNS. These are now default to the recommended settings.
 
 ### AMA Update for the Portal Accelerator
 

diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json
@@ -624,26 +624,6 @@
                                 ]
                             }
                         },
-                        {
-                            "name": "vulnerabilityAssessmentProvider",
-                            "type": "Microsoft.Common.OptionsGroup",
-                            "label": "Choose the Microsoft Defender for Cloud for servers vulnerability assessments provider",
-                            "defaultValue": "Microsoft Defender vulnerability management (recommended)",
-                            "toolTip": "Choose the preferred vulnerability assessment provider for Microsoft Defender for Cloud for servers vulnerability assessments.<br>Uses the custom initiative <a href=\"https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config.html\">Deploy Microsoft Defender for Cloud configuration</a>.",
-                            "visible": "[and(equals(steps('management').enableAsc,'Yes'), equals(steps('management').enableAscForServersVulnerabilityAssessments,'DeployIfNotExists'))]",
-                            "constraints": {
-                                "allowedValues": [
-                                    {
-                                        "label": "Microsoft Defender for Cloud integrated Qualys scanner",
-                                        "value": "default"
-                                    },
-                                    {
-                                        "label": "Microsoft Defender vulnerability management (recommended)",
-                                        "value": "mdeTvm"
-                                    }
-                                ]
-                            }
-                        },
                         {
                             "name": "enableAscForOssDb",
                             "type": "Microsoft.Common.OptionsGroup",
@@ -5489,7 +5469,6 @@
                 "emailContactAsc": "[steps('management').emailContactAsc]",
                 "enableAscForServers": "[steps('management').enableAscForServers]",
                 "enableAscForServersVulnerabilityAssessments": "[steps('management').enableAscForServersVulnerabilityAssessments]",
-                "vulnerabilityAssessmentProvider": "[steps('management').vulnerabilityAssessmentProvider]",
                 "enableAscForOssDb": "[steps('management').enableAscForOssDb]",
                 "enableAscForCosmosDbs": "[steps('management').enableAscForCosmosDbs]",
                 "enableAscForAppServices": "[steps('management').enableAscForAppServices]",
@@ -5500,7 +5479,6 @@
                 "enableAscForArm": "[steps('management').enableAscForArm]",
                 "enableAscForApis": "[steps('management').enableAscForApis]",
                 "enableAscForCspm": "[steps('management').enableAscForCspm]",
-                "enableAscForDns": "[steps('management').enableAscForDns]",
                 "enableAscForContainers": "[steps('management').enableAscForContainers]",
                 "enableMDEndpoints": "[steps('management').enableMDEndpoints]",
                 "enableMonitorBaselines": "[steps('monitor').enableMonitorBaselines]",

diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
@@ -106,14 +106,6 @@
                 "Disabled"
             ]
         },
-        "vulnerabilityAssessmentProvider": {
-            "type": "string",
-            "defaultValue": "mdeTvm",
-            "allowedValues": [
-                "default",
-                "mdeTvm"
-            ]
-        },
         "enableAscForOssDb": {
             "type": "string",
             "allowedValues": [
@@ -194,14 +186,6 @@
             ],
             "defaultValue": "Disabled"
         },
-        "enableAscForDns": {
-            "type": "string",
-            "allowedValues": [
-                "Disabled",
-                "DeployIfNotExists"
-            ],
-            "defaultValue": "Disabled"
-        },
         "enableAscForContainers": {
             "type": "string",
             "allowedValues": [
@@ -2481,9 +2465,6 @@
                     "enableAscForServersVulnerabilityAssessments": {
                         "value": "[parameters('enableAscForServersVulnerabilityAssessments')]"
                     },
-                    "vulnerabilityAssessmentProvider": {
-                        "value": "[parameters('vulnerabilityAssessmentProvider')]"
-                    },
                     "enableAscForSql": {
                         "value": "[parameters('enableAscForSql')]"
                     },
@@ -2511,9 +2492,6 @@
                     "enableAscForCspm": {
                         "value": "[parameters('enableAscForCspm')]"
                     },
-                    "enableAscForDns": {
-                        "value": "[parameters('enableAscForDns')]"
-                    },
                     "enableAscForOssDb": {
                         "value": "[parameters('enableAscForOssDb')]"
                     },
@@ -2698,9 +2676,6 @@
                     },
                     "enableAscForArm": {
                         "value": "[parameters('enableAscForArm')]"
-                    },
-                    "enableAscForDns": {
-                        "value": "[parameters('enableAscForDns')]"
                     }
                 }
             }

diff --git a/eslzArm/eslzArm.test.param.json b/eslzArm/eslzArm.test.param.json
@@ -47,9 +47,6 @@
         "enableAscForServersVulnerabilityAssessments": {
             "value": "DeployIfNotExists"
         },
-        "vulnerabilityAssessmentProvider": {
-            "value": "default"
-        },
         "enableAscForOssDb": {
             "value": "DeployIfNotExists"
         },
@@ -80,9 +77,6 @@
         "enableAscForCspm": {
             "value": "DeployIfNotExists"
         },
-        "enableAscForDns": {
-            "value": "DeployIfNotExists"
-        },
         "enableAscForContainers": {
             "value": "DeployIfNotExists"
         },

diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-MDFCConfigPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-MDFCConfigPolicyAssignment.json
@@ -48,14 +48,6 @@
             ],
             "defaultValue": "Disabled"            
         },
-        "vulnerabilityAssessmentProvider": {
-            "type": "string",
-            "allowedValues": [
-                "default",
-                "mdeTvm"
-            ],
-            "defaultValue": "mdeTvm"            
-        },
         "enableAscForSql": {
             "type": "string",
             "allowedValues": [
@@ -112,14 +104,6 @@
             ],
             "defaultValue": "Disabled"            
         },
-        "enableAscForDns": {
-            "type": "string",
-            "allowedValues": [
-                "Disabled",
-                "DeployIfNotExists"
-            ],
-            "defaultValue": "Disabled"            
-        },
         "enableAscForOssDb": {
             "type": "string",  
             "allowedValues": [
@@ -155,7 +139,7 @@
     },
     "variables": {
         "policyDefinitions": {
-            "deployAzureSecurity": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config')]"
+            "deployAzureSecurity": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config_20240319')]"
         },
         "policyAssignmentNames": {
             "azureSecurity": "Deploy-MDFC-Config",
@@ -210,9 +194,6 @@
                     "enableAscForServersVulnerabilityAssessments": {
                         "value": "[parameters('enableAscForServersVulnerabilityAssessments')]"
                     },
-                    "vulnerabilityAssessmentProvider": {
-                        "value": "[parameters('vulnerabilityAssessmentProvider')]"
-                    },
                     "enableAscForSql": {
                         "value": "[parameters('enableAscForSql')]"
                     },
@@ -234,9 +215,6 @@
                     "enableAscForArm": {
                         "value": "[parameters('enableAscForArm')]"
                     },
-                    "enableAscForDns": {
-                        "value": "[parameters('enableAscForDns')]"
-                    },
                     "enableAscForOssDb": {
                         "value": "[parameters('enableAscForOssDb')]"
                     },

diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config.json
@@ -5,12 +5,14 @@
     "scope": null,
     "properties": {
         "policyType": "Custom",
-        "displayName": "Deploy Microsoft Defender for Cloud configuration",
-        "description": "Deploy Microsoft Defender for Cloud configuration",
+        "displayName": "[Deprecated]: Deploy Microsoft Defender for Cloud configuration",
+        "description": "Deploy Microsoft Defender for Cloud configuration. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html",
         "metadata": {
-            "version": "7.0.0",
+            "version": "7.0.0-deprecated",
             "category": "Security Center",
             "source": "https://github.com/Azure/Enterprise-Scale/",
+            "deprecated": true,
+            "supersededBy": "Deploy-MDFC-Config_20240319",
             "alzCloudEnvironments": [
                 "AzureCloud"
             ]