Support for disabling policy enforcement for policy sets assignments (#120)

* Add policy enforcement mode for built-in policy set assignments * Add policy enforcement mode for custom policy set assignments * add branch config for testing * Test: set enforcementMode = DoNotEnforce * Set enforcementMode = Default * Update policy examples * Update policy authoring guide with instructions for disabling policy set enforcement * Update title * Remove branch config used for testing
2021-12-10 23:18:05 -05:00 · 2021-12-10 23:18:05 -05:00 · c6931b44e1
--- a/docs/policy/authoring-guide.md
+++ b/docs/policy/authoring-guide.md
@ -15,6 +15,7 @@ This reference implementation uses Built-In and Custom Policies to provide guard
  * [Remove built-in policy set assignment](#remove-built-in-policy-set-assignment)
    * [Step 1: Remove built-in policy set assignment from Azure DevOps Pipeline](#step-1-remove-built-in-policy-set-assignment-from-azure-devops-pipeline)
    * [Step 2: Remove built-in policy set assignment's IAM assignments](#step-2-remove-built-in-policy-set-assignments-iam-assignments)
+  * [Enable or disable built-in policy set enforcement](#enable-or-disable-built-in-policy-set-enforcement)
 * [Custom policies](#custom-policies)
  * [New custom policy definition](#new-custom-policy-definition)
    * [Step 1: Create policy definition template](#step-1-create-policy-definition-template)
@ -40,6 +41,7 @@ This reference implementation uses Built-In and Custom Policies to provide guard
    * [Step 2: Remove custom policy set assignment](#step-2-remove-custom-policy-set-assignment)
    * [Step 3: Remove custom policy set from Azure DevOps Pipeline](#step-3-remove-custom-policy-set-from-azure-devops-pipeline)
    * [Step 4: Remove custom policy set assignment's IAM assignments](#step-4-remove-custom-policy-set-assignments-iam-assignments)
+  * [Enable or disable custom policy set enforcement](#enable-or-disable-custom-policy-set-enforcement)
  * [Auto generate custom Diagnostic Settings policies for PaaS services](#auto-generate-custom-diagnostic-settings-policies-for-paas-services)

 ---
@ -140,6 +142,13 @@ The built-in policy sets are used as-is to ensure future improvements from Azure
      @description('Management Group scope for the policy assignment.')
      param policyAssignmentManagementGroupId string

+      @allowed([
+        'Default'
+        'DoNotEnforce'
+      ])
+      @description('Policy set assignment enforcement mode.  Possible values are { Default, DoNotEnforce }.  Default value:  Default')
+      param enforcementMode string = 'Default'
+
      // Start - Any custom parameters required for your policy assignment
      param ...
      // End - Any custom parameters required for your policy assignment
@ -171,7 +180,7 @@ The built-in policy sets are used as-is to ensure future improvements from Azure
          }

          // The policy assignment enforcement mode. Possible values are Default and DoNotEnforce.
-          enforcementMode: 'Default'
+          enforcementMode: enforcementMode
        }
        identity: {
          type: 'SystemAssigned'
@ -202,6 +211,13 @@ The built-in policy sets are used as-is to ensure future improvements from Azure
      @description('Management Group scope for the policy assignment.')
      param policyAssignmentManagementGroupId string

+      @allowed([
+        'Default'
+        'DoNotEnforce'
+      ])
+      @description('Policy set assignment enforcement mode.  Possible values are { Default, DoNotEnforce }.  Default value:  Default')
+      param enforcementMode string = 'Default'
+
      @description('Log Analytics Resource Id to integrate Microsoft Defender for Cloud.')
      param logAnalyticsWorkspaceId string

@ -236,7 +252,7 @@ The built-in policy sets are used as-is to ensure future improvements from Azure
              value: listOfMembersToIncludeInWindowsVMAdministratorsGroup
            }
          }
-          enforcementMode: 'Default'
+          enforcementMode: enforcementMode
        }
        identity: {
          type: 'SystemAssigned'
@ -270,6 +286,9 @@ The built-in policy sets are used as-is to ensure future improvements from Azure
            "policyAssignmentManagementGroupId": {
                "value": "{{var-topLevelManagementGroupName}}"
            },
+            "enforcementMode": {
+                "value": "Default"
+            },
            "EXTRA_POLICY_ASSIGNMENT_PARAMETER_NAME_1": {
                "value": "EXTRA_POLICY_ASSIGNMENT_PARAMETER_VALUE_1"
            },
@ -290,6 +309,9 @@ The built-in policy sets are used as-is to ensure future improvements from Azure
            "policyAssignmentManagementGroupId": {
                "value": "{{var-topLevelManagementGroupName}}"
            },
+            "enforcementMode": {
+                "value": "Default"
+            },
            "logAnalyticsWorkspaceId": {
                "value": "{{var-logging-logAnalyticsWorkspaceId}}"
            },
@ -332,7 +354,6 @@ Execute `Azure DevOps Policy pipeline` to deploy.  The policy set assignment wil

 > **Automation does not remove an existing policy set assignment.  Removing the policy set assignment from the Azure DevOps pipeline ensures that it's no longer created.  Any existing policy set assignments must be deleted manually.**

-
 **Steps**

 * [Step 1: Remove built-in policy set assignment from Azure DevOps Pipeline](#step-1-remove-built-in-policy-set-assignment-from-azure-devops-pipeline)
@ -358,6 +379,29 @@ Execute `Azure DevOps Policy pipeline` to deploy.  The policy set assignment wil

 ---

+### Enable or disable built-in policy set enforcement
+
+You may want to evaluate the compliance in your environment without any automatic remediation, either through `DeployIfNotExists` or `modify` policies.  To support this scenario, all policy set assignments support an `enforcementMode` setting.  This can be set to either: `Default` or `DoNotEnforce`:
+
+* `Default` = enable policy set enforcement
+* `DoNotEnforce` = disable policy set enforcement
+
+Please review guidance and expected behaviour of these settings prior to making any modification:
+
+* [Cloud Adoption Framework - Adopting policy driven guardrails](https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/dine-guidance)
+* [Azure Policy Enforcement Mode](https://aka.ms/enforcementMode)
+
+You can switch between these modes per-policy set based on your Azure Policy adoption strategy.
+
+To manage this setting:
+
+* Navigate to [policy/builtin/assignments](../../policy/builtin/assignments)
+* Open `*.parameters.json`.  There is 1 parameters file per policy set assignment
+* Modify `enforcementMode` parameter with either `Default` or `DoNotEnforce`
+* Re-run the `policy-ci` Azure DevOps pipeline to update Azure
+
+---
+
 ## Custom policies

 Custom policies and policy sets enable an organization to expand their governance in Azure.  Prior to creating any custom policies, we recommend searching for a suitable built-in policy through [Azure Policy Definitions][portalAzurePolicyDefinition].  You can create custom policy sets that contain built-in and custom policies.
@ -626,6 +670,13 @@ When there are deployment errors:
    @description('Management Group scope for the policy assignment.')
    param policyAssignmentManagementGroupId string

+    @allowed([
+      'Default'
+      'DoNotEnforce'
+    ])
+    @description('Policy set assignment enforcement mode.  Possible values are { Default, DoNotEnforce }.  Default value:  Default')
+    param enforcementMode string = 'Default'
+
    // Start - Any custom parameters required for your policy set assignment
    param ...
    // End - Any custom parameters required for your policy set assignment
@ -652,7 +703,7 @@ When there are deployment errors:
          // Add any parameters identified earlier into this section
        }
        // The policy assignment enforcement mode. Possible values are Default and DoNotEnforce.
-        enforcementMode: 'Default'
+        enforcementMode: enforcementMode
      }
      identity: {
        type: 'SystemAssigned'
@ -686,6 +737,13 @@ When there are deployment errors:
      @description('Management Group scope for the policy assignment.')
      param policyAssignmentManagementGroupId string

+      @allowed([
+        'Default'
+        'DoNotEnforce'
+      ])
+      @description('Policy set assignment enforcement mode.  Possible values are { Default, DoNotEnforce }.  Default value:  Default')
+      param enforcementMode string = 'Default'
+
      @description('Log Analytics Workspace Resource Id')
      param logAnalyticsResourceId string

@ -714,7 +772,7 @@ When there are deployment errors:
              value: logAnalyticsWorkspaceId
            }
          }
-          enforcementMode: 'Default'
+          enforcementMode: enforcementMode
        }
        identity: {
          type: 'SystemAssigned'
@ -771,6 +829,9 @@ When there are deployment errors:
          "policyAssignmentManagementGroupId": {
              "value": "{{var-topLevelManagementGroupName}}"
          },
+          "enforcementMode": {
+              "value": "Default"
+          },
          "EXTRA_POLICY_ASSIGNMENT_PARAMETER_NAME_1": {
              "value": "EXTRA_POLICY_ASSIGNMENT_PARAMETER_VALUE_1"
          },
@ -794,6 +855,9 @@ When there are deployment errors:
            "policyAssignmentManagementGroupId": {
                "value": "{{var-topLevelManagementGroupName}}"
            },
+            "enforcementMode": {
+                "value": "Default"
+            },
            "logAnalyticsWorkspaceId": {
                "value": "{{var-logging-logAnalyticsWorkspaceId}}"
            },
@ -952,6 +1016,29 @@ When there are deployment errors:

 ---

+### Enable or disable custom policy set enforcement
+
+You may want to evaluate the compliance in your environment without any automatic remediation, either through `DeployIfNotExists` or `modify` policies.  To support this scenario, all policy set assignments support an `enforcementMode` setting.  This can be set to either: `Default` or `DoNotEnforce`:
+
+* `Default` = enable policy set enforcement
+* `DoNotEnforce` = disable policy set enforcement
+
+Please review guidance and expected behaviour of these settings prior to making any modification:
+
+* [Cloud Adoption Framework - Adopting policy driven guardrails](https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/dine-guidance)
+* [Azure Policy Enforcement Mode](https://aka.ms/enforcementMode)
+
+You can switch between these modes per-policy set based on your Azure Policy adoption strategy.
+
+To manage this setting:
+
+* Navigate to [policy/custom/assignments](../../policy/custom/assignments)
+* Open `*.parameters.json`.  There is 1 parameters file per policy set assignment
+* Modify `enforcementMode` parameter with either `Default` or `DoNotEnforce`
+* Re-run the `policy-ci` Azure DevOps pipeline to update Azure
+
+---
+
 ### Auto generate custom Diagnostic Settings policies for PaaS services

 Before auto generating a custom Diagnostic Settings policy, we recommend searching for a suitable built-in policy through [Azure Policy Definitions][portalAzurePolicyDefinition].
--- a/policy/builtin/assignments/asb.bicep
+++ b/policy/builtin/assignments/asb.bicep
@ -12,6 +12,13 @@ targetScope = 'managementGroup'
@description('Management Group scope for the policy assignment.')
 param policyAssignmentManagementGroupId string

+@allowed([
+  'Default'
+  'DoNotEnforce'
+])
+@description('Policy set assignment enforcement mode.  Possible values are { Default, DoNotEnforce }.  Default value:  Default')
+param enforcementMode string = 'Default'
+
 var policyId = '1f3afdf9-d0c9-4c3d-847f-89da613e70a8' // Azure Security Benchmark
 var assignmentName = 'Azure Security Benchmark'

@ -35,7 +42,7 @@ resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2020-03-
    ]
    parameters: {
    }
-    enforcementMode: 'Default'
+    enforcementMode: enforcementMode
  }
  identity: {
    type: 'SystemAssigned'
--- a/policy/builtin/assignments/asb.parameters.json
+++ b/policy/builtin/assignments/asb.parameters.json
@ -4,6 +4,9 @@
    "parameters": {
        "policyAssignmentManagementGroupId": {
            "value": "{{var-topLevelManagementGroupName}}"
+        },
+        "enforcementMode": {
+            "value": "Default"
        }
    }
 }
--- a/policy/builtin/assignments/cis-msft-130.bicep
+++ b/policy/builtin/assignments/cis-msft-130.bicep
@ -12,6 +12,13 @@ targetScope = 'managementGroup'
@description('Management Group scope for the policy assignment.')
 param policyAssignmentManagementGroupId string

+@allowed([
+  'Default'
+  'DoNotEnforce'
+])
+@description('Policy set assignment enforcement mode.  Possible values are { Default, DoNotEnforce }.  Default value:  Default')
+param enforcementMode string = 'Default'
+
@description('Log Analytics Workspace Data Retention in days.')
 param requiredRetentionDays string

@ -59,7 +66,7 @@ resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2020-03-
        value: linuxPythonLatestVersion
      }
    }
-    enforcementMode: 'Default'
+    enforcementMode: enforcementMode
  }
  identity: {
    type: 'SystemAssigned'
--- a/policy/builtin/assignments/cis-msft-130.parameters.json
+++ b/policy/builtin/assignments/cis-msft-130.parameters.json
@ -5,6 +5,9 @@
        "policyAssignmentManagementGroupId": {
            "value": "{{var-topLevelManagementGroupName}}"
        },
+        "enforcementMode": {
+            "value": "Default"
+        },
        "requiredRetentionDays": {
            "value": "{{var-logging-logAnalyticsRetentionInDays}}"
        },
--- a/policy/builtin/assignments/fedramp-moderate.bicep
+++ b/policy/builtin/assignments/fedramp-moderate.bicep
@ -12,6 +12,13 @@ targetScope = 'managementGroup'
@description('Management Group scope for the policy assignment.')
 param policyAssignmentManagementGroupId string

+@allowed([
+  'Default'
+  'DoNotEnforce'
+])
+@description('Policy set assignment enforcement mode.  Possible values are { Default, DoNotEnforce }.  Default value:  Default')
+param enforcementMode string = 'Default'
+
@description('Log Analytics Workspace Data Retention in days.')
 param requiredRetentionDays string

@ -41,7 +48,7 @@ resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2020-03-
        value: requiredRetentionDays
      }
    }
-    enforcementMode: 'Default'
+    enforcementMode: enforcementMode
  }
  identity: {
    type: 'SystemAssigned'
--- a/policy/builtin/assignments/fedramp-moderate.parameters.json
+++ b/policy/builtin/assignments/fedramp-moderate.parameters.json
@ -5,6 +5,9 @@
        "policyAssignmentManagementGroupId": {
            "value": "{{var-topLevelManagementGroupName}}"
        },
+        "enforcementMode": {
+            "value": "Default"
+        },
        "requiredRetentionDays": {
            "value": "{{var-logging-logAnalyticsRetentionInDays}}"
        }
--- a/policy/builtin/assignments/hitrust-hipaa.bicep
+++ b/policy/builtin/assignments/hitrust-hipaa.bicep
@ -12,6 +12,13 @@ targetScope = 'managementGroup'
@description('Management Group scope for the policy assignment.')
 param policyAssignmentManagementGroupId string

+@allowed([
+  'Default'
+  'DoNotEnforce'
+])
+@description('Policy set assignment enforcement mode.  Possible values are { Default, DoNotEnforce }.  Default value:  Default')
+param enforcementMode string = 'Default'
+
@description('A semicolon-separated list of the names of the applications that should be installed. e.g. \'Microsoft SQL Server 2014 (64-bit); Microsoft Visual Studio Code\' or \'Microsoft SQL Server 2014*\' (to match any application starting with \'Microsoft SQL Server 2014\')')
 param installedApplicationsOnWindowsVM string

@ -68,7 +75,7 @@ resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2020-03-
        value: certificateThumbprints
      }
    }
-    enforcementMode: 'Default'
+    enforcementMode: enforcementMode
  }
  identity: {
    type: 'SystemAssigned'
--- a/policy/builtin/assignments/hitrust-hipaa.parameters.json
+++ b/policy/builtin/assignments/hitrust-hipaa.parameters.json
@ -5,6 +5,9 @@
        "policyAssignmentManagementGroupId": {
            "value": "{{var-topLevelManagementGroupName}}"
        },
+        "enforcementMode": {
+            "value": "Default"
+        },
        "deployDiagnosticSettingsforNetworkSecurityGroupsStoragePrefix": {
            "value": "{{var-logging-diagnosticSettingsforNetworkSecurityGroupsStoragePrefix}}"
        },
--- a/policy/builtin/assignments/location.bicep
+++ b/policy/builtin/assignments/location.bicep
@ -12,6 +12,13 @@ targetScope = 'managementGroup'
@description('Management Group scope for the policy assignment.')
 param policyAssignmentManagementGroupId string

+@allowed([
+  'Default'
+  'DoNotEnforce'
+])
+@description('Policy set assignment enforcement mode.  Possible values are { Default, DoNotEnforce }.  Default value:  Default')
+param enforcementMode string = 'Default'
+
@description('An array of allowed Azure Regions.')
 param allowedLocations array

@ -36,7 +43,7 @@ resource rgLocationAssignment 'Microsoft.Authorization/policyAssignments@2020-03
        value: allowedLocations
      }
    }
-    enforcementMode: 'Default'
+    enforcementMode: enforcementMode
  }
  location: deployment().location
 }
@ -53,7 +60,7 @@ resource resourceLocationAssignment 'Microsoft.Authorization/policyAssignments@2
        value: allowedLocations
      }
    }
-    enforcementMode: 'Default'
+    enforcementMode: enforcementMode
  }
  location: deployment().location
 }
--- a/policy/builtin/assignments/location.parameters.json
+++ b/policy/builtin/assignments/location.parameters.json
@ -5,6 +5,9 @@
        "policyAssignmentManagementGroupId": {
            "value": "{{var-topLevelManagementGroupName}}"
        },
+        "enforcementMode": {
+            "value": "Default"
+        },
        "allowedLocations": {
            "value": [
                "canadacentral",
--- a/policy/builtin/assignments/nist80053r4.bicep
+++ b/policy/builtin/assignments/nist80053r4.bicep
@ -12,6 +12,13 @@ targetScope = 'managementGroup'
@description('Management Group scope for the policy assignment.')
 param policyAssignmentManagementGroupId string

+@allowed([
+  'Default'
+  'DoNotEnforce'
+])
+@description('Policy set assignment enforcement mode.  Possible values are { Default, DoNotEnforce }.  Default value:  Default')
+param enforcementMode string = 'Default'
+
@description('Log Analytics Resource Id to integrate Microsoft Defender for Cloud.')
 param logAnalyticsWorkspaceId string

@ -53,7 +60,7 @@ resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2020-03-
        value: listOfMembersToIncludeInWindowsVMAdministratorsGroup
       }
    }
-    enforcementMode: 'Default'
+    enforcementMode: enforcementMode
  }
  identity: {
    type: 'SystemAssigned'
--- a/policy/builtin/assignments/nist80053r4.parameters.json
+++ b/policy/builtin/assignments/nist80053r4.parameters.json
@ -5,6 +5,9 @@
        "policyAssignmentManagementGroupId": {
            "value": "{{var-topLevelManagementGroupName}}"
        },
+        "enforcementMode": {
+            "value": "Default"
+        },
        "logAnalyticsWorkspaceId": {
            "value": "{{var-logging-logAnalyticsWorkspaceId}}"
        },
--- a/policy/builtin/assignments/nist80053r5.bicep
+++ b/policy/builtin/assignments/nist80053r5.bicep
@ -12,6 +12,13 @@ targetScope = 'managementGroup'
@description('Management Group scope for the policy assignment.')
 param policyAssignmentManagementGroupId string

+@allowed([
+  'Default'
+  'DoNotEnforce'
+])
+@description('Policy set assignment enforcement mode.  Possible values are { Default, DoNotEnforce }.  Default value:  Default')
+param enforcementMode string = 'Default'
+
@description('Log Analytics Workspace Data Retention in days.')
 param requiredRetentionDays string

@ -41,7 +48,7 @@ resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2020-03-
        value: requiredRetentionDays
      }
    }
-    enforcementMode: 'Default'
+    enforcementMode: enforcementMode
  }
  identity: {
    type: 'SystemAssigned'
--- a/policy/builtin/assignments/nist80053r5.parameters.json
+++ b/policy/builtin/assignments/nist80053r5.parameters.json
@ -5,6 +5,9 @@
        "policyAssignmentManagementGroupId": {
            "value": "{{var-topLevelManagementGroupName}}"
        },
+        "enforcementMode": {
+            "value": "Default"
+        },
        "requiredRetentionDays": {
            "value": "{{var-logging-logAnalyticsRetentionInDays}}"
        }
--- a/policy/builtin/assignments/pbmm.bicep
+++ b/policy/builtin/assignments/pbmm.bicep
@ -12,6 +12,13 @@ targetScope = 'managementGroup'
@description('Management Group scope for the policy assignment.')
 param policyAssignmentManagementGroupId string

+@allowed([
+  'Default'
+  'DoNotEnforce'
+])
+@description('Policy set assignment enforcement mode.  Possible values are { Default, DoNotEnforce }.  Default value:  Default')
+param enforcementMode string = 'Default'
+
@description('Log Analytics Resource Id to integrate Microsoft Defender for Cloud.')
 param logAnalyticsWorkspaceId string

@ -53,7 +60,7 @@ resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2020-03-
        value: listOfMembersToIncludeInWindowsVMAdministratorsGroup
       }
    }
-    enforcementMode: 'Default'
+    enforcementMode: enforcementMode
  }
  identity: {
    type: 'SystemAssigned'
--- a/policy/builtin/assignments/pbmm.parameters.json
+++ b/policy/builtin/assignments/pbmm.parameters.json
@ -5,6 +5,9 @@
        "policyAssignmentManagementGroupId": {
            "value": "{{var-topLevelManagementGroupName}}"
        },
+        "enforcementMode": {
+            "value": "Default"
+        },
        "logAnalyticsWorkspaceId": {
            "value": "{{var-logging-logAnalyticsWorkspaceId}}"
        },
--- a/policy/custom/assignments/AKS.bicep
+++ b/policy/custom/assignments/AKS.bicep
@ -15,6 +15,13 @@ param policyDefinitionManagementGroupId string
@description('Management Group scope for the policy assignment.')
 param policyAssignmentManagementGroupId string

+@allowed([
+  'Default'
+  'DoNotEnforce'
+])
+@description('Policy set assignment enforcement mode.  Possible values are { Default, DoNotEnforce }.  Default value:  Default')
+param enforcementMode string = 'Default'
+
 var policyId = 'custom-aks'
 var assignmentName = 'Custom - Azure Kubernetes Service'

@ -36,7 +43,7 @@ resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2020-03-
    scope: scope
    notScopes: []
    parameters: {}
-    enforcementMode: 'Default'
+    enforcementMode: enforcementMode
  }
  identity: {
    type: 'SystemAssigned'
@ -52,7 +59,7 @@ resource podSecurityRestrictedStandardsPolicySetAssignment 'Microsoft.Authorizat
    scope: scope
    notScopes: []
    parameters: {}
-    enforcementMode: 'Default'
+    enforcementMode: enforcementMode
  }
  identity: {
    type: 'SystemAssigned'
@ -68,7 +75,7 @@ resource podSecurityBaselineStandardsPolicySetAssignment 'Microsoft.Authorizatio
    scope: scope
    notScopes: []
    parameters: {}
-    enforcementMode: 'Default'
+    enforcementMode: enforcementMode
  }
  identity: {
    type: 'SystemAssigned'
--- a/policy/custom/assignments/AKS.parameters.json
+++ b/policy/custom/assignments/AKS.parameters.json
@ -7,6 +7,9 @@
        },
        "policyAssignmentManagementGroupId": {
            "value": "{{var-topLevelManagementGroupName}}"
+        },
+        "enforcementMode": {
+            "value": "Default"
        }
    }
 }
--- a/policy/custom/assignments/DDoS.bicep
+++ b/policy/custom/assignments/DDoS.bicep
@ -15,6 +15,13 @@ param policyDefinitionManagementGroupId string
@description('Management Group scope for the policy assignment.')
 param policyAssignmentManagementGroupId string

+@allowed([
+  'Default'
+  'DoNotEnforce'
+])
+@description('Policy set assignment enforcement mode.  Possible values are { Default, DoNotEnforce }.  Default value:  Default')
+param enforcementMode string = 'Default'
+
@description('Azure DDOS Standard Plan Resource Id.')
 param ddosStandardPlanId string

@ -43,7 +50,7 @@ resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2020-03-
        value: ddosStandardPlanId
      }
    }
-    enforcementMode: 'Default'
+    enforcementMode: enforcementMode
  }
  identity: {
    type: 'SystemAssigned'
--- a/policy/custom/assignments/DDoS.parameters.json
+++ b/policy/custom/assignments/DDoS.parameters.json
@ -8,6 +8,9 @@
        "policyAssignmentManagementGroupId": {
            "value": "{{var-topLevelManagementGroupName}}"
        },
+        "enforcementMode": {
+            "value": "Default"
+        },
        "ddosStandardPlanId": {
            "value": "{{var-hubnetworking-ddosStandardPlanId}}"
        }
--- a/policy/custom/assignments/DNSPrivateEndpoints.bicep
+++ b/policy/custom/assignments/DNSPrivateEndpoints.bicep
@ -15,6 +15,13 @@ param policyDefinitionManagementGroupId string
@description('Management Group scope for the policy assignment.')
 param policyAssignmentManagementGroupId string

+@allowed([
+  'Default'
+  'DoNotEnforce'
+])
+@description('Policy set assignment enforcement mode.  Possible values are { Default, DoNotEnforce }.  Default value:  Default')
+param enforcementMode string = 'Default'
+
@description('Private DNS Zone Subscription Id')
 param privateDNSZoneSubscriptionId string

@ -53,7 +60,7 @@ resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2020-03-
        value: privateDNSZoneResourceGroupName
      }
    }
-    enforcementMode: 'Default'
+    enforcementMode: enforcementMode
  }
  identity: {
    type: 'SystemAssigned'
--- a/policy/custom/assignments/DNSPrivateEndpoints.parameters.json
+++ b/policy/custom/assignments/DNSPrivateEndpoints.parameters.json
@ -8,6 +8,9 @@
        "policyAssignmentManagementGroupId": {
            "value": "{{var-topLevelManagementGroupName}}"
        },
+        "enforcementMode": {
+            "value": "Default"
+        },
        "privateDNSZoneSubscriptionId": {
            "value": "{{var-hubnetwork-subscriptionId}}"
        },
--- a/policy/custom/assignments/DefenderForCloud.bicep
+++ b/policy/custom/assignments/DefenderForCloud.bicep
@ -15,6 +15,13 @@ param policyDefinitionManagementGroupId string
@description('Management Group scope for the policy assignment.')
 param policyAssignmentManagementGroupId string

+@allowed([
+  'Default'
+  'DoNotEnforce'
+])
+@description('Policy set assignment enforcement mode.  Possible values are { Default, DoNotEnforce }.  Default value:  Default')
+param enforcementMode string = 'Default'
+
 var policyId = 'custom-enable-azure-defender'
 var assignmentName = 'Custom - Microsoft Defender for Cloud'

@ -38,7 +45,7 @@ resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2020-03-
    ]
    parameters: {
    }
-    enforcementMode: 'Default'
+    enforcementMode: enforcementMode
  }
  identity: {
    type: 'SystemAssigned'
--- a/policy/custom/assignments/DefenderForCloud.parameters.json
+++ b/policy/custom/assignments/DefenderForCloud.parameters.json
@ -7,6 +7,9 @@
        },
        "policyAssignmentManagementGroupId": {
            "value": "{{var-topLevelManagementGroupName}}"
+        },
+        "enforcementMode": {
+            "value": "Default"
        }
    }
 }
--- a/policy/custom/assignments/LogAnalytics.bicep
+++ b/policy/custom/assignments/LogAnalytics.bicep
@ -15,6 +15,13 @@ param policyDefinitionManagementGroupId string
@description('Management Group scope for the policy assignment.')
 param policyAssignmentManagementGroupId string

+@allowed([
+  'Default'
+  'DoNotEnforce'
+])
+@description('Policy set assignment enforcement mode.  Possible values are { Default, DoNotEnforce }.  Default value:  Default')
+param enforcementMode string = 'Default'
+
@description('Log Analytics Workspace Resource Id')
 param logAnalyticsResourceId string

@ -50,7 +57,7 @@ resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2020-03-
        value: logAnalyticsWorkspaceId
      }
    }
-    enforcementMode: 'Default'
+    enforcementMode: enforcementMode
  }
  identity: {
    type: 'SystemAssigned'
--- a/policy/custom/assignments/LogAnalytics.parameters.json
+++ b/policy/custom/assignments/LogAnalytics.parameters.json
@ -8,6 +8,9 @@
        "policyAssignmentManagementGroupId": {
            "value": "{{var-topLevelManagementGroupName}}"
        },
+        "enforcementMode": {
+            "value": "Default"
+        },
        "logAnalyticsWorkspaceId": {
            "value": "{{var-logging-logAnalyticsWorkspaceId}}"
        },
--- a/policy/custom/assignments/Network.bicep
+++ b/policy/custom/assignments/Network.bicep
@ -15,6 +15,13 @@ param policyDefinitionManagementGroupId string
@description('Management Group scope for the policy assignment.')
 param policyAssignmentManagementGroupId string

+@allowed([
+  'Default'
+  'DoNotEnforce'
+])
+@description('Policy set assignment enforcement mode.  Possible values are { Default, DoNotEnforce }.  Default value:  Default')
+param enforcementMode string = 'Default'
+
 var policyId = 'custom-network'
 var assignmentName = 'Custom - Network'

@ -36,7 +43,7 @@ resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2020-03-
    scope: scope
    notScopes: []
    parameters: {}
-    enforcementMode: 'Default'
+    enforcementMode: enforcementMode
  }
  identity: {
    type: 'SystemAssigned'
--- a/policy/custom/assignments/Network.parameters.json
+++ b/policy/custom/assignments/Network.parameters.json
@ -7,6 +7,9 @@
        },
        "policyAssignmentManagementGroupId": {
            "value": "{{var-topLevelManagementGroupName}}"
+        },
+        "enforcementMode": {
+            "value": "Default"
        }
    }
 }
--- a/policy/custom/assignments/Tags.bicep
+++ b/policy/custom/assignments/Tags.bicep
@ -15,6 +15,13 @@ param policyDefinitionManagementGroupId string
@description('Management Group scope for the policy assignment.')
 param policyAssignmentManagementGroupId string

+@allowed([
+  'Default'
+  'DoNotEnforce'
+])
+@description('Policy set assignment enforcement mode.  Possible values are { Default, DoNotEnforce }.  Default value:  Default')
+param enforcementMode string = 'Default'
+
 var scope = tenantResourceId('Microsoft.Management/managementGroups', policyAssignmentManagementGroupId)

 // Tags Inherited from Resource Groups
@ -36,7 +43,7 @@ resource rgInheritedPolicySetAssignment 'Microsoft.Authorization/policyAssignmen
    scope: scope
    notScopes: []
    parameters: {}
-    enforcementMode: 'Default'
+    enforcementMode: enforcementMode
  }
  identity: {
    type: 'SystemAssigned'
@ -66,7 +73,7 @@ resource rgRequiredPolicySetAssignment 'Microsoft.Authorization/policyAssignment
    scope: scope
    notScopes: []
    parameters: {}
-    enforcementMode: 'Default'
+    enforcementMode: enforcementMode
  }
  identity: {
    type: 'SystemAssigned'
@ -86,7 +93,7 @@ resource resourcesAuditPolicySetAssignment 'Microsoft.Authorization/policyAssign
    scope: scope
    notScopes: []
    parameters: {}
-    enforcementMode: 'Default'
+    enforcementMode: enforcementMode
  }
  identity: {
    type: 'SystemAssigned'
--- a/policy/custom/assignments/Tags.parameters.json
+++ b/policy/custom/assignments/Tags.parameters.json
@ -7,6 +7,9 @@
        },
        "policyAssignmentManagementGroupId": {
            "value": "{{var-topLevelManagementGroupName}}"
+        },
+        "enforcementMode": {
+            "value": "Default"
        }
    }
 }