Update Library Templates (automated)

2024-11-11 08:01:27 +00:00 · 2024-11-11 08:01:27 +00:00 · 8b2a9badf7
--- a/modules/archetypes/lib/archetype_definitions/archetype_definition_es_landing_zones.tmpl.json
+++ b/modules/archetypes/lib/archetype_definitions/archetype_definition_es_landing_zones.tmpl.json
@ -8,7 +8,6 @@
      "Deny-Privileged-AKS",
      "Deny-Storage-http",
      "Deny-Subnet-Without-Nsg",
-      "Deploy-AKS-Policy",
      "Deploy-AzSqlDb-Auditing",
      "Deploy-MDFC-DefSQL-AMA",
      "Deploy-SQL-TDE",
@ -25,6 +24,7 @@
      "Enforce-AKS-HTTPS",
      "Enforce-ASR",
      "Enforce-GR-KeyVault",
+      "Enforce-Subnet-Private",
      "Enforce-TLS-SSL-H224"
    ],
    "policy_definitions": [],
--- a/modules/archetypes/lib/archetype_definitions/archetype_definition_es_platform.tmpl.json
+++ b/modules/archetypes/lib/archetype_definitions/archetype_definition_es_platform.tmpl.json
@ -11,7 +11,8 @@
      "Deploy-VMSS-Monitoring",
      "Enable-AUM-CheckUpdates",
      "Enforce-ASR",
-      "Enforce-GR-KeyVault"
+      "Enforce-GR-KeyVault",
+      "Enforce-Subnet-Private"
    ],
    "policy_definitions": [],
    "policy_set_definitions": [],
--- a/modules/archetypes/lib/archetype_definitions/archetype_definition_es_root.tmpl.json
+++ b/modules/archetypes/lib/archetype_definitions/archetype_definition_es_root.tmpl.json
@ -9,7 +9,7 @@
      "Deny-UnmanagedDisk",
      "Deploy-ASC-Monitoring",
      "Deploy-AzActivity-Log",
-      "Deploy-Diag-Logs",
+      "Deploy-Diag-LogsCat",
      "Deploy-MDEndpoints",
      "Deploy-MDEndpointsAMA",
      "Deploy-MDFC-Config-H224",
@ -200,6 +200,7 @@
      "Enforce-Guardrails-APIM",
      "Enforce-Guardrails-AppServices",
      "Enforce-Guardrails-Automation",
+      "Enforce-Guardrails-BotService",
      "Enforce-Guardrails-CognitiveServices",
      "Enforce-Guardrails-Compute",
      "Enforce-Guardrails-ContainerApps",
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_diag_logscat.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_diag_logscat.tmpl.json
@ -0,0 +1,28 @@
+{
+  "type": "Microsoft.Authorization/policyAssignments",
+  "apiVersion": "2022-06-01",
+  "name": "Deploy-Diag-LogsCat",
+  "location": "${default_location}",
+  "dependsOn": [],
+  "identity": {
+    "type": "SystemAssigned"
+  },
+  "properties": {
+    "description": "Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This initiative deploys diagnostic setting using the allLogs category group to route logs to an Event Hub for all supported resources.",
+    "displayName": "Enable category group resource logging for supported resources to Log Analytics",
+    "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/f5b29bc4-feca-4cc6-a58a-772dd5e290a5",
+    "enforcementMode": "Default",
+    "nonComplianceMessages": [
+      {
+        "message": "Diagnostic settings {enforcementMode} be deployed to Azure services to forward logs to Log Analytics."
+      }
+    ],
+    "parameters": {
+      "logAnalytics": {
+        "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${root_scope_id}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${root_scope_id}-la"
+      }
+    },
+    "scope": "${current_scope_resource_id}",
+    "notScopes": []
+  }
+}
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json
@ -210,13 +210,13 @@
      "azureStorageTableSecondaryPrivateDnsZoneId": {
        "value": "${private_dns_zone_prefix}privatelink.table.core.windows.net"
      },
-      "azureSiteRecoveryBackupPrivateDnsZoneID": {
+      "azureSiteRecoveryBackupPrivateDnsZoneId": {
        "value": "${private_dns_zone_prefix}privatelink.${connectivity_location_short}.backup.windowsazure.com"
      },
-      "azureSiteRecoveryBlobPrivateDnsZoneID": {
+      "azureSiteRecoveryBlobPrivateDnsZoneId": {
        "value": "${private_dns_zone_prefix}privatelink.blob.core.windows.net"
      },
-      "azureSiteRecoveryQueuePrivateDnsZoneID": {
+      "azureSiteRecoveryQueuePrivateDnsZoneId": {
        "value": "${private_dns_zone_prefix}privatelink.queue.core.windows.net"
      }
    },
--- a/modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_subnet_private.tmpl.json
+++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_subnet_private.tmpl.json
@ -0,0 +1,28 @@
+{
+  "type": "Microsoft.Authorization/policyAssignments",
+  "apiVersion": "2022-06-01",
+  "name": "Enforce-Subnet-Private",
+  "dependsOn": [],
+  "properties": {
+    "description": "Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement",
+    "displayName": "Subnets should be private",
+    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7bca8353-aa3b-429b-904a-9229c4385837",
+    "enforcementMode": "Default",
+    "nonComplianceMessages": [
+      {
+        "message": "Subnets {enforcementMode} be private."
+      }
+    ],
+    "parameters": {
+      "effect": {
+        "value": "Audit"
+      }
+    },
+    "scope": "${current_scope_resource_id}",
+    "notScopes": []
+  },
+  "location": "${default_location}",
+  "identity": {
+    "type": "None"
+  }
+}
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_append_appservice_latesttls.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_append_appservice_latesttls.json
@ -9,7 +9,7 @@
    "displayName": "AppService append sites with minimum TLS version to enforce.",
    "description": "Append the AppService sites object to ensure that min Tls version is set to required minimum TLS version. Please note Append does not enforce compliance use then deny.",
    "metadata": {
-      "version": "1.1.0",
+      "version": "1.2.0",
      "category": "App Service",
      "source": "https://github.com/Azure/Enterprise-Scale/",
      "alzCloudEnvironments": [
@ -35,6 +35,7 @@
        "type": "String",
        "defaultValue": "1.2",
        "allowedValues": [
+          "1.3",
          "1.2",
          "1.0",
          "1.1"
@ -54,7 +55,7 @@
          },
          {
            "field": "Microsoft.Web/sites/config/minTlsVersion",
-            "notEquals": "[parameters('minTlsVersion')]"
+            "less": "[parameters('minTlsVersion')]"
          }
        ]
      },
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_append_redis_sslenforcement.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_append_redis_sslenforcement.json
@ -9,7 +9,7 @@
    "displayName": "Azure Cache for Redis Append a specific min TLS version requirement and enforce TLS.",
    "description": "Append a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce  minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
    "metadata": {
-      "version": "1.0.0",
+      "version": "1.1.0",
      "category": "Cache",
      "source": "https://github.com/Azure/Enterprise-Scale/",
      "alzCloudEnvironments": [
@ -56,7 +56,7 @@
            "anyOf": [
              {
                "field": "Microsoft.Cache/Redis/minimumTlsVersion",
-                "notequals": "[parameters('minimumTlsVersion')]"
+                "less": "[parameters('minimumTlsVersion')]"
              }
            ]
          }
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_eh_mintls.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_eh_mintls.json
@ -9,7 +9,7 @@
    "displayName": "Event Hub namespaces should use a valid TLS version",
    "description": "Event Hub namespaces should use a valid TLS version.",
    "metadata": {
-      "version": "1.0.0",
+      "version": "1.1.0",
      "category": "Event Hub",
      "source": "https://github.com/Azure/Enterprise-Scale/",
      "alzCloudEnvironments": [
@ -52,7 +52,7 @@
            "anyOf": [
              {
                "field": "Microsoft.EventHub/namespaces/minimumTlsVersion",
-                "notEquals": "[parameters('minTlsVersion')]"
+                "less": "[parameters('minTlsVersion')]"
              },
              {
                "field": "Microsoft.EventHub/namespaces/minimumTlsVersion",
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_mysql_http.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_mysql_http.json
@ -9,7 +9,7 @@
    "displayName": "MySQL database servers enforce SSL connections.",
    "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
    "metadata": {
-      "version": "1.0.0",
+      "version": "1.1.0",
      "category": "SQL",
      "source": "https://github.com/Azure/Enterprise-Scale/",
      "alzCloudEnvironments": [
@ -66,7 +66,7 @@
              },
              {
                "field": "Microsoft.DBforMySQL/servers/minimalTlsVersion",
-                "notequals": "[parameters('minimalTlsVersion')]"
+                "less": "[parameters('minimalTlsVersion')]"
              }
            ]
          }
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_redis_http.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_redis_http.json
@ -9,7 +9,7 @@
    "displayName": "Azure Cache for Redis only secure connections should be enabled",
    "description": "Audit enabling of only connections via SSL to Azure Cache for Redis. Validate both minimum TLS version and enableNonSslPort is disabled. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",
    "metadata": {
-      "version": "1.0.0",
+      "version": "1.1.0",
      "category": "Cache",
      "source": "https://github.com/Azure/Enterprise-Scale/",
      "alzCloudEnvironments": [
@ -41,7 +41,7 @@
          "1.0"
        ],
        "metadata": {
-          "displayName": "Select minumum TLS version for Azure Cache for Redis.",
+          "displayName": "Select minimum TLS version for Azure Cache for Redis.",
          "description": "Select minimum TLS version for Azure Cache for Redis."
        }
      }
@ -61,7 +61,7 @@
              },
              {
                "field": "Microsoft.Cache/Redis/minimumTlsVersion",
-                "notequals": "[parameters('minimumTlsVersion')]"
+                "less": "[parameters('minimumTlsVersion')]"
              }
            ]
          }
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_sql_mintls.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_sql_mintls.json
@ -9,7 +9,7 @@
    "displayName": "Azure SQL Database should have the minimal TLS version set to the highest version",
    "description": "Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.",
    "metadata": {
-      "version": "1.0.0",
+      "version": "1.1.0",
      "category": "SQL",
      "source": "https://github.com/Azure/Enterprise-Scale/",
      "alzCloudEnvironments": [
@ -61,7 +61,7 @@
              },
              {
                "field": "Microsoft.Sql/servers/minimalTlsVersion",
-                "notequals": "[parameters('minimalTlsVersion')]"
+                "less": "[parameters('minimalTlsVersion')]"
              }
            ]
          }
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_sqlmi_mintls.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_sqlmi_mintls.json
@ -7,9 +7,9 @@
    "policyType": "Custom",
    "mode": "Indexed",
    "displayName": "SQL Managed Instance should have the minimal TLS version set to the highest version",
-    "description": "Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.",
+    "description": "Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.",
    "metadata": {
-      "version": "1.0.0",
+      "version": "1.1.0",
      "category": "SQL",
      "source": "https://github.com/Azure/Enterprise-Scale/",
      "alzCloudEnvironments": [
@ -61,7 +61,7 @@
              },
              {
                "field": "Microsoft.Sql/managedInstances/minimalTlsVersion",
-                "notequals": "[parameters('minimalTlsVersion')]"
+                "less": "[parameters('minimalTlsVersion')]"
              }
            ]
          }
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_vnet_peer_cross_sub.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_vnet_peer_cross_sub.json
@ -9,7 +9,7 @@
    "displayName": "Deny vNet peering cross subscription.",
    "description": "This policy denies the creation of vNet Peerings outside of the same subscriptions under the assigned scope.",
    "metadata": {
-      "version": "1.0.1",
+      "version": "1.1.0",
      "category": "Network",
      "source": "https://github.com/Azure/Enterprise-Scale/",
      "alzCloudEnvironments": [
@ -31,6 +31,14 @@
          "Disabled"
        ],
        "defaultValue": "Deny"
+      },
+      "allowedVnets": {
+        "type": "Array",
+        "metadata": {
+          "displayName": "Allowed vNets to peer with",
+          "description": "Array of allowed vNets that can be peered with. Must be entered using their resource ID. Example: /subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}"
+        },
+        "defaultValue": []
      }
    },
    "policyRule": {
@ -41,8 +49,16 @@
            "equals": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings"
          },
          {
-            "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id",
-            "notcontains": "[subscription().id]"
+            "allOf": [
+              {
+                "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id",
+                "notIn": "[parameters('allowedVnets')]"
+              },
+              {
+                "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id",
+                "notLike": "[concat(subscription().id, '/*')]"
+              }
+            ]
          }
        ]
      },
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_mysql_sslenforcement.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_mysql_sslenforcement.json
@ -9,7 +9,7 @@
    "displayName": "Azure Database for MySQL server deploy a specific min TLS version and enforce SSL.",
    "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
    "metadata": {
-      "version": "1.1.0",
+      "version": "1.2.0",
      "category": "SQL",
      "source": "https://github.com/Azure/Enterprise-Scale/",
      "alzCloudEnvironments": [
@ -61,7 +61,7 @@
              },
              {
                "field": "Microsoft.DBforMySQL/servers/minimalTlsVersion",
-                "notequals": "[parameters('minimalTlsVersion')]"
+                "less": "[parameters('minimalTlsVersion')]"
              }
            ]
          }
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_postgresql_sslenforcement.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_postgresql_sslenforcement.json
@ -9,7 +9,7 @@
    "displayName": "Azure Database for PostgreSQL server deploy a specific min TLS version requirement and enforce SSL ",
    "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enables secure server to client by enforce  minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
    "metadata": {
-      "version": "1.1.0",
+      "version": "1.2.0",
      "category": "SQL",
      "source": "https://github.com/Azure/Enterprise-Scale/",
      "alzCloudEnvironments": [
@ -61,7 +61,7 @@
              },
              {
                "field": "Microsoft.DBforPostgreSQL/servers/minimalTlsVersion",
-                "notEquals": "[parameters('minimalTlsVersion')]"
+                "less": "[parameters('minimalTlsVersion')]"
              }
            ]
          }
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_private_dns_generic.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_private_dns_generic.json
@ -9,7 +9,7 @@
    "displayName": "Deploy-Private-DNS-Generic",
    "description": "Configure private DNS zone group to override the DNS resolution for PaaS services private endpoint. See https://aka.ms/pepdnszones for information on values to provide to parameters in this policy.",
    "metadata": {
-      "version": "1.0.0",
+      "version": "2.0.0",
      "category": "Networking",
      "source": "https://github.com/Azure/Enterprise-Scale/",
      "alzCloudEnvironments": [
@ -34,8 +34,8 @@
      "privateDnsZoneId": {
        "type": "String",
        "metadata": {
-          "displayName": "Private DNS Zone ID for Paas services",
-          "description": "The private DNS zone name required for specific Paas Services to resolve a private DNS Zone.",
+          "displayName": "Private DNS Zone ID for PaaS services",
+          "description": "The private DNS zone name required for specific PaaS Services to resolve a private DNS Zone.",
          "strongType": "Microsoft.Network/privateDnsZones",
          "assignPermissions": true
        }
@ -61,11 +61,24 @@
          "description": "The delay in evaluation of the policy. Review delay options at https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-deploy-if-not-exists"
        },
        "defaultValue": "PT10M"
+      },
+      "location": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Location (Specify the Private Endpoint location)",
+          "description": "Specify the Private Endpoint location",
+          "strongType": "location"
+        },
+        "defaultValue": "northeurope"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
+          {
+            "field": "location",
+            "equals": "[parameters('location')]"
+          },
          {
            "field": "type",
            "equals": "Microsoft.Network/privateEndpoints"
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_sql_mintls.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_sql_mintls.json
@ -9,7 +9,7 @@
    "displayName": "SQL servers deploys a specific min TLS version requirement.",
    "description": "Deploys a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce  minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
    "metadata": {
-      "version": "1.1.0",
+      "version": "1.2.0",
      "category": "SQL",
      "source": "https://github.com/Azure/Enterprise-Scale/",
      "alzCloudEnvironments": [
@ -54,7 +54,7 @@
          },
          {
            "field": "Microsoft.Sql/servers/minimalTlsVersion",
-            "notequals": "[parameters('minimalTlsVersion')]"
+            "less": "[parameters('minimalTlsVersion')]"
          }
        ]
      },
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_sqlmi_mintls.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_sqlmi_mintls.json
@ -9,7 +9,7 @@
    "displayName": "SQL managed instances deploy a specific min TLS version requirement.",
    "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL managed instances. Enables secure server to client by enforce  minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
    "metadata": {
-      "version": "1.2.0",
+      "version": "1.3.0",
      "category": "SQL",
      "source": "https://github.com/Azure/Enterprise-Scale/",
      "alzCloudEnvironments": [
@ -54,7 +54,7 @@
          },
          {
            "field": "Microsoft.Sql/managedInstances/minimalTlsVersion",
-            "notequals": "[parameters('minimalTlsVersion')]"
+            "less": "[parameters('minimalTlsVersion')]"
          }
        ]
      },
--- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_storage_sslenforcement.json
+++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_storage_sslenforcement.json
@ -9,7 +9,7 @@
    "displayName": "Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS ",
    "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Storage. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your Azure Storage.",
    "metadata": {
-      "version": "1.2.0",
+      "version": "1.3.0",
      "category": "Storage",
      "source": "https://github.com/Azure/Enterprise-Scale/",
      "alzCloudEnvironments": [
@ -60,7 +60,7 @@
              },
              {
                "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
-                "notEquals": "[parameters('minimumTlsVersion')]"
+                "less": "[parameters('minimumTlsVersion')]"
              }
            ]
          }
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config_20240319.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config_20240319.tmpl.json
@ -8,7 +8,7 @@
    "displayName": "Deploy Microsoft Defender for Cloud configuration",
    "description": "Deploy Microsoft Defender for Cloud configuration",
    "metadata": {
-      "version": "1.0.0",
+      "version": "2.1.0",
      "category": "Security Center",
      "source": "https://github.com/Azure/Enterprise-Scale/",
      "replacesPolicy": "Deploy-MDFC-Config",
@ -59,6 +59,18 @@
          "description": "The location where the resource group and the export to Log Analytics workspace configuration are created."
        }
      },
+      "createResourceGroup": {
+        "type": "Boolean",
+        "metadata": {
+          "displayName": "Create resource group",
+          "description": "If a resource group does not exists in the scope, a new resource group will be created. If the resource group exists and this flag is set to 'true' the policy will re-deploy the resource group. Please note this will reset any Azure Tag on the resource group."
+        },
+        "defaultValue": true,
+        "allowedValues": [
+          true,
+          false
+        ]
+      },
      "enableAscForCosmosDbs": {
        "type": "String",
        "allowedValues": [
@ -355,7 +367,7 @@
      },
      {
        "policyDefinitionReferenceId": "defenderForCspm",
-        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd",
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/72f8cee7-2937-403d-84a1-a4e3e57f3c21",
        "parameters": {
          "effect": {
            "value": "[parameters('enableAscForCspm')]"
@ -386,6 +398,9 @@
          "resourceGroupLocation": {
            "value": "[parameters('ascExportResourceGroupLocation')]"
          },
+          "createResourceGroup": {
+            "value": "[parameters('createResourceGroup')]"
+          },
          "workspaceResourceId": {
            "value": "[parameters('logAnalytics')]"
          }
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_private_dns_zones.tmpl.json
@ -8,7 +8,7 @@
    "displayName": "Configure Azure PaaS services to use private DNS zones",
    "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones",
    "metadata": {
-      "version": "2.2.0",
+      "version": "2.3.0",
      "category": "Network",
      "source": "https://github.com/Azure/Enterprise-Scale/",
      "alzCloudEnvironments": [
@ -16,6 +16,184 @@
      ]
    },
    "parameters": {
+      "dnsZoneSubscriptionId": {
+        "type": "string",
+        "defaultValue": "",
+        "metadata": {
+          "displayName": "Subscription Id",
+          "description": "The subscription id where the private DNS zones are deployed. If this is specified, it will override any individual private DNS zone resource ids specified."
+        }
+      },
+      "dnsZoneResourceGroupName": {
+        "type": "string",
+        "defaultValue": "",
+        "metadata": {
+          "displayName": "Resource Group Name",
+          "description": "The resource group where the private DNS zones are deployed. If this is specified, it will override any individual private DNS zone resource ids specified."
+        }
+      },
+      "dnsZoneResourceType": {
+        "type": "string",
+        "defaultValue": "Microsoft.Network/privateDnsZones",
+        "metadata": {
+          "displayName": "Resource Type",
+          "description": "The resource type where the private DNS zones are deployed. If this is specified, it will override any individual private DNS zone resource ids specified."
+        }
+      },
+      "dnsZoneRegion": {
+        "type": "string",
+        "defaultValue": "changeme",
+        "metadata": {
+          "displayName": "Region",
+          "description": "The region where the private DNS zones are deployed. If this is specified, it will override any individual private DNS zone resource ids specified."
+        }
+      },
+      "dnzZoneRegionShortNames": {
+        "type": "object",
+        "defaultValue": {
+          "changeme": "changeme",
+          "australiacentral": "acl",
+          "australiacentral2": "acl2",
+          "australiaeast": "ae",
+          "australiasoutheast": "ase",
+          "brazilsoutheast": "bse",
+          "brazilsouth": "brs",
+          "canadacentral": "cnc",
+          "canadaeast": "cne",
+          "centralindia": "inc",
+          "centralus": "cus",
+          "centraluseuap": "ccy",
+          "chilecentral": "clc",
+          "eastasia": "ea",
+          "eastus": "eus",
+          "eastus2": "eus2",
+          "eastus2euap": "ecy",
+          "francecentral": "frc",
+          "francesouth": "frs",
+          "germanynorth": "gn",
+          "germanywestcentral": "gwc",
+          "israelcentral": "ilc",
+          "italynorth": "itn",
+          "japaneast": "jpe",
+          "japanwest": "jpw",
+          "koreacentral": "krc",
+          "koreasouth": "krs",
+          "malaysiasouth": "mys",
+          "malaysiawest": "myw",
+          "mexicocentral": "mxc",
+          "newzealandnorth": "nzn",
+          "northcentralus": "ncus",
+          "northeurope": "ne",
+          "norwayeast": "nwe",
+          "norwaywest": "nww",
+          "polandcentral": "plc",
+          "qatarcentral": "qac",
+          "southafricanorth": "san",
+          "southafricawest": "saw",
+          "southcentralus": "scus",
+          "southeastasia": "sea",
+          "southindia": "ins",
+          "spaincentral": "spc",
+          "swedencentral": "sdc",
+          "swedensouth": "sds",
+          "switzerlandnorth": "szn",
+          "switzerlandwest": "szw",
+          "taiwannorth": "twn",
+          "uaecentral": "uac",
+          "uaenorth": "uan",
+          "uksouth": "uks",
+          "ukwest": "ukw",
+          "westcentralus": "wcus",
+          "westeurope": "we",
+          "westindia": "inw",
+          "westus": "wus",
+          "westus2": "wus2",
+          "westus3": "wus3"
+        },
+        "metadata": {
+          "displayName": "Region Short Name Mapping",
+          "description": "Mapping of region to private DNS zone resource id. If the region is not specified, the default private DNS zone resource id will be used."
+        }
+      },
+      "dnsZoneNames": {
+        "type": "object",
+        "defaultValue": {
+          "azureAcrPrivateDnsZoneId": "privatelink.azurecr.io",
+          "azureAcrDataPrivateDnsZoneId": "{regionName}.data.privatelink.azurecr.io",
+          "azureAppPrivateDnsZoneId": "privatelink.azconfig.io",
+          "azureAppServicesPrivateDnsZoneId": "privatelink.azurewebsites.net",
+          "azureArcGuestconfigurationPrivateDnsZoneId": "privatelink.guestconfiguration.azure.com",
+          "azureArcHybridResourceProviderPrivateDnsZoneId": "privatelink.his.arc.azure.com",
+          "azureArcKubernetesConfigurationPrivateDnsZoneId": "privatelink.dp.kubernetesconfiguration.azure.com",
+          "azureAsrPrivateDnsZoneId": "privatelink.siterecovery.windowsazure.com",
+          "azureAutomationDSCHybridPrivateDnsZoneId": "privatelink.azure-automation.net",
+          "azureAutomationWebhookPrivateDnsZoneId": "privatelink.azure-automation.net",
+          "azureBatchPrivateDnsZoneId": "privatelink.batch.azure.com",
+          "azureBotServicePrivateDnsZoneId": "privatelink.directline.botframework.com",
+          "azureCognitiveSearchPrivateDnsZoneId": "privatelink.search.windows.net",
+          "azureCognitiveServicesPrivateDnsZoneId": "privatelink.cognitiveservices.azure.com",
+          "azureCosmosCassandraPrivateDnsZoneId": "privatelink.cassandra.cosmos.azure.com",
+          "azureCosmosGremlinPrivateDnsZoneId": "privatelink.gremlin.cosmos.azure.com",
+          "azureCosmosMongoPrivateDnsZoneId": "privatelink.mongo.cosmos.azure.com",
+          "azureCosmosSQLPrivateDnsZoneId": "privatelink.documents.azure.com",
+          "azureCosmosTablePrivateDnsZoneId": "privatelink.table.cosmos.azure.com",
+          "azureDataExplorerPrivateDnsZoneId": "privatelink.{regionName}.kusto.windows.net",
+          "azureDataFactoryPortalPrivateDnsZoneId": "privatelink.adf.azure.com",
+          "azureDataFactoryPrivateDnsZoneId": "privatelink.datafactory.azure.net",
+          "azureDatabricksPrivateDnsZoneId": "privatelink.azuredatabricks.net",
+          "azureDiskAccessPrivateDnsZoneId": "privatelink.blob.core.windows.net",
+          "azureEventGridDomainsPrivateDnsZoneId": "privatelink.eventgrid.azure.net",
+          "azureEventGridTopicsPrivateDnsZoneId": "privatelink.eventgrid.azure.net",
+          "azureEventHubNamespacePrivateDnsZoneId": "privatelink.servicebus.windows.net",
+          "azureFilePrivateDnsZoneId": "privatelink.afs.azure.net",
+          "azureHDInsightPrivateDnsZoneId": "privatelink.azurehdinsight.net",
+          "azureIotCentralPrivateDnsZoneId": "privatelink.azureiotcentral.com",
+          "azureIotDeviceupdatePrivateDnsZoneId": "privatelink.azure-devices.net",
+          "azureIotHubsPrivateDnsZoneId": "privatelink.azure-devices.net",
+          "azureIotPrivateDnsZoneId": "privatelink.azure-devices-provisioning.net",
+          "azureKeyVaultPrivateDnsZoneId": "privatelink.vaultcore.azure.net",
+          "azureKubernetesManagementPrivateDnsZoneId": "privatelink.{regionName}.azmk8s.io",
+          "azureMachineLearningWorkspacePrivateDnsZoneId": "privatelink.api.azureml.ms",
+          "azureMachineLearningWorkspaceSecondPrivateDnsZoneId": "privatelink.notebooks.azure.net",
+          "azureManagedGrafanaWorkspacePrivateDnsZoneId": "privatelink.grafana.azure.com",
+          "azureMediaServicesKeyPrivateDnsZoneId": "privatelink.media.azure.net",
+          "azureMediaServicesLivePrivateDnsZoneId": "privatelink.media.azure.net",
+          "azureMediaServicesStreamPrivateDnsZoneId": "privatelink.media.azure.net",
+          "azureMigratePrivateDnsZoneId": "privatelink.prod.migration.windowsazure.com",
+          "azureMonitorPrivateDnsZoneId1": "privatelink.monitor.azure.com",
+          "azureMonitorPrivateDnsZoneId2": "privatelink.oms.opinsights.azure.com",
+          "azureMonitorPrivateDnsZoneId3": "privatelink.ods.opinsights.azure.com",
+          "azureMonitorPrivateDnsZoneId4": "privatelink.agentsvc.azure-automation.net",
+          "azureMonitorPrivateDnsZoneId5": "privatelink.blob.core.windows.net",
+          "azureRedisCachePrivateDnsZoneId": "privatelink.redis.cache.windows.net",
+          "azureServiceBusNamespacePrivateDnsZoneId": "privatelink.servicebus.windows.net",
+          "azureSignalRPrivateDnsZoneId": "privatelink.service.signalr.net",
+          "azureSiteRecoveryBackupPrivateDnsZoneId": "privatelink.{regionCode}.backup.windowsazure.com",
+          "azureSiteRecoveryBlobPrivateDnsZoneId": "privatelink.blob.core.windows.net",
+          "azureSiteRecoveryQueuePrivateDnsZoneId": "privatelink.queue.core.windows.net",
+          "azureStorageBlobPrivateDnsZoneId": "privatelink.blob.core.windows.net",
+          "azureStorageBlobSecPrivateDnsZoneId": "privatelink.blob.core.windows.net",
+          "azureStorageDFSPrivateDnsZoneId": "privatelink.dfs.core.windows.net",
+          "azureStorageDFSSecPrivateDnsZoneId": "privatelink.dfs.core.windows.net",
+          "azureStorageFilePrivateDnsZoneId": "privatelink.file.core.windows.net",
+          "azureStorageQueuePrivateDnsZoneId": "privatelink.queue.core.windows.net",
+          "azureStorageQueueSecPrivateDnsZoneId": "privatelink.queue.core.windows.net",
+          "azureStorageStaticWebPrivateDnsZoneId": "privatelink.web.core.windows.net",
+          "azureStorageStaticWebSecPrivateDnsZoneId": "privatelink.web.core.windows.net",
+          "azureStorageTablePrivateDnsZoneId": "privatelink.table.core.windows.net",
+          "azureStorageTableSecondaryPrivateDnsZoneId": "privatelink.table.core.windows.net",
+          "azureSynapseDevPrivateDnsZoneId": "privatelink.dev.azuresynapse.net",
+          "azureSynapseSQLPrivateDnsZoneId": "privatelink.sql.azuresynapse.net",
+          "azureSynapseSQLODPrivateDnsZoneId": "privatelink.sql.azuresynapse.net",
+          "azureVirtualDesktopHostpoolPrivateDnsZoneId": "privatelink.wvd.microsoft.com",
+          "azureVirtualDesktopWorkspacePrivateDnsZoneId": "privatelink.wvd.microsoft.com",
+          "azureWebPrivateDnsZoneId": "privatelink.webpubsub.azure.com"
+        },
+        "metadata": {
+          "displayName": "DNS Zone Names",
+          "description": "The list of private DNS zone names to be used for the Azure PaaS services."
+        }
+      },
      "azureFilePrivateDnsZoneId": {
        "type": "string",
        "defaultValue": "",
@ -592,29 +770,29 @@
          "description": "Private DNS Zone Identifier"
        }
      },
-      "azureSiteRecoveryBackupPrivateDnsZoneID": {
+      "azureSiteRecoveryBackupPrivateDnsZoneId": {
        "type": "string",
        "defaultValue": "",
        "metadata": {
-          "displayName": "azureSiteRecoveryBackupPrivateDnsZoneID",
+          "displayName": "azureSiteRecoveryBackupPrivateDnsZoneId",
          "strongType": "Microsoft.Network/privateDnsZones",
          "description": "Private DNS Zone Identifier"
        }
      },
-      "azureSiteRecoveryBlobPrivateDnsZoneID": {
+      "azureSiteRecoveryBlobPrivateDnsZoneId": {
        "type": "string",
        "defaultValue": "",
        "metadata": {
-          "displayName": "azureSiteRecoveryBlobPrivateDnsZoneID",
+          "displayName": "azureSiteRecoveryBlobPrivateDnsZoneId",
          "strongType": "Microsoft.Network/privateDnsZones",
          "description": "Private DNS Zone Identifier"
        }
      },
-      "azureSiteRecoveryQueuePrivateDnsZoneID": {
+      "azureSiteRecoveryQueuePrivateDnsZoneId": {
        "type": "string",
        "defaultValue": "",
        "metadata": {
-          "displayName": "azureSiteRecoveryQueuePrivateDnsZoneID",
+          "displayName": "azureSiteRecoveryQueuePrivateDnsZoneId",
          "strongType": "Microsoft.Network/privateDnsZones",
          "description": "Private DNS Zone Identifier"
        }
@ -650,7 +828,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureFilePrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureFilePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureFilePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "effect": {
            "value": "[parameters('effect')]"
@ -663,7 +841,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureAutomationWebhookPrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAutomationWebhookPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAutomationWebhookPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "privateEndpointGroupId": {
            "value": "Webhook"
@ -679,7 +857,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureAutomationDSCHybridPrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAutomationDSCHybridPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAutomationDSCHybridPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "privateEndpointGroupId": {
            "value": "DSCAndHybridWorker"
@ -695,7 +873,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureCosmosSQLPrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosSQLPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosSQLPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "privateEndpointGroupId": {
            "value": "SQL"
@ -711,7 +889,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureCosmosMongoPrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosMongoPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosMongoPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "privateEndpointGroupId": {
            "value": "MongoDB"
@ -727,7 +905,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureCosmosCassandraPrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosCassandraPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosCassandraPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "privateEndpointGroupId": {
            "value": "Cassandra"
@ -743,7 +921,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureCosmosGremlinPrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosGremlinPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosGremlinPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "privateEndpointGroupId": {
            "value": "Gremlin"
@ -759,7 +937,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureCosmosTablePrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosTablePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosTablePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "privateEndpointGroupId": {
            "value": "Table"
@ -775,7 +953,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureDataFactoryPrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDataFactoryPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDataFactoryPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "listOfGroupIds": {
            "value": [
@ -793,7 +971,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureDataFactoryPortalPrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDataFactoryPortalPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDataFactoryPortalPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "listOfGroupIds": {
            "value": [
@ -811,7 +989,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureDatabricksPrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDatabricksPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDatabricksPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "groupId": {
            "value": "databricks_ui_api"
@ -827,7 +1005,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureDatabricksPrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDatabricksPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDatabricksPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "groupId": {
            "value": "browser_authentication"
@ -843,7 +1021,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureHDInsightPrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureHDInsightPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureHDInsightPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "groupId": {
            "value": "cluster"
@ -859,7 +1037,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7590a335-57cf-4c95-babd-ecbc8fafeb1f",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureMigratePrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMigratePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMigratePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "effect": {
            "value": "[parameters('effect')]"
@ -872,7 +1050,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureStorageBlobPrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageBlobPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageBlobPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "effect": {
            "value": "[parameters('effect')]"
@ -885,7 +1063,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureStorageBlobSecPrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageBlobSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageBlobSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "effect": {
            "value": "[parameters('effect')]"
@ -898,7 +1076,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureStorageQueuePrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageQueuePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageQueuePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "effect": {
            "value": "[parameters('effect')]"
@ -911,7 +1089,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureStorageQueueSecPrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageQueueSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageQueueSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "effect": {
            "value": "[parameters('effect')]"
@ -924,7 +1102,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureStorageFilePrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageFilePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageFilePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "effect": {
            "value": "[parameters('effect')]"
@ -937,7 +1115,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureStorageStaticWebPrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageStaticWebPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageStaticWebPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "effect": {
            "value": "[parameters('effect')]"
@ -950,7 +1128,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureStorageStaticWebSecPrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageStaticWebSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageStaticWebSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "effect": {
            "value": "[parameters('effect')]"
@ -963,7 +1141,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureStorageDFSPrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageDFSPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageDFSPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "effect": {
            "value": "[parameters('effect')]"
@ -976,7 +1154,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureStorageDFSSecPrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageDFSSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageDFSSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "effect": {
            "value": "[parameters('effect')]"
@ -989,7 +1167,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureSynapseSQLPrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSynapseSQLPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSynapseSQLPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "targetSubResource": {
            "value": "Sql"
@ -1005,7 +1183,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureSynapseSQLODPrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSynapseSQLODPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSynapseSQLODPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "targetSubResource": {
            "value": "SqlOnDemand"
@ -1021,7 +1199,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureSynapseDevPrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSynapseDevPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSynapseDevPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "targetSubResource": {
            "value": "Dev"
@ -1037,7 +1215,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureMediaServicesKeyPrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMediaServicesKeyPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMediaServicesKeyPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "groupId": {
            "value": "keydelivery"
@ -1053,7 +1231,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureMediaServicesLivePrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMediaServicesLivePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMediaServicesLivePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "groupId": {
            "value": "liveevent"
@ -1069,7 +1247,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureMediaServicesStreamPrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMediaServicesStreamPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMediaServicesStreamPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "groupId": {
            "value": "streamingendpoint"
@ -1085,19 +1263,19 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365",
        "parameters": {
          "privateDnsZoneId1": {
-            "value": "[parameters('azureMonitorPrivateDnsZoneId1')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId1'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId1, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "privateDnsZoneId2": {
-            "value": "[parameters('azureMonitorPrivateDnsZoneId2')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId2'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId2, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "privateDnsZoneId3": {
-            "value": "[parameters('azureMonitorPrivateDnsZoneId3')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId3'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId3, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "privateDnsZoneId4": {
-            "value": "[parameters('azureMonitorPrivateDnsZoneId4')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId4'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId4, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "privateDnsZoneId5": {
-            "value": "[parameters('azureMonitorPrivateDnsZoneId5')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId5'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId5, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "effect": {
            "value": "[parameters('effect')]"
@ -1110,7 +1288,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureWebPrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureWebPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureWebPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "effect": {
            "value": "[parameters('effect')]"
@ -1123,7 +1301,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureBatchPrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureBatchPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureBatchPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "effect": {
            "value": "[parameters('effect')]"
@ -1136,7 +1314,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureAppPrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAppPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAppPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "effect": {
            "value": "[parameters('effect')]"
@ -1149,7 +1327,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureAsrPrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAsrPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAsrPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "effect": {
            "value": "[parameters('effect')]"
@ -1162,7 +1340,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureIotPrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "effect": {
            "value": "[parameters('effect')]"
@ -1175,7 +1353,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureKeyVaultPrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureKeyVaultPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureKeyVaultPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "effect": {
            "value": "[parameters('effect')]"
@ -1188,7 +1366,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureSignalRPrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSignalRPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSignalRPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "effect": {
            "value": "[parameters('effect')]"
@ -1201,7 +1379,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureAppServicesPrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAppServicesPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAppServicesPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "effect": {
            "value": "[parameters('effect')]"
@ -1214,7 +1392,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureEventGridTopicsPrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureEventGridTopicsPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureEventGridTopicsPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "effect": {
            "value": "[parameters('effect1')]"
@ -1227,7 +1405,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureDiskAccessPrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDiskAccessPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDiskAccessPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "effect": {
            "value": "[parameters('effect')]"
@ -1240,7 +1418,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureCognitiveServicesPrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCognitiveServicesPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCognitiveServicesPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "effect": {
            "value": "[parameters('effect')]"
@ -1253,7 +1431,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureIotHubsPrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotHubsPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotHubsPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "effect": {
            "value": "[parameters('effect1')]"
@ -1266,7 +1444,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureEventGridDomainsPrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureEventGridDomainsPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureEventGridDomainsPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "effect": {
            "value": "[parameters('effect1')]"
@ -1279,7 +1457,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureRedisCachePrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureRedisCachePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureRedisCachePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "effect": {
            "value": "[parameters('effect')]"
@ -1292,7 +1470,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureAcrPrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAcrPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAcrPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "effect": {
            "value": "[parameters('effect')]"
@ -1305,7 +1483,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureEventHubNamespacePrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureEventHubNamespacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureEventHubNamespacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "effect": {
            "value": "[parameters('effect')]"
@ -1318,10 +1496,10 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMachineLearningWorkspacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMachineLearningWorkspacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "secondPrivateDnsZoneId": {
-            "value": "[parameters('azureMachineLearningWorkspaceSecondPrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMachineLearningWorkspaceSecondPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMachineLearningWorkspaceSecondPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "effect": {
            "value": "[parameters('effect')]"
@ -1334,7 +1512,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureServiceBusNamespacePrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureServiceBusNamespacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureServiceBusNamespacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "effect": {
            "value": "[parameters('effect')]"
@ -1347,7 +1525,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureCognitiveSearchPrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCognitiveSearchPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCognitiveSearchPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "effect": {
            "value": "[parameters('effect')]"
@ -1360,7 +1538,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6a4e6f44-f2af-4082-9702-033c9e88b9f8",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureBotServicePrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureBotServicePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureBotServicePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "effect": {
            "value": "[parameters('effect')]"
@ -1373,7 +1551,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4c8537f8-cd1b-49ec-b704-18e82a42fd58",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureManagedGrafanaWorkspacePrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureManagedGrafanaWorkspacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureManagedGrafanaWorkspacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "effect": {
            "value": "[parameters('effect')]"
@ -1386,7 +1564,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureVirtualDesktopHostpoolPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "privateEndpointGroupId": {
            "value": "connection"
@ -1402,7 +1580,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureVirtualDesktopWorkspacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "privateEndpointGroupId": {
            "value": "feed"
@ -1418,7 +1596,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a222b93a-e6c2-4c01-817f-21e092455b2a",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureIotDeviceupdatePrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotDeviceupdatePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotDeviceupdatePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "effect": {
            "value": "[parameters('effect')]"
@ -1431,13 +1609,13 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55c4db33-97b0-437b-8469-c4f4498f5df9",
        "parameters": {
          "privateDnsZoneIDForGuestConfiguration": {
-            "value": "[parameters('azureArcGuestconfigurationPrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureArcGuestconfigurationPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureArcGuestconfigurationPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "privateDnsZoneIDForHybridResourceProvider": {
-            "value": "[parameters('azureArcHybridResourceProviderPrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureArcHybridResourceProviderPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureArcHybridResourceProviderPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "privateDnsZoneIDForKubernetesConfiguration": {
-            "value": "[parameters('azureArcKubernetesConfigurationPrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureArcKubernetesConfigurationPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureArcKubernetesConfigurationPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "effect": {
            "value": "[parameters('effect')]"
@ -1450,7 +1628,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d627d7c6-ded5-481a-8f2e-7e16b1e6faf6",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureIotCentralPrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotCentralPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotCentralPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "effect": {
            "value": "[parameters('effect')]"
@ -1463,7 +1641,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureStorageTablePrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageTablePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageTablePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "effect": {
            "value": "[parameters('effect')]"
@ -1476,7 +1654,7 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f",
        "parameters": {
          "privateDnsZoneId": {
-            "value": "[parameters('azureStorageTableSecondaryPrivateDnsZoneId')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageTableSecondaryPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageTableSecondaryPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "effect": {
            "value": "[parameters('effect')]"
@ -1489,13 +1667,13 @@
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820",
        "parameters": {
          "privateDnsZone-Backup": {
-            "value": "[parameters('azureSiteRecoveryBackupPrivateDnsZoneID')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSiteRecoveryBackupPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSiteRecoveryBackupPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "privateDnsZone-Blob": {
-            "value": "[parameters('azureSiteRecoveryBlobPrivateDnsZoneID')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSiteRecoveryBlobPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSiteRecoveryBlobPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "privateDnsZone-Queue": {
-            "value": "[parameters('azureSiteRecoveryQueuePrivateDnsZoneID')]"
+            "value": "[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSiteRecoveryQueuePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSiteRecoveryQueuePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]"
          },
          "effect": {
            "value": "[parameters('effect')]"
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.tmpl.json
@ -8,7 +8,7 @@
    "displayName": "Deny or Audit resources without Encryption with a customer-managed key (CMK)",
    "description": "Deny or Audit resources without Encryption with a customer-managed key (CMK)",
    "metadata": {
-      "version": "3.0.0",
+      "version": "3.1.0",
      "category": "Encryption",
      "source": "https://github.com/Azure/Enterprise-Scale/",
      "alzCloudEnvironments": [
@ -329,6 +329,18 @@
          "Deny",
          "Disabled"
        ]
+      },
+      "botServiceCmk": {
+        "type": "string",
+        "defaultValue": "Deny",
+        "allowedValues": [
+          "Audit",
+          "audit",
+          "Deny",
+          "deny",
+          "Disabled",
+          "disabled"
+        ]
      }
    },
    "policyDefinitions": [
@ -621,6 +633,16 @@
          }
        },
        "groupNames": []
+      },
+      {
+        "policyDefinitionReferenceId": "Deny-BotService-Cmk",
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/51522a96-0869-4791-82f3-981000c2c67f",
+        "parameters": {
+          "effect": {
+            "value": "[parameters('botServiceCmk')]"
+          }
+        },
+        "groupNames": []
      }
    ],
    "policyDefinitionGroups": null
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_botservice.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_botservice.tmpl.json
@ -0,0 +1,107 @@
+{
+  "name": "Enforce-Guardrails-BotService",
+  "type": "Microsoft.Authorization/policySetDefinitions",
+  "apiVersion": "2021-06-01",
+  "scope": null,
+  "properties": {
+    "policyType": "Custom",
+    "displayName": "Enforce recommended guardrails for Bot Service",
+    "description": "This policy initiative is a group of policies that ensures Bot Service is compliant per regulated Landing Zones.",
+    "metadata": {
+      "version": "1.0.0",
+      "category": "Bot Service",
+      "source": "https://github.com/Azure/Enterprise-Scale/",
+      "alzCloudEnvironments": [
+        "AzureCloud",
+        "AzureChinaCloud",
+        "AzureUSGovernment"
+      ]
+    },
+    "parameters": {
+      "botServiceValidUri": {
+        "type": "string",
+        "defaultValue": "Deny",
+        "allowedValues": [
+          "Audit",
+          "audit",
+          "Deny",
+          "deny",
+          "Disabled",
+          "disabled"
+        ]
+      },
+      "botServiceIsolatedMode": {
+        "type": "string",
+        "defaultValue": "Deny",
+        "allowedValues": [
+          "Audit",
+          "audit",
+          "Deny",
+          "deny",
+          "Disabled",
+          "disabled"
+        ]
+      },
+      "botServiceLocalAuth": {
+        "type": "string",
+        "defaultValue": "Deny",
+        "allowedValues": [
+          "Audit",
+          "Deny",
+          "Disabled"
+        ]
+      },
+      "botServicePrivateLink": {
+        "type": "string",
+        "defaultValue": "Audit",
+        "allowedValues": [
+          "Audit",
+          "Disabled"
+        ]
+      }
+    },
+    "policyDefinitions": [
+      {
+        "policyDefinitionReferenceId": "Deny-BotService-Valid-Uri",
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6164527b-e1ee-4882-8673-572f425f5e0a",
+        "parameters": {
+          "effect": {
+            "value": "[parameters('botServiceValidUri')]"
+          }
+        },
+        "groupNames": []
+      },
+      {
+        "policyDefinitionReferenceId": "Deny-BotService-Isolated-Mode",
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/52152f42-0dda-40d9-976e-abb1acdd611e",
+        "parameters": {
+          "effect": {
+            "value": "[parameters('botServiceIsolatedMode')]"
+          }
+        },
+        "groupNames": []
+      },
+      {
+        "policyDefinitionReferenceId": "Deny-BotService-Local-Auth",
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ffea632e-4e3a-4424-bf78-10e179bb2e1a",
+        "parameters": {
+          "effect": {
+            "value": "[parameters('botServiceLocalAuth')]"
+          }
+        },
+        "groupNames": []
+      },
+      {
+        "policyDefinitionReferenceId": "Audit-BotService-Private-Link",
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ad5621d6-a877-4407-aa93-a950b428315e",
+        "parameters": {
+          "effect": {
+            "value": "[parameters('botServicePrivateLink')]"
+          }
+        },
+        "groupNames": []
+      }
+    ],
+    "policyDefinitionGroups": null
+  }
+}
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_cognitiveservices.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_cognitiveservices.tmpl.json
@ -8,7 +8,7 @@
    "displayName": "Enforce recommended guardrails for Cognitive Services",
    "description": "This policy initiative is a group of policies that ensures Cognitive Services is compliant per regulated Landing Zones.",
    "metadata": {
-      "version": "1.0.0",
+      "version": "1.1.0",
      "category": "Cognitive Services",
      "source": "https://github.com/Azure/Enterprise-Scale/",
      "alzCloudEnvironments": [
@ -44,6 +44,14 @@
          "Disabled"
        ]
      },
+      "cognitiveServicesLocalAuth": {
+        "type": "string",
+        "defaultValue": "Modify",
+        "allowedValues": [
+          "Modify",
+          "Disabled"
+        ]
+      },
      "modifyCognitiveSearchPublicEndpoint": {
        "type": "string",
        "defaultValue": "Modify",
@ -59,6 +67,32 @@
          "Modify",
          "Disabled"
        ]
+      },
+      "cognitiveServicesManagedIdentity": {
+        "type": "string",
+        "defaultValue": "Deny",
+        "allowedValues": [
+          "Audit",
+          "Deny",
+          "Disabled"
+        ]
+      },
+      "cognitiveServicesCustomerStorage": {
+        "type": "string",
+        "defaultValue": "Deny",
+        "allowedValues": [
+          "Audit",
+          "Deny",
+          "Disabled"
+        ]
+      },
+      "cognitiveServicesResourceLogs": {
+        "type": "string",
+        "defaultValue": "AuditIfNotExists",
+        "allowedValues": [
+          "AuditIfNotExists",
+          "Disabled"
+        ]
      }
    },
    "policyDefinitions": [
@ -111,6 +145,46 @@
          }
        },
        "groupNames": []
+      },
+      {
+        "policyDefinitionReferenceId": "Deny-Cognitive-Services-Managed-Identity",
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418",
+        "parameters": {
+          "effect": {
+            "value": "[parameters('cognitiveServicesManagedIdentity')]"
+          }
+        },
+        "groupNames": []
+      },
+      {
+        "policyDefinitionReferenceId": "Deny-Cognitive-Services-Customer-Storage",
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515",
+        "parameters": {
+          "effect": {
+            "value": "[parameters('cognitiveServicesCustomerStorage')]"
+          }
+        },
+        "groupNames": []
+      },
+      {
+        "policyDefinitionReferenceId": "Modify-Cognitive-Services-Local-Auth",
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555",
+        "parameters": {
+          "effect": {
+            "value": "[parameters('cognitiveServicesLocalAuth')]"
+          }
+        },
+        "groupNames": []
+      },
+      {
+        "policyDefinitionReferenceId": "Aine-Cognitive-Services-Resource-Logs",
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4",
+        "parameters": {
+          "effect": {
+            "value": "[parameters('cognitiveServicesResourceLogs')]"
+          }
+        },
+        "groupNames": []
      }
    ],
    "policyDefinitionGroups": null
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_machinelearning.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_machinelearning.tmpl.json
@ -8,7 +8,7 @@
    "displayName": "Enforce recommended guardrails for Machine Learning",
    "description": "This policy initiative is a group of policies that ensures Machine Learning is compliant per regulated Landing Zones.",
    "metadata": {
-      "version": "1.0.0",
+      "version": "1.1.0",
      "category": "Machine Learning",
      "source": "https://github.com/Azure/Enterprise-Scale/",
      "alzCloudEnvironments": [
@ -59,6 +59,80 @@
          "Modify",
          "Disabled"
        ]
+      },
+      "mlIdleShutdown": {
+        "type": "string",
+        "defaultValue": "Deny",
+        "allowedValues": [
+          "Audit",
+          "Deny",
+          "Disabled"
+        ]
+      },
+      "mlVirtualNetwork": {
+        "type": "string",
+        "defaultValue": "Audit",
+        "allowedValues": [
+          "Audit",
+          "Disabled"
+        ]
+      },
+      "mlLegacyMode": {
+        "type": "string",
+        "defaultValue": "Deny",
+        "allowedValues": [
+          "Audit",
+          "Deny",
+          "Disabled"
+        ]
+      },
+      "mlPrivateLink": {
+        "type": "string",
+        "defaultValue": "Audit",
+        "allowedValues": [
+          "Audit",
+          "Disabled"
+        ]
+      },
+      "mlResourceLogs": {
+        "type": "string",
+        "defaultValue": "AuditIfNotExists",
+        "allowedValues": [
+          "AuditIfNotExists",
+          "Disabled"
+        ]
+      },
+      "mlAllowedRegistryDeploy": {
+        "type": "string",
+        "defaultValue": "Deny",
+        "allowedValues": [
+          "Deny",
+          "Disabled"
+        ]
+      },
+      "mlAllowedModule": {
+        "type": "string",
+        "defaultValue": "enforceSetting",
+        "allowedValues": [
+          "enforceSetting",
+          "disabled"
+        ]
+      },
+      "mlAllowedPython": {
+        "type": "string",
+        "defaultValue": "enforceSetting",
+        "allowedValues": [
+          "enforceSetting",
+          "disabled"
+        ]
+      },
+      "mlAllowedRegistries": {
+        "type": "string",
+        "defaultValue": "enforceSetting",
+        "allowedValues": [
+          "enforceSetting",
+          "disabled"
+        ]
      }
    },
    "policyDefinitions": [
@ -111,6 +185,96 @@
          }
        },
        "groupNames": []
+      },
+      {
+        "policyDefinitionReferenceId": "Deny-ML-Idle-Shutdown",
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/679ddf89-ab8f-48a5-9029-e76054077449",
+        "parameters": {
+          "effect": {
+            "value": "[parameters('mlIdleShutdown')]"
+          }
+        },
+        "groupNames": []
+      },
+      {
+        "policyDefinitionReferenceId": "Audit-ML-Virtual-Network",
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7804b5c7-01dc-4723-969b-ae300cc07ff1",
+        "parameters": {
+          "effect": {
+            "value": "[parameters('mlVirtualNetwork')]"
+          }
+        },
+        "groupNames": []
+      },
+      {
+        "policyDefinitionReferenceId": "Deny-ML-Legacy-Mode",
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e413671a-dd10-4cc1-a943-45b598596cb7",
+        "parameters": {
+          "effect": {
+            "value": "[parameters('mlLegacyMode')]"
+          }
+        },
+        "groupNames": []
+      },
+      {
+        "policyDefinitionReferenceId": "Audit-ML-Private-Link",
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/45e05259-1eb5-4f70-9574-baf73e9d219b",
+        "parameters": {
+          "effect": {
+            "value": "[parameters('mlPrivateLink')]"
+          }
+        },
+        "groupNames": []
+      },
+      {
+        "policyDefinitionReferenceId": "Aine-ML-Resource-Logs",
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/afe0c3be-ba3b-4544-ba52-0c99672a8ad6",
+        "parameters": {
+          "effect": {
+            "value": "[parameters('mlResourceLogs')]"
+          }
+        },
+        "groupNames": []
+      },
+      {
+        "policyDefinitionReferenceId": "Deny-ML-Allowed-Registry-Deploy",
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/19539b54-c61e-4196-9a38-67598701be90",
+        "parameters": {
+          "effect": {
+            "value": "[parameters('mlAllowedRegistryDeploy')]"
+          }
+        },
+        "groupNames": []
+      },
+      {
+        "policyDefinitionReferenceId": "Deny-ML-Allowed-Module",
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/53c70b02-63dd-11ea-bc55-0242ac130003",
+        "parameters": {
+          "effect": {
+            "value": "[parameters('mlAllowedModule')]"
+          }
+        },
+        "groupNames": []
+      },
+      {
+        "policyDefinitionReferenceId": "Deny-ML-Allowed-Python",
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/77eeea86-7e81-4a7d-9067-de844d096752",
+        "parameters": {
+          "effect": {
+            "value": "[parameters('mlAllowedPython')]"
+          }
+        },
+        "groupNames": []
+      },
+      {
+        "policyDefinitionReferenceId": "Deny-ML-Allowed-Registries",
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5853517a-63de-11ea-bc55-0242ac130003",
+        "parameters": {
+          "effect": {
+            "value": "[parameters('mlAllowedRegistries')]"
+          }
+        },
+        "groupNames": []
      }
    ],
    "policyDefinitionGroups": null
--- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_openai.tmpl.json
+++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_openai.tmpl.json
@ -8,7 +8,7 @@
    "displayName": "Enforce recommended guardrails for Open AI (Cognitive Service)",
    "description": "This policy initiative is a group of policies that ensures Open AI (Cognitive Service) is compliant per regulated Landing Zones.",
    "metadata": {
-      "version": "1.0.0",
+      "version": "1.1.0",
      "category": "Cognitive Services",
      "source": "https://github.com/Azure/Enterprise-Scale/",
      "alzCloudEnvironments": [
@ -70,6 +70,47 @@
          "Deny",
          "Disabled"
        ]
+      },
+      "azureAiNetworkAccess": {
+        "type": "string",
+        "defaultValue": "Deny",
+        "allowedValues": [
+          "Audit",
+          "Deny",
+          "Disabled"
+        ]
+      },
+      "azureAiPrivateLink": {
+        "type": "string",
+        "defaultValue": "Audit",
+        "allowedValues": [
+          "Audit",
+          "Disabled"
+        ]
+      },
+      "azureAiDisableLocalKey": {
+        "type": "string",
+        "defaultValue": "DeployIfNotExists",
+        "allowedValues": [
+          "DeployIfNotExists",
+          "Disabled"
+        ]
+      },
+      "azureAiDisableLocalKey2": {
+        "type": "string",
+        "defaultValue": "DeployIfNotExists",
+        "allowedValues": [
+          "DeployIfNotExists",
+          "Disabled"
+        ]
+      },
+      "azureAiDiagSettings": {
+        "type": "string",
+        "defaultValue": "AuditIfNotExists",
+        "allowedValues": [
+          "AuditIfNotExists",
+          "Disabled"
+        ]
      }
    },
    "policyDefinitions": [
@ -132,6 +173,56 @@
          }
        },
        "groupNames": []
+      },
+      {
+        "policyDefinitionReferenceId": "Deny-AzureAI-Network-Access",
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3",
+        "parameters": {
+          "effect": {
+            "value": "[parameters('azureAiNetworkAccess')]"
+          }
+        },
+        "groupNames": []
+      },
+      {
+        "policyDefinitionReferenceId": "Audit-AzureAI-Private-Link",
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d6759c02-b87f-42b7-892e-71b3f471d782",
+        "parameters": {
+          "effect": {
+            "value": "[parameters('azureAiPrivateLink')]"
+          }
+        },
+        "groupNames": []
+      },
+      {
+        "policyDefinitionReferenceId": "Dine-AzureAI-Local-Key",
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d45520cb-31ca-44ba-8da2-fcf914608544",
+        "parameters": {
+          "effect": {
+            "value": "[parameters('azureAiDisableLocalKey')]"
+          }
+        },
+        "groupNames": []
+      },
+      {
+        "policyDefinitionReferenceId": "Dine-AzureAI-Local-Key2",
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55eff01b-f2bd-4c32-9203-db285f709d30",
+        "parameters": {
+          "effect": {
+            "value": "[parameters('azureAiDisableLocalKey2')]"
+          }
+        },
+        "groupNames": []
+      },
+      {
+        "policyDefinitionReferenceId": "Aine-AzureAI-Diag-Settings",
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b4d1c4e-934c-4703-944c-27c82c06bebb",
+        "parameters": {
+          "effect": {
+            "value": "[parameters('azureAiDiagSettings')]"
+          }
+        },
+        "groupNames": []
      }
    ],
    "policyDefinitionGroups": null