Azure · h2floh · Dec 21, 2023 · Dec 21, 2023
diff --git a/docs/07-Deployment-Parameters.md b/docs/07-Deployment-Parameters.md
@@ -54,10 +54,11 @@ This section contains descriptions and accepted values for all parameters within
  | 35 | parBastionOutboundSshRdpPorts | Array of outbound destination ports and ranges for Azure Bastion. | An array of values (ports)<br />e.g.: ["22", "3389"] | all, platform |
  | 36 | parInvokePolicyScanSync | Toggles executing the policy scan in synchronous mode. True to run policy scan in synchronous mode, False for asynchronous. When set to false, policy remediation needs to be manually triggered once the scan is complete. Note that when policy scan is run asynchronously, there isn't a way to track its progress. | true; false | all, compliance |
  | 37 | parInvokePolicyRemediationSync | Toggles executing the policy scan in synchronous mode. True to run policy remediation in synchronous mode, False for asynchronous. | true; false | all, compliance |
- | 38 | parPolicyEffect | The policy effect used in all assignments for the Sovereignty Baseline policy initiatives. | Choose one: "Audit", "Deny", "Disabled" | all, compliance |
- | 39 | parDeployLogAnalyticsWorkspace | Toggles deployment of Log Analytics Workspace. True to deploy, otherwise false. | true; false | all, platform |
- | 40 | parCustomerPolicySets | Customer specified policy assignments to the top-level management group of the SLZ. No parameters are supported as part of the assignment. | Name field can only be a letter, digit, '-', '.' or '_' and cannot have any trailing special character.<br />See the SLZ parameter file for a sample configuration. | all, compliance |
- | 41 | parTags | Tags that will be assigned to subscription and resources created by this deployment script. | See the SLZ parameter file for a sample configuration. | all, bootstrap, platform, and dashboard |
+ | 38 | parPolicyAssignmentEnforcementMode | The enforcement mode used in all policy and initiative assignments. | Choose one: "Default", "DoNotEnforce" | all, compliance |
+ | 39 | parPolicyEffect | The policy effect used in all assignments for the Sovereignty Baseline policy initiatives. | Choose one: "Audit", "Deny", "Disabled" | all, compliance |
+ | 40 | parDeployLogAnalyticsWorkspace | Toggles deployment of Log Analytics Workspace. True to deploy, otherwise false. | true; false | all, platform |
+ | 41 | parCustomerPolicySets | Customer specified policy assignments to the top-level management group of the SLZ. No parameters are supported as part of the assignment. | Name field can only be a letter, digit, '-', '.' or '_' and cannot have any trailing special character.<br />See the SLZ parameter file for a sample configuration. | all, compliance |
+ | 42 | parTags | Tags that will be assigned to subscription and resources created by this deployment script. | See the SLZ parameter file for a sample configuration. | all, bootstrap, platform, and dashboard |
 
 ## Next step
 

diff --git a/modules/compliance/customCompliance.bicep b/modules/compliance/customCompliance.bicep
@@ -20,6 +20,9 @@ param parIdentityRoleAssignmentsSubs array
 @description('The role definition ids for permissions.')
 param parRoleDefinitionIds array
 
+@description('Enforcement mode for all policy assignments.')
+param parPolicyAssignmentEnforcementMode string = 'Default'
+
 // Managment Groups Varaibles - Used For Policy Assignments
 var varManagementGroupIDs = {
   intRoot: '${parDeploymentPrefix}${parDeploymentSuffix}'
@@ -163,7 +166,7 @@ module modPolicyAssignmentGlobalCustom '../../dependencies/infra-as-code/bicep/m
     parPolicyAssignmentDescription: '${varGlobalCustomPolicies.libAssignment.properties.description} ${varGlobalCustomPolicies.version}'
     parPolicyAssignmentDisplayName: '${varGlobalCustomPolicies.libAssignment.properties.displayName} ${varGlobalCustomPolicies.version}'
     parPolicyAssignmentName: take('${varGlobalCustomPolicies.libAssignment.name}${varGlobalCustomPolicies.version}', 24)
-    parPolicyAssignmentEnforcementMode: 'Default'
+    parPolicyAssignmentEnforcementMode: parPolicyAssignmentEnforcementMode
     parPolicyAssignmentIdentityRoleAssignmentsSubs: parIdentityRoleAssignmentsSubs
     parPolicyAssignmentIdentityRoleDefinitionIds: parRoleDefinitionIds
     parPolicyAssignmentIdentityType: 'SystemAssigned'
@@ -180,7 +183,7 @@ module modPolicyAssignmentDecommissionedCustom '../../dependencies/infra-as-code
     parPolicyAssignmentDescription: '${varDecommissionedCustomPolicies.libAssignment.properties.description} ${varDecommissionedCustomPolicies.version}'
     parPolicyAssignmentDisplayName: '${varDecommissionedCustomPolicies.libAssignment.properties.displayName} ${varDecommissionedCustomPolicies.version}'
     parPolicyAssignmentName: take('${varDecommissionedCustomPolicies.libAssignment.name}${varDecommissionedCustomPolicies.version}', 24)
-    parPolicyAssignmentEnforcementMode: 'Default'
+    parPolicyAssignmentEnforcementMode: parPolicyAssignmentEnforcementMode
     parPolicyAssignmentIdentityRoleAssignmentsSubs: parIdentityRoleAssignmentsSubs
     parPolicyAssignmentIdentityRoleDefinitionIds: parRoleDefinitionIds
     parPolicyAssignmentIdentityType: 'SystemAssigned'
@@ -197,7 +200,7 @@ module modPolicyAssignmentLandingZoneCustom '../../dependencies/infra-as-code/bi
     parPolicyAssignmentDescription: '${varLandingZonesPolicies.libAssignment.properties.description} ${varLandingZonesPolicies.version}'
     parPolicyAssignmentDisplayName: '${varLandingZonesPolicies.libAssignment.properties.displayName} ${varLandingZonesPolicies.version}'
     parPolicyAssignmentName: take('${varLandingZonesPolicies.libAssignment.name}${varLandingZonesPolicies.version}', 24)
-    parPolicyAssignmentEnforcementMode: 'Default'
+    parPolicyAssignmentEnforcementMode: parPolicyAssignmentEnforcementMode
     parPolicyAssignmentIdentityRoleAssignmentsSubs: parIdentityRoleAssignmentsSubs
     parPolicyAssignmentIdentityRoleDefinitionIds: parRoleDefinitionIds
     parPolicyAssignmentIdentityType: 'SystemAssigned'
@@ -214,7 +217,7 @@ module modPolicyAssignmentConfidentialCorpCustom_Confidential '../../dependencie
     parPolicyAssignmentDescription: '${varConfidentialCustomPolicies.libAssignment.properties.description} ${varConfidentialCustomPolicies.version}'
     parPolicyAssignmentDisplayName: '${varConfidentialCustomPolicies.libAssignment.properties.displayName} ${varConfidentialCustomPolicies.version}'
     parPolicyAssignmentName: take('${varConfidentialCustomPolicies.libAssignment.name}${varConfidentialCustomPolicies.version}', 24)
-    parPolicyAssignmentEnforcementMode: 'Default'
+    parPolicyAssignmentEnforcementMode: parPolicyAssignmentEnforcementMode
     parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: []
     parPolicyAssignmentIdentityRoleAssignmentsSubs: parIdentityRoleAssignmentsSubs
     parPolicyAssignmentIdentityRoleDefinitionIds: parRoleDefinitionIds
@@ -233,7 +236,7 @@ module modPolicyAssignmentConfidentialCorpCustom_Corp '../../dependencies/infra-
     parPolicyAssignmentDescription: '${varCorpCustomPolicies.libAssignment.properties.description} ${varCorpCustomPolicies.version}'
     parPolicyAssignmentDisplayName: '${varCorpCustomPolicies.libAssignment.properties.displayName} ${varCorpCustomPolicies.version}'
     parPolicyAssignmentName: take('${varCorpCustomPolicies.libAssignment.name}${varCorpCustomPolicies.version}', 24)
-    parPolicyAssignmentEnforcementMode: 'Default'
+    parPolicyAssignmentEnforcementMode: parPolicyAssignmentEnforcementMode
     parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: []
     parPolicyAssignmentIdentityRoleAssignmentsSubs: parIdentityRoleAssignmentsSubs
     parPolicyAssignmentIdentityRoleDefinitionIds: parRoleDefinitionIds
@@ -253,7 +256,7 @@ module modPolicyAssignmentConfidentialOnlineCustom_Confidential '../../dependenc
     parPolicyAssignmentDescription: '${varConfidentialCustomPolicies.libAssignment.properties.description} ${varConfidentialCustomPolicies.version}'
     parPolicyAssignmentDisplayName: '${varConfidentialCustomPolicies.libAssignment.properties.displayName} ${varConfidentialCustomPolicies.version}'
     parPolicyAssignmentName: take('${varConfidentialCustomPolicies.libAssignment.name}${varConfidentialCustomPolicies.version}', 24)
-    parPolicyAssignmentEnforcementMode: 'Default'
+    parPolicyAssignmentEnforcementMode: parPolicyAssignmentEnforcementMode
     parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: []
     parPolicyAssignmentIdentityRoleAssignmentsSubs: parIdentityRoleAssignmentsSubs
     parPolicyAssignmentIdentityRoleDefinitionIds: parRoleDefinitionIds
@@ -273,7 +276,7 @@ module modPolicyAssignmentConfidentialOnlineCustom_Online '../../dependencies/in
     parPolicyAssignmentDescription: '${varOnlineCustomPolicies.libAssignment.properties.description} ${varOnlineCustomPolicies.version}'
     parPolicyAssignmentDisplayName: '${varOnlineCustomPolicies.libAssignment.properties.displayName} ${varOnlineCustomPolicies.version}'
     parPolicyAssignmentName: take('${varOnlineCustomPolicies.libAssignment.name}${varOnlineCustomPolicies.version}', 24)
-    parPolicyAssignmentEnforcementMode: 'Default'
+    parPolicyAssignmentEnforcementMode: parPolicyAssignmentEnforcementMode
     parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: []
     parPolicyAssignmentIdentityRoleAssignmentsSubs: parIdentityRoleAssignmentsSubs
     parPolicyAssignmentIdentityRoleDefinitionIds: parRoleDefinitionIds
@@ -293,7 +296,7 @@ module modPolicyAssignmentCorpCustom '../../dependencies/infra-as-code/bicep/mod
     parPolicyAssignmentDescription: '${varCorpCustomPolicies.libAssignment.properties.description} ${varOnlineCustomPolicies.version}'
     parPolicyAssignmentDisplayName: '${varCorpCustomPolicies.libAssignment.properties.displayName} ${varOnlineCustomPolicies.version}'
     parPolicyAssignmentName: take('${varCorpCustomPolicies.libAssignment.name}${varOnlineCustomPolicies.version}', 24)
-    parPolicyAssignmentEnforcementMode: 'Default'
+    parPolicyAssignmentEnforcementMode: parPolicyAssignmentEnforcementMode
     parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: []
     parPolicyAssignmentIdentityRoleAssignmentsSubs: parIdentityRoleAssignmentsSubs
     parPolicyAssignmentIdentityRoleDefinitionIds: parRoleDefinitionIds
@@ -313,7 +316,7 @@ module modPolicyAssignmentOnlineCustom '../../dependencies/infra-as-code/bicep/m
     parPolicyAssignmentDescription: '${varOnlineCustomPolicies.libAssignment.properties.description} ${varOnlineCustomPolicies.version}'
     parPolicyAssignmentDisplayName: '${varOnlineCustomPolicies.libAssignment.properties.displayName} ${varOnlineCustomPolicies.version}'
     parPolicyAssignmentName: take('${varOnlineCustomPolicies.libAssignment.name}${varOnlineCustomPolicies.version}', 24)
-    parPolicyAssignmentEnforcementMode: 'Default'
+    parPolicyAssignmentEnforcementMode: parPolicyAssignmentEnforcementMode
     parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: []
     parPolicyAssignmentIdentityRoleAssignmentsSubs: parIdentityRoleAssignmentsSubs
     parPolicyAssignmentIdentityRoleDefinitionIds: parRoleDefinitionIds
@@ -333,7 +336,7 @@ module modPolicyAssignmentPlatformCustom '../../dependencies/infra-as-code/bicep
     parPolicyAssignmentDescription: '${varPlatformCustomPolicies.libAssignment.properties.description} ${varPlatformCustomPolicies.version}'
     parPolicyAssignmentDisplayName: '${varPlatformCustomPolicies.libAssignment.properties.displayName} ${varPlatformCustomPolicies.version}'
     parPolicyAssignmentName: take('${varPlatformCustomPolicies.libAssignment.name}${varPlatformCustomPolicies.version}', 24)
-    parPolicyAssignmentEnforcementMode: 'Default'
+    parPolicyAssignmentEnforcementMode: parPolicyAssignmentEnforcementMode
     parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: []
     parPolicyAssignmentIdentityRoleAssignmentsSubs: parIdentityRoleAssignmentsSubs
     parPolicyAssignmentIdentityRoleDefinitionIds: parRoleDefinitionIds
@@ -353,7 +356,7 @@ module modPolicyAssignmentConnectivityCustom '../../dependencies/infra-as-code/b
     parPolicyAssignmentDescription: '${varConnectivityCustomPolicies.libAssignment.properties.description} ${varConnectivityCustomPolicies.version}'
     parPolicyAssignmentDisplayName: '${varConnectivityCustomPolicies.libAssignment.properties.displayName} ${varConnectivityCustomPolicies.version}'
     parPolicyAssignmentName: take('${varConnectivityCustomPolicies.libAssignment.name}${varConnectivityCustomPolicies.version}', 24)
-    parPolicyAssignmentEnforcementMode: 'Default'
+    parPolicyAssignmentEnforcementMode: parPolicyAssignmentEnforcementMode
     parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: []
     parPolicyAssignmentIdentityRoleAssignmentsSubs: parIdentityRoleAssignmentsSubs
     parPolicyAssignmentIdentityRoleDefinitionIds: parRoleDefinitionIds
@@ -373,7 +376,7 @@ module modPolicyAssignmentIdentityCustom '../../dependencies/infra-as-code/bicep
     parPolicyAssignmentDescription: '${varIdentityCustomPolicies.libAssignment.properties.description} ${varIdentityCustomPolicies.version}'
     parPolicyAssignmentDisplayName: '${varIdentityCustomPolicies.libAssignment.properties.displayName} ${varIdentityCustomPolicies.version}'
     parPolicyAssignmentName: take('${varIdentityCustomPolicies.libAssignment.name}${varIdentityCustomPolicies.version}', 24)
-    parPolicyAssignmentEnforcementMode: 'Default'
+    parPolicyAssignmentEnforcementMode: parPolicyAssignmentEnforcementMode
     parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: []
     parPolicyAssignmentIdentityRoleAssignmentsSubs: parIdentityRoleAssignmentsSubs
     parPolicyAssignmentIdentityRoleDefinitionIds: parRoleDefinitionIds
@@ -393,7 +396,7 @@ module modPolicyAssignmentManagementCustom '../../dependencies/infra-as-code/bic
     parPolicyAssignmentDescription: '${varManagementCustomPolicies.libAssignment.properties.description} ${varManagementCustomPolicies.version}'
     parPolicyAssignmentDisplayName: '${varManagementCustomPolicies.libAssignment.properties.displayName} ${varManagementCustomPolicies.version}'
     parPolicyAssignmentName: take('${varManagementCustomPolicies.libAssignment.name}${varManagementCustomPolicies.version}', 24)
-    parPolicyAssignmentEnforcementMode: 'Default'
+    parPolicyAssignmentEnforcementMode: parPolicyAssignmentEnforcementMode
     parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: []
     parPolicyAssignmentIdentityRoleAssignmentsSubs: parIdentityRoleAssignmentsSubs
     parPolicyAssignmentIdentityRoleDefinitionIds: parRoleDefinitionIds
@@ -413,7 +416,7 @@ module modPolicyAssignmentSandboxCustom '../../dependencies/infra-as-code/bicep/
     parPolicyAssignmentDescription: '${varSandboxCustomPolicies.libAssignment.properties.description} ${varSandboxCustomPolicies.version}'
     parPolicyAssignmentDisplayName: '${varSandboxCustomPolicies.libAssignment.properties.displayName} ${varSandboxCustomPolicies.version}'
     parPolicyAssignmentName: take('${varSandboxCustomPolicies.libAssignment.name}${varSandboxCustomPolicies.version}', 24)
-    parPolicyAssignmentEnforcementMode: 'Default'
+    parPolicyAssignmentEnforcementMode: parPolicyAssignmentEnforcementMode
     parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: []
     parPolicyAssignmentIdentityRoleAssignmentsSubs: parIdentityRoleAssignmentsSubs
     parPolicyAssignmentIdentityRoleDefinitionIds: parRoleDefinitionIds

diff --git a/modules/compliance/customerPolicySetAssignments.bicep b/modules/compliance/customerPolicySetAssignments.bicep
@@ -30,6 +30,9 @@ param parPolicySetAssignmentDisplayName string
 @description('descritpion for the policy set assignment')
 param parPolicySetAssignmentDescription string
 
+@description('Enforcement mode for all policy assignments.')
+param parPolicyAssignmentEnforcementMode string = 'Default'
+
 var varRootManagementGroupId = '${parDeploymentPrefix}${parDeploymentSuffix}'
 var varRbacRoleDefinitionIds = {
   owner: '8e3af657-a8ff-443c-a75c-2fe8c4bcb635'
@@ -51,7 +54,7 @@ module modUserPolicyAssignment '../../dependencies/infra-as-code/bicep/modules/p
     parPolicyAssignmentIdentityRoleDefinitionIds: [
       varRbacRoleDefinitionIds.owner
     ]
-    parPolicyAssignmentEnforcementMode: 'Default'
+    parPolicyAssignmentEnforcementMode: parPolicyAssignmentEnforcementMode
     parTelemetryOptOut: true
   }
 }