The Azure Landing Zones (Enterprise-Scale) architecture provides prescriptive guidance coupled with Azure best practices, and it follows design principles across the critical design areas for organizations to define their Azure architecture.
1. The policy initiative "Deploy SQL Database built-in SQL security configuration" (Deploy-Sql-Security) is missing from the policy list under Landing Zones, although a couple of the policies in this initiative do appear as single policies in that list (see points 2 and 4). The only information about this initiative is found here: https://github.com/Azure/Enterprise-Scale/blob/main/docs/reference/azpol.md#provide-comprehensive-security-for-sql-databases
2. The policy "Deploy-SQL-TDE" ("displayName": "Deploy TDE on SQL servers") is the built-in policy "Deploy SQL DB transparent data encryption". This built-in policy is already part of the policy initiative "Deploy SQL Database built-in SQL security configuration" (Deploy-Sql-Security) and should be removed as a single policy from the policy list under Landing Zones.
3. The policy https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-vulnerabilityAssessments.html is deprecated (you use it as an example here: https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#preview-and-deprecated-policies). It should be replaced in the policy initiative "Deploy SQL Database built-in SQL security configuration" (Deploy-Sql-Security).
4. Add the built-in policy "Configure SQL servers to have auditing enabled to Log Analytics workspace" to the policy initiative "Deploy SQL Database built-in SQL security configuration" (Deploy-Sql-Security). This built-in policy is currently part of the policy list under Landing Zones.
5. Improve the built-in policy "Configure Azure Defender to be enabled on SQL servers" with the same parameters as "Deploy SQL Database security Alert Policies configuration with email admin accounts" (Deploy-Sql-SecurityAlertPolicies), so that the ALZ custom policy can be deprecated.
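The checks behind points 2, 3 and 4 (a definition assigned standalone that an initiative already contains, a deprecated definition still referenced by an initiative, and a required built-in missing from an initiative) can be scripted against exported policy set definitions and assignments. The following is an added example and is not code from the Enterprise-Scale repository: the sample initiatives, assignments and definition catalog are constructed, the GUID segments are placeholders rather than the real built-in definition IDs, and it relies on the `properties.policyDefinitions[].policyDefinitionId`, `properties.policyDefinitionId` and `properties.metadata.deprecated` fields of the Azure Policy resource shapes.

```python
import json
from typing import Dict, List, Set, Tuple

# Constructed sample data (not the ALZ repository's real definitions). The shapes follow
# Azure's Microsoft.Authorization/policySetDefinitions and policyAssignments resources;
# "PLACEHOLDER-*-GUID" stands in for the real built-in definition GUIDs.
SAMPLE_INITIATIVES = json.loads("""
[
  {"name": "Deploy-Sql-Security",
   "properties": {
     "displayName": "Deploy SQL Database built-in SQL security configuration",
     "policyDefinitions": [
       {"policyDefinitionReferenceId": "SqlDbTde",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/PLACEHOLDER-TDE-GUID"},
       {"policyDefinitionReferenceId": "SqlVulnerabilityAssessment",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/PLACEHOLDER-VA-GUID"}
     ]}}
]
""")

# Standalone assignments as a landing-zone management group might carry them. Note the
# differently cased ID on the first one: Azure resource IDs are case-insensitive.
SAMPLE_ASSIGNMENTS = json.loads("""
[
  {"name": "Deploy-SQL-TDE",
   "properties": {"displayName": "Deploy TDE on SQL servers",
                  "policyDefinitionId": "/providers/microsoft.authorization/policydefinitions/placeholder-tde-guid"}},
  {"name": "Deploy-SQL-Audit",
   "properties": {"displayName": "Configure SQL servers to have auditing enabled to Log Analytics workspace",
                  "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/PLACEHOLDER-AUDIT-GUID"}}
]
""")

# Constructed catalog of definition metadata, keyed by lower-cased definition ID, as one
# would build from `az policy definition list` output. Deprecated built-ins carry
# "deprecated": true in their metadata.
SAMPLE_CATALOG = {
    "/providers/microsoft.authorization/policydefinitions/placeholder-tde-guid": {"deprecated": False},
    "/providers/microsoft.authorization/policydefinitions/placeholder-va-guid": {"deprecated": True},
    "/providers/microsoft.authorization/policydefinitions/placeholder-audit-guid": {"deprecated": False},
}


def initiative_members(initiatives: List[dict]) -> Dict[str, Set[str]]:
    """Map each initiative name to the lower-cased definition IDs it references."""
    members: Dict[str, Set[str]] = {}
    for init in initiatives:
        refs = init["properties"].get("policyDefinitions", [])
        members[init["name"]] = {r["policyDefinitionId"].lower() for r in refs}
    return members


def redundant_assignments(assignments: List[dict], initiatives: List[dict]) -> List[Tuple[str, str]]:
    """(assignment name, initiative name) for each standalone assignment whose definition
    an initiative in the same scope already contains (point 2)."""
    members = initiative_members(initiatives)
    hits: List[Tuple[str, str]] = []
    for a in assignments:
        def_id = a["properties"]["policyDefinitionId"].lower()
        for init_name, ids in members.items():
            if def_id in ids:
                hits.append((a["name"], init_name))
    return hits


def deprecated_references(initiative_name: str, initiatives: List[dict],
                          catalog: Dict[str, dict]) -> List[str]:
    """Reference IDs inside the named initiative whose definition is flagged deprecated
    (point 3). Definitions absent from the catalog are treated as not deprecated."""
    for init in initiatives:
        if init["name"] != initiative_name:
            continue
        return [r["policyDefinitionReferenceId"]
                for r in init["properties"].get("policyDefinitions", [])
                if catalog.get(r["policyDefinitionId"].lower(), {}).get("deprecated", False)]
    return []


def definitions_missing_from(initiative_name: str, required_ids: List[str],
                             initiatives: List[dict]) -> List[str]:
    """Required definition IDs the named initiative does not yet contain (point 4)."""
    members = initiative_members(initiatives).get(initiative_name, set())
    return [d for d in required_ids if d.lower() not in members]


if __name__ == "__main__":
    audit = "/providers/Microsoft.Authorization/policyDefinitions/PLACEHOLDER-AUDIT-GUID"
    print("redundant:", redundant_assignments(SAMPLE_ASSIGNMENTS, SAMPLE_INITIATIVES))
    print("deprecated:", deprecated_references("Deploy-Sql-Security", SAMPLE_INITIATIVES, SAMPLE_CATALOG))
    print("missing:", definitions_missing_from("Deploy-Sql-Security", [audit], SAMPLE_INITIATIVES))
```

On the constructed data the script reports the TDE assignment as redundant against Deploy-Sql-Security, the vulnerability-assessment reference as deprecated, and the auditing built-in as missing from the initiative, which is exactly the state the three points above describe. Against a real tenant, feed it the JSON from `az policy set-definition list` and `az policy assignment list` for the landing-zone management group.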