Azure / Enterprise-Scale

The Azure Landing Zones (Enterprise-Scale) architecture provides prescriptive guidance coupled with Azure best practices, and it follows design principles across the critical design areas for organizations to define their Azure architecture
https://aka.ms/alz
MIT License

Feature Request - Move Enforce-Guardrails-KeyVault to higher scope #1562

Closed vegazbabz closed 7 months ago

vegazbabz commented 7 months ago

It does not make sense to have “Enforce recommended guardrails for Azure Key Vault” (Enforce-Guardrails-KeyVault) on both Platform MG and Landing Zone MG. Recommend it to be moved to intermediate root – this will give you one policy, which is much cleaner from a compliance overview perspective. The more policies, the messier the compliance will be and more administrative overhead.

To expand on this, there should be an initiative for (Managed) HSM as well, given this is the recommended method of storing keys for maximum control (and compliance).

jtracey93 commented 7 months ago

Hey @vegazbabz, this assignment is made twice so it does not apply to the sandbox and decommissioned scopes, just like a number of other policies.

As for the managed HSM policy, that's a good ask; could you create a separate issue/ask for that one using the new GitHub issue form https://github.com/Azure/Enterprise-Scale/issues/new?assignees=&labels=feature&projects=&template=FEATURE_REQUEST.md&title=Feature+Request

Thanks