Closed guidovanbrakel closed 2 months ago
Can you please provide any error messages, global-settings.json file and an example assignment? There isn't a lot to go on in your description. Generally if policies aren't being assigned it is due to the scope in the assignment file
From: guidovanbrakel
Sent: Saturday, September 21, 2024 6:05:48 PM
To: Azure/enterprise-azure-policy-as-code
Subject: [Azure/enterprise-azure-policy-as-code] Policies are not getting assigned when I tried to deploy them (Issue #751, https://github.com/Azure/enterprise-azure-policy-as-code/issues/751)
Hello @anwather
This is what my global settings look like:
{
  "$schema": "https://raw.githubusercontent.com/Azure/enterprise-azure-policy-as-code/main/Schemas/global-settings-schema.json",
  "pacOwnerId": "bd715eb8-36d2-4d33-8db0-505e04c0e4aa",
  "pacEnvironments": [
    {
      "pacSelector": "EPAC-DEV",
      "cloud": "AzureCloud",
      "tenantId": "xxx",
      "deploymentRootScope": "/providers/Microsoft.Management/managementGroups/xx",
      "desiredState": { // [optional]
        "strategy": "full", // default full
        "keepDfcSecurityAssignments": true, // default false
        "doNotDisableDeprecatedPolicies": false
      },
      "globalNotScopes": [],
      "managedIdentityLocation": "eastus"
    },
    {
      "pacSelector": "EPAC-PROD",
      "cloud": "AzureCloud",
      "tenantId": "xx",
      "deploymentRootScope": "/providers/Microsoft.Management/managementGroups/xx",
      "desiredState": { // [optional]
        "strategy": "full", // default full
        "keepDfcSecurityAssignments": true, // default false
        "doNotDisableDeprecatedPolicies": false
      },
      "globalNotScopes": [],
      "managedIdentityLocation": "eastus"
    }
  ]
}
And this is an assignment file; they are the ALZ defaults.
{
  "$schema": "https://raw.githubusercontent.com/Azure/enterprise-azure-policy-as-code/main/Schemas/policy-assignment-schema.json",
  "nodeName": "/Corp/",
  "scope": {
    "tenant1": [ // Replace with your EPAC environment name and validate the management group listed below exists
      "/providers/Microsoft.Management/managementGroups/Guido"
    ]
  },
  "children": [
    {
      "nodeName": "Networking/",
      "children": [
        {
          "nodeName": "PublicEndpoint",
          "assignment": {
            "name": "Deny-Public-Endpoints",
            "displayName": "Public network access should be disabled for PaaS services",
            "description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints"
          },
          "definitionEntry": {
            "policySetName": "Deny-PublicPaaSEndpoints",
            "displayName": "Deny Public PaaS Endpoints"
          },
          "nonComplianceMessages": [
            {
              "message": "Public network access must be disabled for PaaS services."
            }
          ]
        },
        {
          "nodeName": "DNSZones",
          "assignment": {
            "name": "Deploy-Private-DNS-Zones",
            "displayName": "Configure Azure PaaS services to use private DNS zones",
            "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones."
          },
          "definitionEntry": {
            "policySetName": "Deploy-Private-DNS-Zones",
            "displayName": "Deploy Private DNS Zones"
          },
          "parameters": {
            // Replace gvb12-- with a value similar to
            // "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myorg-dns/providers/Microsoft.Network/privateDnsZones/"
            // but modify to reference your connectivity subscription.
            // Also update additionalRoleAssignments block to ensure your connectivity subscription Id is referenced.
            // If you don't require this then remove the assignment block.
            "azureFilePrivateDnsZoneId": "gvb12--privatelink.afs.azure.net",
            "azureAutomationWebhookPrivateDnsZoneId": "gvb12--privatelink.azure-automation.net",
            "azureAutomationDSCHybridPrivateDnsZoneId": "gvb12--privatelink.azure-automation.net",
            "azureCosmosSQLPrivateDnsZoneId": "gvb12--privatelink.documents.azure.com",
            "azureCosmosMongoPrivateDnsZoneId": "gvb12--privatelink.mongo.cosmos.azure.com",
            "azureCosmosCassandraPrivateDnsZoneId": "gvb12--privatelink.cassandra.cosmos.azure.com",
            "azureCosmosGremlinPrivateDnsZoneId": "gvb12--privatelink.gremlin.cosmos.azure.com",
            "azureCosmosTablePrivateDnsZoneId": "gvb12--privatelink.table.cosmos.azure.com",
            "azureDataFactoryPrivateDnsZoneId": "gvb12--privatelink.datafactory.azure.net",
            "azureDataFactoryPortalPrivateDnsZoneId": "gvb12--privatelink.adf.azure.com",
            "azureDatabricksPrivateDnsZoneId": "gvb12--privatelink.azuredatabricks.net",
            "azureHDInsightPrivateDnsZoneId": "gvb12--privatelink.azurehdinsight.net",
            "azureMigratePrivateDnsZoneId": "gvb12--privatelink.prod.migration.windowsazure.com",
            "azureStorageBlobPrivateDnsZoneId": "gvb12--privatelink.blob.core.windows.net",
            "azureStorageBlobSecPrivateDnsZoneId": "gvb12--privatelink.blob.core.windows.net",
            "azureStorageQueuePrivateDnsZoneId": "gvb12--privatelink.queue.core.windows.net",
            "azureStorageQueueSecPrivateDnsZoneId": "gvb12--privatelink.queue.core.windows.net",
            "azureStorageFilePrivateDnsZoneId": "gvb12--privatelink.file.core.windows.net",
            "azureStorageStaticWebPrivateDnsZoneId": "gvb12--privatelink.web.core.windows.net",
            "azureStorageStaticWebSecPrivateDnsZoneId": "gvb12--privatelink.web.core.windows.net",
            "azureStorageDFSPrivateDnsZoneId": "gvb12--privatelink.dfs.core.windows.net",
            "azureStorageDFSSecPrivateDnsZoneId": "gvb12--privatelink.dfs.core.windows.net",
            "azureSynapseSQLPrivateDnsZoneId": "gvb12--privatelink.sql.azuresynapse.net",
            "azureSynapseSQLODPrivateDnsZoneId": "gvb12--privatelink.sql.azuresynapse.net",
            "azureSynapseDevPrivateDnsZoneId": "gvb12--privatelink.dev.azuresynapse.net",
            "azureMediaServicesKeyPrivateDnsZoneId": "gvb12--privatelink.media.azure.net",
            "azureMediaServicesLivePrivateDnsZoneId": "gvb12--privatelink.media.azure.net",
            "azureMediaServicesStreamPrivateDnsZoneId": "gvb12--privatelink.media.azure.net",
            "azureMonitorPrivateDnsZoneId1": "gvb12--privatelink.monitor.azure.com",
            "azureMonitorPrivateDnsZoneId2": "gvb12--privatelink.oms.opinsights.azure.com",
            "azureMonitorPrivateDnsZoneId3": "gvb12--privatelink.ods.opinsights.azure.com",
            "azureMonitorPrivateDnsZoneId4": "gvb12--privatelink.agentsvc.azure-automation.net",
            "azureMonitorPrivateDnsZoneId5": "gvb12--privatelink.blob.core.windows.net",
            "azureWebPrivateDnsZoneId": "gvb12--privatelink.webpubsub.azure.com",
            "azureBatchPrivateDnsZoneId": "gvb12--privatelink.batch.azure.com",
            "azureAppPrivateDnsZoneId": "gvb12--privatelink.azconfig.io",
            "azureAsrPrivateDnsZoneId": "gvb12--privatelink.siterecovery.windowsazure.com",
            "azureIotPrivateDnsZoneId": "gvb12--privatelink.azure-devices-provisioning.net",
            "azureKeyVaultPrivateDnsZoneId": "gvb12--privatelink.vaultcore.azure.net",
            "azureSignalRPrivateDnsZoneId": "gvb12--privatelink.service.signalr.net",
            "azureAppServicesPrivateDnsZoneId": "gvb12--privatelink.azurewebsites.net",
            "azureEventGridTopicsPrivateDnsZoneId": "gvb12--privatelink.eventgrid.azure.net",
            "azureDiskAccessPrivateDnsZoneId": "gvb12--privatelink.blob.core.windows.net",
            "azureCognitiveServicesPrivateDnsZoneId": "gvb12--privatelink.cognitiveservices.azure.com",
            "azureIotHubsPrivateDnsZoneId": "gvb12--privatelink.azure-devices.net",
            "azureEventGridDomainsPrivateDnsZoneId": "gvb12--privatelink.eventgrid.azure.net",
            "azureRedisCachePrivateDnsZoneId": "gvb12--privatelink.redis.cache.windows.net",
            "azureAcrPrivateDnsZoneId": "gvb12--privatelink.azurecr.io",
            "azureEventHubNamespacePrivateDnsZoneId": "gvb12--privatelink.servicebus.windows.net",
            "azureMachineLearningWorkspacePrivateDnsZoneId": "gvb12--privatelink.api.azureml.ms",
            "azureMachineLearningWorkspaceSecondPrivateDnsZoneId": "gvb12--privatelink.notebooks.azure.net",
            "azureServiceBusNamespacePrivateDnsZoneId": "gvb12--privatelink.servicebus.windows.net",
            "azureCognitiveSearchPrivateDnsZoneId": "gvb12--privatelink.search.windows.net",
            "azureBotServicePrivateDnsZoneId": "gvb12--privatelink.directline.botframework.com",
            "azureManagedGrafanaWorkspacePrivateDnsZoneId": "gvb12--privatelink.grafana.azure.com",
            "azureVirtualDesktopHostpoolPrivateDnsZoneId": "gvb12--privatelink.wvd.microsoft.com",
            "azureVirtualDesktopWorkspacePrivateDnsZoneId": "gvb12--privatelink.wvd.microsoft.com",
            "azureIotDeviceupdatePrivateDnsZoneId": "gvb12--privatelink.azure-devices.net",
            "azureArcGuestconfigurationPrivateDnsZoneId": "gvb12--privatelink.guestconfiguration.azure.com",
            "azureArcHybridResourceProviderPrivateDnsZoneId": "gvb12--privatelink.his.arc.azure.com",
            "azureArcKubernetesConfigurationPrivateDnsZoneId": "gvb12--privatelink.dp.kubernetesconfiguration.azure.com",
            "azureIotCentralPrivateDnsZoneId": "gvb12--privatelink.azureiotcentral.com",
            "azureStorageTablePrivateDnsZoneId": "gvb12--privatelink.table.core.windows.net",
            "azureStorageTableSecondaryPrivateDnsZoneId": "gvb12--privatelink.table.core.windows.net",
            "azureSiteRecoveryBackupPrivateDnsZoneID": "gvb12--privatelink.--REGION-SHORT-CODE--.backup.windowsazure.com",
            "azureSiteRecoveryBlobPrivateDnsZoneID": "gvb12--privatelink.blob.core.windows.net",
            "azureSiteRecoveryQueuePrivateDnsZoneID": "gvb12--privatelink.queue.core.windows.net"
          },
          "nonComplianceMessages": [
            {
              "message": "Azure PaaS services must use private DNS zones."
            }
          ],
          "additionalRoleAssignments": {
            "*": [
              {
                "roleDefinitionId": "/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7",
                "scope": "/subscriptions/a0e83f75-c464-4159-9fb4-83243e29e0be" // Replace with your connectivity subscription Id
              }
            ]
          }
        },
        {
          "nodeName": "NoPublicIP",
          "assignment": {
            "name": "Deny-Public-IP-On-NIC",
            "description": "This policy denies network interfaces from having a public IP associated to it under the assigned scope.",
            "displayName": "Deny network interfaces having a public IP associated"
          },
          "definitionEntry": {
            "policyId": "/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114"
          },
          "nonComplianceMessages": [
            {
              "message": "Network interfaces must not have a public IP associated."
            }
          ]
        },
        {
          "nodeName": "DenyNetworking",
          "assignment": {
            "name": "Deny-HybridNetworking",
            "description": "Denies deployment of vWAN/ER/VPN gateway resources in the Corp landing zone.",
            "displayName": "Deny the deployment of vWAN/ER/VPN gateway resources"
          },
          "definitionEntry": {
            "policyId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
            "displayName": "Not allowed resource types"
          },
          "parameters": {
            "listOfResourceTypesNotAllowed": [
              "microsoft.network/expressroutecircuits",
              "microsoft.network/expressroutegateways",
              "microsoft.network/expressrouteports",
              "microsoft.network/virtualwans",
              "microsoft.network/virtualhubs",
              "microsoft.network/vpngateways",
              "microsoft.network/p2svpngateways",
              "microsoft.network/vpnsites",
              "microsoft.network/virtualnetworkgateways"
            ]
          },
          "nonComplianceMessages": [
            {
              "message": "vWAN/ER/VPN gateway resources must not be deployed in the Corp landing zone."
            }
          ]
        },
        {
          "nodeName": "PLink",
          "assignment": {
            "name": "Audit-PeDnsZones",
            "description": "Audits the deployment of Private Link Private DNS Zone resources in the Corp landing zone.",
            "displayName": "Audit Private Link Private DNS Zone resources"
          },
          "definitionEntry": {
            "policyName": "Audit-PrivateLinkDnsZones"
          },
          "parameters": {
            // Replace the ---location--- with the location of the Private Link Private DNS Zone resource
            // Replace the ---short-code-location--- with the location short code of the Private Link Private DNS Zone resource e.g. "ae" for Australia East
            "privateLinkDnsZones": [
              "privatelink.---short-code-location---.backup.windowsazure.com",
              "privatelink.---location---.azmk8s.io",
              "privatelink.---location---.batch.azure.com",
              "privatelink.---location---.kusto.windows.net",
              "privatelink.adf.azure.com",
              "privatelink.afs.azure.net",
              "privatelink.agentsvc.azure-automation.net",
              "privatelink.analysis.windows.net",
              "privatelink.api.azureml.ms",
              "privatelink.azconfig.io",
              "privatelink.azure-api.net",
              "privatelink.azure-automation.net",
              "privatelink.azurecr.io",
              "privatelink.azure-devices.net",
              "privatelink.azure-devices-provisioning.net",
              "privatelink.azuredatabricks.net",
              "privatelink.azurehdinsight.net",
              "privatelink.azurehealthcareapis.com",
              "privatelink.azureiotcentral.com",
              "privatelink.azurestaticapps.net",
              "privatelink.azuresynapse.net",
              "privatelink.azurewebsites.net",
              "privatelink.batch.azure.com",
              "privatelink.blob.core.windows.net",
              "privatelink.cassandra.cosmos.azure.com",
              "privatelink.cognitiveservices.azure.com",
              "privatelink.database.windows.net",
              "privatelink.datafactory.azure.net",
              "privatelink.dev.azuresynapse.net",
              "privatelink.dfs.core.windows.net",
              "privatelink.dicom.azurehealthcareapis.com",
              "privatelink.digitaltwins.azure.net",
              "privatelink.directline.botframework.com",
              "privatelink.documents.azure.com",
              "privatelink.dp.kubernetesconfiguration.azure.com",
              "privatelink.eventgrid.azure.net",
              "privatelink.file.core.windows.net",
              "privatelink.grafana.azure.com",
              "privatelink.gremlin.cosmos.azure.com",
              "privatelink.guestconfiguration.azure.com",
              "privatelink.his.arc.azure.com",
              "privatelink.kubernetesconfiguration.azure.com",
              "privatelink.managedhsm.azure.net",
              "privatelink.mariadb.database.azure.com",
              "privatelink.media.azure.net",
              "privatelink.mongo.cosmos.azure.com",
              "privatelink.monitor.azure.com",
              "privatelink.mysql.database.azure.com",
              "privatelink.notebooks.azure.net",
              "privatelink.ods.opinsights.azure.com",
              "privatelink.oms.opinsights.azure.com",
              "privatelink.pbidedicated.windows.net",
              "privatelink.postgres.database.azure.com",
              "privatelink.prod.migration.windowsazure.com",
              "privatelink.purview.azure.com",
              "privatelink.purviewstudio.azure.com",
              "privatelink.queue.core.windows.net",
              "privatelink.redis.cache.windows.net",
              "privatelink.redisenterprise.cache.azure.net",
              "privatelink.search.windows.net",
              "privatelink.service.signalr.net",
              "privatelink.servicebus.windows.net",
              "privatelink.siterecovery.windowsazure.com",
              "privatelink.sql.azuresynapse.net",
              "privatelink.table.core.windows.net",
              "privatelink.table.cosmos.azure.com",
              "privatelink.tip1.powerquery.microsoft.com",
              "privatelink.token.botframework.com",
              "privatelink.vaultcore.azure.net",
              "privatelink.web.core.windows.net",
              "privatelink.webpubsub.azure.com",
              "privatelink.wvd.microsoft.com",
              "privatelink-global.wvd.microsoft.com"
            ]
          },
          "nonComplianceMessages": [
            {
              "message": "Private Link Private DNS Zone resources must be deployed in the Corp landing zone."
            }
          ]
        }
      ]
    }
  ]
}
Ok - you need to check that assignment file - there are comments in there on what fields to update. For instance under scope - you should replace that with EPAC-PROD or EPAC-DEV and update the management group. That is what controls whether the assignment will be deployed or not.
"scope": {
  "EPAC-DEV": [
    "/providers/Microsoft.Management/managementGroups/Guido"
  ]
}
Thanks, I'm now getting these errors:
When I run
Deploy-PolicyPlan -DefinitionsRootFolder .\Definitions -InputFolder .\Output
Exception calling "Add" with "2" argument(s): "Item has already been added. Key in dictionary:
| '/providers/Microsoft.Management/managementGroups/Guido/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Monitoring' Key being added: '/providers/Microsoft.Management/managementGroups/Guido/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Monitoring'"
Full error:
===================================================================================================
Processing Policy Assignments JSON files in folder 'Definitions/policyAssignments'
===================================================================================================
Number of Policy Assignment files = 10
New 'Virtual networks should be protected by Azure DDoS Network Protection' at /managementGroups/Guido
add role Network Contributor at /managementGroups/Guido
New 'Public network access should be disabled for PaaS services' at /managementGroups/Guido
New 'Configure Azure PaaS services to use private DNS zones' at /managementGroups/Guido
add role Network Contributor at /managementGroups/Guido
add role Private DNS Zone Contributor at /managementGroups/Guido
add role Contributor at /managementGroups/Guido
add role Network Contributor at /subscriptions/a0e83f75-c464-4159-9fb4-83243e29e0be
New 'Deny network interfaces having a public IP associated' at /managementGroups/Guido
New 'Deny the deployment of vWAN/ER/VPN gateway resources' at /managementGroups/Guido
New 'Audit Private Link Private DNS Zone resources' at /managementGroups/Guido
New 'Enforce ALZ Decommissioned Guardrails' at /managementGroups/Guido
add role Virtual Machine Contributor at /managementGroups/Guido
New 'Deny the creation of public IP' at /managementGroups/Guido
New 'Management port access from the Internet should be blocked' at /managementGroups/Guido
New 'Subnets should have a Network Security Group' at /managementGroups/Guido
New 'Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy' at /managementGroups/Guido
add role Virtual Machine Contributor at /managementGroups/Guido
add role Backup Contributor at /managementGroups/Guido
New 'Kubernetes clusters should not allow container privilege escalation' at /managementGroups/Guido
New 'Kubernetes cluster should not allow privileged containers' at /managementGroups/Guido
New 'Kubernetes clusters should be accessible only over HTTPS' at /managementGroups/Guido
New 'Deploy Azure Policy Add-on to Azure Kubernetes Service clusters' at /managementGroups/Guido
add role Azure Kubernetes Service Contributor Role at /managementGroups/Guido
add role Azure Kubernetes Service Policy Add-on Deployment at /managementGroups/Guido
New 'Network interfaces should disable IP forwarding' at /managementGroups/Guido
MethodInvocationException: C:\Users\r01_gvbrakel\OneDrive - RAM Infotechnology\Documents\PowerShell\Modules\EnterprisePolicyAsCode\10.6.0\internal\functions\Build-AssignmentPlan.ps1:254
Line |
254 | $null = $Assignments.new.Add($id, $assignment)
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Exception calling "Add" with "2" argument(s): "Item has already been added. Key in dictionary:
| '/providers/Microsoft.Management/managementGroups/Guido/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg' Key being added: '/providers/Microsoft.Management/managementGroups/Guido/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg'"
New 'Subnets should have a Network Security Group' at /managementGroups/Guido
New 'Virtual networks should be protected by Azure DDoS Network Protection' at /managementGroups/Guido
add role Network Contributor at /managementGroups/Guido
New 'Web Application Firewall (WAF) should be enabled for Application Gateway' at /managementGroups/Guido
New 'Secure transfer to storage accounts should be enabled' at /managementGroups/Guido
New 'Configure SQL servers to have auditing enabled to Log Analytics workspace' at /managementGroups/Guido
add role Log Analytics Contributor at /managementGroups/Guido
add role SQL Security Manager at /managementGroups/Guido
MethodInvocationException: C:\Users\r01_gvbrakel\OneDrive - RAM Infotechnology\Documents\PowerShell\Modules\EnterprisePolicyAsCode\10.6.0\internal\functions\Build-AssignmentPlan.ps1:254
Line |
254 | $null = $Assignments.new.Add($id, $assignment)
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Exception calling "Add" with "2" argument(s): "Item has already been added. Key in dictionary:
| '/providers/Microsoft.Management/managementGroups/Guido/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Backup' Key being added: '/providers/Microsoft.Management/managementGroups/Guido/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Backup'"
New 'Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy' at /managementGroups/Guido
add role Virtual Machine Contributor at /managementGroups/Guido
add role Backup Contributor at /managementGroups/Guido
New 'Enforce recommended guardrails for Azure Key Vault' at /managementGroups/Guido
New 'Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit' at /managementGroups/Guido
add role SQL Managed Instance Contributor at /managementGroups/Guido
add role Website Contributor at /managementGroups/Guido
add role Storage Account Contributor at /managementGroups/Guido
add role Contributor at /managementGroups/Guido
add role SQL Server Contributor at /managementGroups/Guido
New 'Deploy Threat Detection on SQL servers' at /managementGroups/Guido
add role SQL Security Manager at /managementGroups/Guido
New 'Deploy TDE on SQL servers' at /managementGroups/Guido
add role SQL DB Contributor at /managementGroups/Guido
New 'Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace' at /managementGroups/Guido
add role Virtual Machine Contributor at /managementGroups/Guido
add role Log Analytics Contributor at /managementGroups/Guido
add role Azure Connected Machine Resource Administrator at /managementGroups/Guido
add role Contributor at /managementGroups/Guido
add role Monitoring Contributor at /managementGroups/Guido
MethodInvocationException: C:\Users\r01_gvbrakel\OneDrive - RAM Infotechnology\Documents\PowerShell\Modules\EnterprisePolicyAsCode\10.6.0\internal\functions\Build-AssignmentPlan.ps1:254
Line |
254 | $null = $Assignments.new.Add($id, $assignment)
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Exception calling "Add" with "2" argument(s): "Item has already been added. Key in dictionary:
| '/providers/Microsoft.Management/managementGroups/Guido/providers/Microsoft.Authorization/policyAssignments/Deny-MgmtPorts-Internet' Key being added: '/providers/Microsoft.Management/managementGroups/Guido/providers/Microsoft.Authorization/policyAssignments/Deny-MgmtPorts-Internet'"
New 'Management port access from the Internet should be blocked' at /managementGroups/Guido
New 'Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines.' at /managementGroups/Guido
add role Azure Connected Machine Resource Administrator at /managementGroups/Guido
add role Contributor at /managementGroups/Guido
New 'Enable Azure Monitor for VMs' at /managementGroups/Guido
add role Virtual Machine Contributor at /managementGroups/Guido
add role User Access Administrator at /managementGroups/Guido
add role Log Analytics Contributor at /managementGroups/Guido
add role Contributor at /managementGroups/Guido
add role Monitoring Contributor at /managementGroups/Guido
New 'Enable Azure Monitor for Virtual Machine Scale Sets' at /managementGroups/Guido
add role Virtual Machine Contributor at /managementGroups/Guido
add role User Access Administrator at /managementGroups/Guido
add role Log Analytics Contributor at /managementGroups/Guido
add role Contributor at /managementGroups/Guido
add role Monitoring Contributor at /managementGroups/Guido
New 'Enable Azure Monitor for Hybrid Virtual Machines' at /managementGroups/Guido
add role Monitoring Contributor at /managementGroups/Guido
add role Azure Connected Machine Resource Administrator at /managementGroups/Guido
add role Log Analytics Contributor at /managementGroups/Guido
New 'Enable ChangeTracking and Inventory for virtual machines' at /managementGroups/Guido
add role Virtual Machine Contributor at /managementGroups/Guido
add role User Access Administrator at /managementGroups/Guido
add role Log Analytics Contributor at /managementGroups/Guido
add role Contributor at /managementGroups/Guido
add role Monitoring Contributor at /managementGroups/Guido
New 'Enable ChangeTracking and Inventory for virtual machine scale sets' at /managementGroups/Guido
add role Virtual Machine Contributor at /managementGroups/Guido
add role User Access Administrator at /managementGroups/Guido
add role Log Analytics Contributor at /managementGroups/Guido
add role Contributor at /managementGroups/Guido
add role Monitoring Contributor at /managementGroups/Guido
New 'Enable ChangeTracking and Inventory for Arc-enabled virtual machines' at /managementGroups/Guido
add role Azure Connected Machine Resource Administrator at /managementGroups/Guido
add role Log Analytics Contributor at /managementGroups/Guido
add role Monitoring Contributor at /managementGroups/Guido
New 'Enforce enhanced recovery and backup policies' at /managementGroups/Guido
New 'Configure Log Analytics workspace and automation account to centralize logs and monitoring' at /managementGroups/Guido
add role Contributor at /managementGroups/Guido
New 'Enforce recommended guardrails for Azure Key Vault' at /managementGroups/Guido
New 'Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace' at /managementGroups/Guido
add role Virtual Machine Contributor at /managementGroups/Guido
add role Log Analytics Contributor at /managementGroups/Guido
add role Azure Connected Machine Resource Administrator at /managementGroups/Guido
add role Contributor at /managementGroups/Guido
add role Monitoring Contributor at /managementGroups/Guido
MethodInvocationException: C:\Users\r01_gvbrakel\OneDrive - RAM Infotechnology\Documents\PowerShell\Modules\EnterprisePolicyAsCode\10.6.0\internal\functions\Build-AssignmentPlan.ps1:254
Line |
254 | $null = $Assignments.new.Add($id, $assignment)
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Exception calling "Add" with "2" argument(s): "Item has already been added. Key in dictionary:
| '/providers/Microsoft.Management/managementGroups/Guido/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Monitoring' Key being added: '/providers/Microsoft.Management/managementGroups/Guido/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Monitoring'"
New 'Enable Azure Monitor for VMs' at /managementGroups/Guido
add role Virtual Machine Contributor at /managementGroups/Guido
add role User Access Administrator at /managementGroups/Guido
add role Log Analytics Contributor at /managementGroups/Guido
add role Contributor at /managementGroups/Guido
add role Monitoring Contributor at /managementGroups/Guido
MethodInvocationException: C:\Users\r01_gvbrakel\OneDrive - RAM Infotechnology\Documents\PowerShell\Modules\EnterprisePolicyAsCode\10.6.0\internal\functions\Build-AssignmentPlan.ps1:254
Line |
254 | $null = $Assignments.new.Add($id, $assignment)
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Exception calling "Add" with "2" argument(s): "Item has already been added. Key in dictionary:
| '/providers/Microsoft.Management/managementGroups/Guido/providers/Microsoft.Authorization/policyAssignments/Deploy-VMSS-Monitoring' Key being added: '/providers/Microsoft.Management/managementGroups/Guido/providers/Microsoft.Authorization/policyAssignments/Deploy-VMSS-Monitoring'"
New 'Enable Azure Monitor for Virtual Machine Scale Sets' at /managementGroups/Guido
add role Virtual Machine Contributor at /managementGroups/Guido
add role User Access Administrator at /managementGroups/Guido
add role Log Analytics Contributor at /managementGroups/Guido
add role Contributor at /managementGroups/Guido
add role Monitoring Contributor at /managementGroups/Guido
MethodInvocationException: C:\Users\r01_gvbrakel\OneDrive - RAM Infotechnology\Documents\PowerShell\Modules\EnterprisePolicyAsCode\10.6.0\internal\functions\Build-AssignmentPlan.ps1:254
Line |
254 | $null = $Assignments.new.Add($id, $assignment)
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Exception calling "Add" with "2" argument(s): "Item has already been added. Key in dictionary:
| '/providers/Microsoft.Management/managementGroups/Guido/providers/Microsoft.Authorization/policyAssignments/Deploy-vmHybr-Monitoring' Key being added: '/providers/Microsoft.Management/managementGroups/Guido/providers/Microsoft.Authorization/policyAssignments/Deploy-vmHybr-Monitoring'"
New 'Enable Azure Monitor for Hybrid Virtual Machines' at /managementGroups/Guido
add role Monitoring Contributor at /managementGroups/Guido
add role Azure Connected Machine Resource Administrator at /managementGroups/Guido
add role Log Analytics Contributor at /managementGroups/Guido
New 'Do not allow deletion of the User Assigned Managed Identity used by AMA' at /managementGroups/Guido
MethodInvocationException: C:\Users\r01_gvbrakel\OneDrive - RAM Infotechnology\Documents\PowerShell\Modules\EnterprisePolicyAsCode\10.6.0\internal\functions\Build-AssignmentPlan.ps1:254
Line |
254 | $null = $Assignments.new.Add($id, $assignment)
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Exception calling "Add" with "2" argument(s): "Item has already been added. Key in dictionary:
| '/providers/Microsoft.Management/managementGroups/Guido/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-ChangeTrack' Key being added: '/providers/Microsoft.Management/managementGroups/Guido/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-ChangeTrack'"
New 'Enable ChangeTracking and Inventory for virtual machines' at /managementGroups/Guido
add role Virtual Machine Contributor at /managementGroups/Guido
add role User Access Administrator at /managementGroups/Guido
add role Log Analytics Contributor at /managementGroups/Guido
add role Contributor at /managementGroups/Guido
add role Monitoring Contributor at /managementGroups/Guido
MethodInvocationException: C:\Users\r01_gvbrakel\OneDrive - RAM Infotechnology\Documents\PowerShell\Modules\EnterprisePolicyAsCode\10.6.0\internal\functions\Build-AssignmentPlan.ps1:254
Line |
254 | $null = $Assignments.new.Add($id, $assignment)
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Exception calling "Add" with "2" argument(s): "Item has already been added. Key in dictionary:
| '/providers/Microsoft.Management/managementGroups/Guido/providers/Microsoft.Authorization/policyAssignments/Deploy-VMSS-ChangeTrack' Key being added: '/providers/Microsoft.Management/managementGroups/Guido/providers/Microsoft.Authorization/policyAssignments/Deploy-VMSS-ChangeTrack'"
New 'Enable ChangeTracking and Inventory for virtual machine scale sets' at /managementGroups/Guido
add role Virtual Machine Contributor at /managementGroups/Guido
add role User Access Administrator at /managementGroups/Guido
add role Log Analytics Contributor at /managementGroups/Guido
add role Contributor at /managementGroups/Guido
add role Monitoring Contributor at /managementGroups/Guido
MethodInvocationException: C:\Users\r01_gvbrakel\OneDrive - RAM Infotechnology\Documents\PowerShell\Modules\EnterprisePolicyAsCode\10.6.0\internal\functions\Build-AssignmentPlan.ps1:254
Line |
254 | $null = $Assignments.new.Add($id, $assignment)
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Exception calling "Add" with "2" argument(s): "Item has already been added. Key in dictionary:
| '/providers/Microsoft.Management/managementGroups/Guido/providers/Microsoft.Authorization/policyAssignments/Deploy-vmArc-ChangeTrack' Key being added: '/providers/Microsoft.Management/managementGroups/Guido/providers/Microsoft.Authorization/policyAssignments/Deploy-vmArc-ChangeTrack'"
New 'Enable ChangeTracking and Inventory for Arc-enabled virtual machines' at /managementGroups/Guido
add role Azure Connected Machine Resource Administrator at /managementGroups/Guido
add role Log Analytics Contributor at /managementGroups/Guido
add role Monitoring Contributor at /managementGroups/Guido
New 'Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines.' at /managementGroups/Guido
add role Azure Connected Machine Resource Administrator at /managementGroups/Guido
add role Contributor at /managementGroups/Guido
New 'Enforce enhanced recovery and backup policies' at /managementGroups/Guido
Write-Error: C:\Users\r01_gvbrakel\OneDrive - RAM Infotechnology\Documents\PowerShell\Modules\EnterprisePolicyAsCode\10.6.0\internal\functions\Build-AssignmentPlan.ps1:90
Line |
90 | … $hasErrors, $assignmentsList = Build-AssignmentDefinitionNode `
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Node //Root/: scope '/providers/Microsoft.Management/managementGroups/intermediatelevelmanagementgroup' is
| not defined in the ScopeTable.
Write-Error: C:\Users\r01_gvbrakel\OneDrive - RAM Infotechnology\Documents\PowerShell\Modules\EnterprisePolicyAsCode\10.6.0\functions\Build-DeploymentPlans.ps1:320
Line |
320 | Build-AssignmentPlan `
| ~~~~~~~~~~~~~~~~~~~~~~
| Assignment definitions content errors
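The two failure modes in this thread, an assignment branch whose scope key names no pacSelector (so EPAC quietly never selects it) and two branches or files that produce the same assignment name at the same management group (the "Item has already been added" exception from Build-AssignmentPlan.ps1 above), are both visible in the Definitions folder before anything talks to Azure. The script below is an added example written for this page; it is not EPAC code and not part of any post in the thread. It reads global-settings.json, walks every assignment file under policyAssignments, and reports the problems it can detect offline. It relies on my reading of EPAC's tree rules (scope is inherited down the tree, the assignment name is the concatenation of the assignment.name fragments from root to leaf, a node without children is a leaf); the function names, the placeholder pattern and the folder layout are assumptions; it needs PowerShell 7 so that ConvertFrom-Json accepts the // comments the files contain.

```powershell
# Added example (not EPAC code): lint EPAC assignment files before Build-DeploymentPlans.
# Assumes PowerShell 7+ and the default layout <Definitions>/global-settings.json and
# <Definitions>/policyAssignments/*.json|*.jsonc. Function names are my own.

function Get-EpacAssignmentLeaves {
    # Walk one assignment tree. 'scope' is inherited downwards; the final assignment name is
    # the concatenation of every ancestor's assignment.name fragment (assumption about EPAC;
    # the ALZ defaults put the whole name on the leaf, so it is a no-op for them).
    # Emits one record per (pacSelector, scope, name) the leaf would create.
    param($Node, $InheritedScope, [string]$NamePrefix, [string]$NodePath, [string]$File)

    $scope    = if ($null -ne $Node.scope) { $Node.scope } else { $InheritedScope }
    $name     = $NamePrefix + [string]($Node.assignment.name)
    $nodePath = $NodePath + [string]($Node.nodeName)

    if ($Node.children) {
        foreach ($child in $Node.children) {
            Get-EpacAssignmentLeaves -Node $child -InheritedScope $scope -NamePrefix $name -NodePath $nodePath -File $File
        }
        return
    }
    if ($null -eq $scope) {
        [pscustomobject]@{ File = $File; Node = $nodePath; PacSelector = $null; Scope = $null; Name = $name; Problem = 'no scope defined anywhere on this branch' }
        return
    }
    foreach ($selector in $scope.PSObject.Properties.Name) {
        foreach ($s in @($scope.$selector)) {
            [pscustomobject]@{ File = $File; Node = $nodePath; PacSelector = $selector; Scope = $s; Name = $name; Problem = $null }
        }
    }
}

function Test-EpacDefinitions {
    param([string]$DefinitionsRootFolder = '.\Definitions')

    $settings  = Get-Content (Join-Path $DefinitionsRootFolder 'global-settings.json') -Raw | ConvertFrom-Json
    $selectors = @($settings.pacEnvironments.pacSelector)

    $files  = Get-ChildItem (Join-Path $DefinitionsRootFolder 'policyAssignments') -Recurse -File -Include *.json, *.jsonc
    $leaves = foreach ($f in $files) {
        $tree = Get-Content $f.FullName -Raw | ConvertFrom-Json
        Get-EpacAssignmentLeaves -Node $tree -InheritedScope $null -NamePrefix '' -NodePath '' -File $f.Name
    }

    $findings = [System.Collections.Generic.List[string]]::new()
    # Template placeholders seen in the ALZ default files (assumption; extend for your repo).
    $placeholder = 'intermediatelevelmanagementgroup|--[A-Za-z-]+--|-{3}[A-Za-z-]+-{3}'
    $validScope  = '^(/providers/Microsoft\.Management/managementGroups/[^/]+|/subscriptions/[0-9a-fA-F-]{36}(/resourceGroups/[^/]+)?)$'

    foreach ($l in $leaves) {
        $where = "$($l.File) node '$($l.Node)'"
        if ($l.Problem) { $findings.Add("$where : $($l.Problem)"); continue }

        # (a) A scope key that is not a pacSelector is not an error for EPAC: the branch is simply
        #     never selected for that environment, which is the 'nothing gets assigned' symptom.
        if ($l.PacSelector -notin $selectors) {
            $findings.Add("$where : scope key '$($l.PacSelector)' matches no pacSelector in global-settings.json ($($selectors -join ', ')); this branch will never deploy")
        }
        # (b) Leftover placeholders or malformed ids surface later as 'not defined in the ScopeTable'.
        if ($l.Scope -match $placeholder -or $l.Scope -notmatch $validScope) {
            $findings.Add("$where : scope '$($l.Scope)' looks like a placeholder or is not a management group, subscription or resource group id")
        }
        # (c) Azure caps policy assignment names at 24 characters at management group scope.
        if ($l.Scope -like '/providers/Microsoft.Management/managementGroups/*' -and $l.Name.Length -gt 24) {
            $findings.Add("$where : assignment name '$($l.Name)' is $($l.Name.Length) chars; the limit at management group scope is 24")
        }
    }

    # (d) Same name at the same scope within one pacEnvironment is the duplicate-key exception in
    #     Build-AssignmentPlan.ps1: typically two ALZ files (Platform and Landing Zones) both
    #     pointed at the same management group.
    $leaves | Where-Object { -not $_.Problem } |
        Group-Object PacSelector, Scope, Name |
        Where-Object Count -gt 1 |
        ForEach-Object {
            $first = $_.Group[0]
            $srcs  = ($_.Group | ForEach-Object { "$($_.File):$($_.Node)" }) -join ', '
            $findings.Add("[$($first.PacSelector)] '$($first.Name)' at $($first.Scope) is defined $($_.Count) times: $srcs")
        }

    return $findings
}

# Usage: run from the repo root, or pass the Definitions folder explicitly.
$problems = @(Test-EpacDefinitions -DefinitionsRootFolder '.\Definitions')
if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host 'No assignment scope or naming problems found.'
```

Run it as a pre-commit or pipeline step ahead of Build-DeploymentPlans; a non-zero exit blocks the run. Against the files in this thread it would flag the "tenant1" scope key as matching neither EPAC-DEV nor EPAC-PROD, the unreplaced "intermediatelevelmanagementgroup" scope, and every assignment that two files both place at managementGroups/Guido. It cannot tell you whether a management group is actually under deploymentRootScope, since that needs a call to Azure; EPAC's ScopeTable check still does that part.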
Describe the bug Policies are not getting assigned when I tried to deploy them
To Reproduce Deploy EPAC
Expected behavior A clear and concise description of what you expected to happen.
EPAC Version 10.6.0
===================================================================================================
Summary
Policy counts: 158 unchanged, 0 changes
Policy Set counts: 45 unchanged, 0 changes
Policy Assignment counts: 0 unchanged, 4 changes: new = 0, update = 0, replace = 0, delete = 4
Role Assignment counts: 8 changes: add = 0, update = 0, remove = 8
Output plan(s), if any, will be written to the following file(s):
Policy resource deployment required; writing Policy plan file 'Output/plans-EPAC-PROD/policy-plan.json'
Role assignment changes required; writing Policy plan file 'Output/plans-EPAC-PROD/roles-plan.json'