
Azure Governance and Management Blog

Time for new exciting news about AMBA-ALZ pattern!

BrunoGabrielli
Apr 08, 2025

Hello AMBA-ALZ customers,

We are super excited to share some good news that has happened since our last blog post, Exciting News: AMBA Portal Accelerator is now Generally Available!

We last updated you in January 2025, when the AMBA-ALZ portal accelerator reached GA. Since then, lots of improvements and new features have been added.

The following is a summary of what we've been working on:

  • Exclude Management Groups and/or Subscriptions from Policy Assignment
  • Additional alerts added to the Web initiative
  • Support for protecting log-search alert queries using Customer-Managed Key protected linked storage accounts
  • ARG query optimization for Log-search alerts
  • Exclusion of logical volumes from alerts
  • Several bug fixes and tool optimizations
  • Documentation update
  • Additional unit tests to improve the robustness and consistency of our code

Exclude Management Groups and/or Subscriptions from Policy Assignment

The primary benefit of the AMBA-ALZ pattern is its capability to facilitate monitoring at scale. To enhance this capability, we have introduced the option for customers to exclude certain parent-level resources, such as Management Groups or Subscriptions, at scale as well.

In release 2025-04-03, the exclusion feature for policy assignments has been enabled. This functionality utilizes new parameters that allow customers to specify either the Management Group ID or Subscription ID, or both.

Why this new feature? Easy answer: if we allow enablement at scale, we should also give the possibility to exclude at scale. Imagine that one management group has children (management groups or subscriptions) that you do not want to include in the policy assignment. Instead of going to the policy assignment and excluding the targets manually, you can configure them to be excluded during the AMBA-ALZ deployment. For example, if certain management groups and/or subscriptions should not follow the policy assignment due to different compliance requirements, this feature provides a streamlined way to manage those exclusions efficiently.

Additional alerts added to the Web initiative

The web initiative targets the Landing Zones management group and its subgroups, including the alert resources that send data to a Log Analytics workspace. Therefore, we have decided to add some Log Analytics and Application Insights related alerts to ensure that these resources do not encounter issues or get removed. Both cases translate into management and operations issues as well as into data loss, preventing the correct monitoring of infrastructure and workloads. The additional alerts added in release 2025-03-03 are:

  • LA Workspace Daily Cap Limit Reached Alert
  • Activity Log LA Workspace Regenerate Key Alert
  • Activity Log LA Workspace Delete Alert


Protect your log-search alert queries using Customer-Managed Key protected linked storage accounts

The query language used in Log Analytics is expressive, and queries can contain sensitive information in comments, in the query syntax, or both. Although all data and saved queries are encrypted at rest using Microsoft-managed keys (MMK), some organizations might require that such information is kept protected under a customer-managed key (CMK) policy. For this reason, in release 2025-03-03, we allowed our customers to save queries encrypted with a customer-managed key. Leveraging the Azure Monitor feature that lets you store saved queries and log search alerts encrypted with your own key in your own Storage Account when it is linked to your workspace, we enhanced the AMBA-ALZ standards to allow for more protection.

ARG query optimization

ARG queries are used in log-search alerts to enrich the capabilities of Azure Monitor. Thanks to ARG queries, it is possible to look for specific resource tags that allow the following features:

In release 2025-02-05 we revisited the initial release and optimized it to reduce the number of ARG calls within the same query. This was super helpful in speeding up query execution, using fewer Azure resources, and mitigating ARG query throttling problems.

Exclusion of logical volumes

By design, Azure Monitor has no concept of dynamic resource exclusion from alerts in the UI. Although it is possible to hard code resources to be excluded in the KQL query, this is not dynamic and would require editing the query every time a new resource needs to be excluded. Thanks to the Azure Monitor cross-service query feature (https://learn.microsoft.com/en-us/azure/azure-monitor/logs/azure-monitor-data-explorer-proxy), in release 2025-02-05 we introduced a mechanism that looks for a specific tag whose value, if specified, is used as the new threshold. This dynamic approach allows customers to use alerts with their default thresholds and override them where necessary for specific resources, without editing the alert queries.
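The two ideas above, a single ARG lookup instead of several, and tag-driven exclusion and threshold override, are easiest to see in one log-search alert query. The following is an added illustration written for this post; it is not the AMBA-ALZ project's own alert query. The tag names (amba-disk-threshold-override, amba-disk-exclude), the default threshold, and the choice of the InsightsMetrics LogicalDisk table are all assumptions made for the example.

```kql
// Low free disk space alert query built around ONE Azure Resource Graph
// (ARG) lookup that is joined into the metric data.
// Tag names below are hypothetical examples, not AMBA-ALZ's own tag names.
let defaultThreshold = 10;   // percent free space (assumed default)
let window = 15m;
// Unoptimized shape (avoid): one `arg("").Resources` statement to read the
// threshold tag and a second `arg("").Resources` statement to read the
// exclusion tag. Every extra arg() call is another ARG round-trip per alert
// evaluation, which is what drives ARG throttling.
// Optimized shape: fetch every VM's tags exactly once and project only the
// columns the query needs.
let vmTags = arg("").Resources
    | where type == "microsoft.compute/virtualmachines"
    | project _ResourceId = tolower(id),
              ThresholdOverride = tolong(tags["amba-disk-threshold-override"]),
              ExcludedVolumes = tostring(tags["amba-disk-exclude"]);
InsightsMetrics
| where TimeGenerated > ago(window)
| where Origin == "vm.azm.ms" and Namespace == "LogicalDisk" and Name == "FreeSpacePercentage"
| extend _ResourceId = tolower(_ResourceId)
| extend Disk = tostring(parse_json(Tags)["vm.azm.ms/mountId"])
| join kind=inner (vmTags) on _ResourceId
// Dynamic exclusion: a comma-separated list of volumes in the tag
// (e.g. "D:,E:") is skipped without touching the query text.
| where isempty(ExcludedVolumes) or not(set_has_element(split(ExcludedVolumes, ","), Disk))
// Threshold override: use the per-VM tag when present, else the default.
| extend Threshold = coalesce(ThresholdOverride, defaultThreshold)
| summarize AvgFreePct = avg(Val), Threshold = take_any(Threshold)
    by Computer, _ResourceId, Disk
| where AvgFreePct < Threshold
```

Because the join happens on the lowercased resource ID, a VM with no override tag still matches and simply falls back to defaultThreshold through coalesce, so the same query serves tagged and untagged resources alike. From a governance point of view, note that whoever can write these tags can effectively silence or loosen the alert for that VM, so tag write permissions deserve the same review as the alert rule itself.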

Bugfix and tool optimization

Thanks to our customers' feedback, several bugs spanning multiple areas have been reported and promptly fixed.

For instance, the missing managed identity role assignment for the Web initiative, as well as template validation and resource group name customization issues with the AMBA-ALZ portal accelerator, have been fixed.

Maintenance scripts have been consolidated to cater for the following scenarios:

  • Removal of the entire AMBA-ALZ pattern
  • Removal of notification assets
  • Removal of alerts
  • Removal of orphaned alerts
  • Removal of both policy and roles assignments
  • Removal of both policy initiatives and policy definitions

Documentation update

Our official documentation about the ALZ pattern (see: https://aka.ms/amba/alz) has been enhanced to bring more clarity, cover more features, and document more Known Issues and FAQ scenarios. All of this is meant to ease customer adoption of the AMBA-ALZ pattern and help customers get the most out of Azure Monitor.

Increased code robustness and consistency

Behind any feature release, bug fix or code optimization, there are lots of processes ensuring code integrity and consistency. Some of these processes are executed as unit tests. With a view to continuous improvement, we have added more unit tests aimed at preventing code errors and inconsistencies as far as possible.

Updated Apr 08, 2025
Version 2.0