Hello AMBA-ALZ customers,
Some time after our last blog post, Time for new exciting news about AMBA-ALZ pattern!, it is again time for some exciting news.
We are very thrilled to share that in September 2025 we were able to reach two important goals, both of them enhancing the Azure platform as well as the ALZ pattern. In summary, we have been working on the:
- Adoption of new Azure Service Health built-in policy (see the announcing blog post 🚨 Azure Service Health Built-In Policy (Preview) – Now Available!)
- Adoption of the new least privileged "Monitoring Policy Contributor" Azure role for the System Assigned Managed Identities created by AMBA-ALZ deployment
Adoption of Azure Service Health built-in policy
Adopting the new built-in policy, available as of release 2025-10-01, allowed us to address situations where customers only permit the use of built-in policies, which in turn increases trust in the AMBA-ALZ pattern. We partnered with the Service Health product team to ensure feature parity between the Azure native policy and the previous custom version available in AMBA-ALZ.
The new built-in policy, called "Configure subscriptions to enable service health alert monitoring rule", has been added to the new "Deploy Azure Monitor Baseline Alerts (AMBA-ALZ) for Service Health and Resource Health" initiative together with the previous Resource Health custom policy.
Updating to the version that includes the built-in policy is a straightforward process. For new deployments, there is nothing to do since this is the default behavior as of release 2025-10-01. Updating an existing deployment requires some pre-deployment tasks, which are clearly documented at Adopt the new built-in Azure Service Health policy.
Adoption of the new least privileged "Monitoring Policy Contributor" Azure role
As part of the ongoing security enhancements in AMBA-ALZ, and following up on customer reports of System Assigned Managed Identities created by AMBA being flagged as overprovisioned by Microsoft Defender for Cloud, we started a collaboration with the Azure RBAC team to create a new tailored, least privileged role. After some research, we were able to craft a new built-in role that benefits not only AMBA-ALZ but also other built-in policies (like the new Azure Service Health policy) or customer policies that aim at creating Azure Monitor alerts. This role is essentially an enhancement of the existing Monitoring Contributor role with the additional permissions necessary to deploy the policies and run the remediations, which include creating Azure Monitor alerts and resource groups.
This new role, which is designed to align with security standards, is now assigned by default to the managed identities in place of the previous Contributor role. Thanks to this effort we were able to significantly reduce the security risk surface by cutting down the number of unnecessary permissions from nearly 6,700 to just 6.
[Image comparison: Before (with Contributor rights) | After (with Monitoring Policy Contributor)]
Adopting the least privileged role is super easy. For new deployments, there's nothing to do since this is going to be the default behavior as of release 2025-10-01. Updating an existing deployment requires some pre-deployment tasks which are clearly documented at Adopt the new Monitoring Policy Contributor least privileged role.
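As an added check that is not part of the AMBA-ALZ project or of this post, the Azure PowerShell script below audits the role assignments held by the policy assignment managed identities under a management group and flags any identity that still holds Contributor or does not yet hold Monitoring Policy Contributor. It assumes Az.Resources is installed, Connect-AzAccount has been run, and `$ManagementGroupId` is replaced with your own management group (the default value is a placeholder).

```powershell
# Added audit example (not AMBA-ALZ project code).
# Lists policy assignments with a system-assigned identity, resolves the Azure roles
# granted to each identity, and reports those still on Contributor or missing the new role.
param(
    [string]$ManagementGroupId = 'PLACEHOLDER-MG-ID'  # placeholder: your root management group
)

$scope        = "/providers/Microsoft.Management/managementGroups/$ManagementGroupId"
$expectedRole = 'Monitoring Policy Contributor'
$findings     = @()

# Only assignments that carry a system-assigned identity can hold role assignments.
$assignments = Get-AzPolicyAssignment -Scope $scope -IncludeDescendent |
    Where-Object { $_.Identity -and $_.Identity.PrincipalId }

foreach ($a in $assignments) {
    $principalId = $a.Identity.PrincipalId
    $roles = Get-AzRoleAssignment -ObjectId $principalId -ErrorAction SilentlyContinue
    $roleNames = @($roles | Select-Object -ExpandProperty RoleDefinitionName -Unique)

    $findings += [pscustomobject]@{
        PolicyAssignment = $a.Name
        PrincipalId      = $principalId
        Roles            = ($roleNames -join ', ')
        HasContributor   = ($roleNames -contains 'Contributor')
        HasLeastPrivRole = ($roleNames -contains $expectedRole)
    }
}

# Identities that still hold Contributor, or lack the least privileged role,
# are the ones that need the documented pre-deployment tasks.
$findings |
    Where-Object { $_.HasContributor -or -not $_.HasLeastPrivRole } |
    Format-Table PolicyAssignment, Roles, HasContributor, HasLeastPrivRole -AutoSize
```

An empty table means every policy assignment identity under the scope has already moved to the least privileged role.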
So, what to do next? Visit the Introduction to deploying the AMBA-ALZ Pattern page to read more about AMBA and to find the deployment method (Azure Portal UI, Azure CLI, Azure PowerShell, Azure Pipelines, GitHub Actions, Terraform) that best aligns with your needs and preferences, then start testing out these new features.