From 949fefd48ca3ba001032101459c3290f4436e0fd Mon Sep 17 00:00:00 2001 From: Greg Slack Date: Thu, 6 Nov 2025 14:48:22 -0500 Subject: [PATCH 1/3] Adding new policy and fix to sample commands --- Scripts/Out-FormattedPolicyDefinition.ps1 | 6 +- .../azurepolicy.json | 198 ++++++++++++++++++ .../azurepolicy.parameters.json | 15 ++ .../azurepolicy.rules.json | 170 +++++++++++++++ 4 files changed, 386 insertions(+), 3 deletions(-) create mode 100644 policyDefinitions/Compute/activate-azure-benefits-for-windows-arc-machines/azurepolicy.json create mode 100644 policyDefinitions/Compute/activate-azure-benefits-for-windows-arc-machines/azurepolicy.parameters.json create mode 100644 policyDefinitions/Compute/activate-azure-benefits-for-windows-arc-machines/azurepolicy.rules.json diff --git a/Scripts/Out-FormattedPolicyDefinition.ps1 b/Scripts/Out-FormattedPolicyDefinition.ps1 index b74abf7e..e2353a6a 100644 --- a/Scripts/Out-FormattedPolicyDefinition.ps1 +++ b/Scripts/Out-FormattedPolicyDefinition.ps1 @@ -20,13 +20,13 @@ Output directory. Default is output. Category of the Policy definition. Default is empty indicating to preserve the existing category in metadata. .EXAMPLE -Out-FormattedPolicyDefinitionToOneFiles.ps1 -fileName azurepolicy.json -category "Custom" +Out-FormattedPolicyDefinition.ps1 -fileName azurepolicy.json -category "Custom" .EXAMPLE -Out-FormattedPolicyDefinitionToOneFiles.ps1 -fileName azurepolicy.json +Out-FormattedPolicyDefinition.ps1 -fileName azurepolicy.json .EXAMPLE -Out-FormattedPolicyDefinitionToOneFiles.ps1 -fileName azurepolicy.json -outputDirectory "output" +Out-FormattedPolicyDefinition.ps1 -fileName azurepolicy.json -outputDirectory "output" #> diff --git a/policyDefinitions/Compute/activate-azure-benefits-for-windows-arc-machines/azurepolicy.json b/policyDefinitions/Compute/activate-azure-benefits-for-windows-arc-machines/azurepolicy.json new file mode 100644 index 00000000..0c32200f --- /dev/null 
+++ b/policyDefinitions/Compute/activate-azure-benefits-for-windows-arc-machines/azurepolicy.json 
@@ -0,0 +1,198 @@ +{ + "name": "8afa5ca1-7115-489a-8b1f-209602402816", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Activate Azure Benefits for Windows Arc Machines", + "description": "Activate Azure benefits for Windows ARC Machines\n\nFor 2025 server, if license type is paygo, then this will check paygo box in license menu. If 2025 and not paygo license or not 2025 server then check Software Assurance box. This policy only checks Windows Server resources and will NOT check unlicensed servers", + "metadata": { + "version": "1.0.0", + "category": "Compute" + }, + "mode": "Indexed", + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "DeployIfNotExists, AuditIfNotExists or Disabled the execution of the Policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.HybridCompute/machines" + }, + { + "field": "Microsoft.HybridCompute/machines/osType", + "equals": "windows" + }, + { + "field": "Microsoft.HybridCompute/machines/licenseProfile.licenseStatus", + "equals": "Licensed" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.HybridCompute/machines", + "name": "[field('name')]", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "existenceCondition": { + "anyOf": [ + { + "allOf": [ + { + "field": "Microsoft.HybridCompute/machines/osSku", + "contains": "2025" + }, + { + "field": "Microsoft.HybridCompute/machines/licenseProfile.licenseChannel", + "contains": "PGS" + }, + { + "anyOf": [ + { + "field": "Microsoft.HybridCompute/machines/licenseProfile.productProfile.subscriptionStatus", + "equals": "Enabled" + }, + { + "field": 
"Microsoft.HybridCompute/machines/licenseProfile.productProfile.productFeatures[*].subscriptionStatus", + "equals": "Enabled" + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.HybridCompute/machines/osSku", + "contains": "2025" + }, + { + "not": { + "field": "Microsoft.HybridCompute/machines/licenseProfile.licenseChannel", + "contains": "PGS" + } + }, + { + "field": "Microsoft.HybridCompute/machines/licenseProfile.softwareAssurance.softwareAssuranceCustomer", + "equals": true + } + ] + }, + { + "allOf": [ + { + "not": { + "field": "Microsoft.HybridCompute/machines/osSku", + "contains": "2025" + } + }, + { + "field": "Microsoft.HybridCompute/machines/licenseProfile.softwareAssurance.softwareAssuranceCustomer", + "equals": true + } + ] + } + ] + }, + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "vmName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "osSku": { + "type": "string" + }, + "licenseChannel": { + "type": "string" + }, + "status": { + "type": "string" + }, + "productType": { + "type": "string" + } + }, + "resources": [ + { + "condition": "[and(equals(parameters('status'), 'Connected'), contains(parameters('licenseChannel'), 'PGS'))]", + "name": "[concat(parameters('vmName'), '/default')]", + "type": "Microsoft.HybridCompute/machines/licenseProfiles", + "location": "[parameters('location')]", + "apiVersion": "2025-01-13", + "properties": { + "productProfile": { + "productType": "[parameters('productType')]", + "subscriptionStatus": "Enabled" + } + } + }, + { + "condition": "[and(equals(parameters('status'), 'Connected'), not(contains(parameters('licenseChannel'), 'PGS')))]", + "name": "[concat(parameters('vmName'), '/default')]", + "type": "Microsoft.HybridCompute/machines/licenseProfiles", + "location": "[parameters('location')]", + "apiVersion": 
"2025-01-13", + "properties": { + "softwareAssurance": { + "softwareAssuranceCustomer": true + } + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Enabled Software Assurance for VM', ': ', parameters('vmName'))]" + } + } + }, + "parameters": { + "vmName": { + "value": "[field('name')]" + }, + "location": { + "value": "[field('location')]" + }, + "osSku": { + "value": "[field('Microsoft.HybridCompute/machines/osSku')]" + }, + "licenseChannel": { + "value": "[field('Microsoft.HybridCompute/machines/licenseProfile.licenseChannel')]" + }, + "status": { + "value": "[field('Microsoft.HybridCompute/machines/status')]" + }, + "productType": { + "value": "[field('Microsoft.HybridCompute/machines/licenseProfile.productProfile.productType')]" + } + } + } + } + } + } + } + } +} diff --git a/policyDefinitions/Compute/activate-azure-benefits-for-windows-arc-machines/azurepolicy.parameters.json b/policyDefinitions/Compute/activate-azure-benefits-for-windows-arc-machines/azurepolicy.parameters.json new file mode 100644 index 00000000..18130ac6 --- /dev/null +++ b/policyDefinitions/Compute/activate-azure-benefits-for-windows-arc-machines/azurepolicy.parameters.json @@ -0,0 +1,15 @@ +{ + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "DeployIfNotExists, AuditIfNotExists or Disabled the execution of the Policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + } +} diff --git a/policyDefinitions/Compute/activate-azure-benefits-for-windows-arc-machines/azurepolicy.rules.json b/policyDefinitions/Compute/activate-azure-benefits-for-windows-arc-machines/azurepolicy.rules.json new file mode 100644 index 00000000..1deca544 --- /dev/null +++ b/policyDefinitions/Compute/activate-azure-benefits-for-windows-arc-machines/azurepolicy.rules.json 
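Review bot: The two `condition` expressions in the deployment template branch only on `licenseChannel`, while `existenceCondition` also branches on `osSku`, so a non-2025 machine whose channel contains `PGS` gets `productProfile.subscriptionStatus` set to `Enabled` (pay-as-you-go) yet can only become compliant through `softwareAssuranceCustomer`. That machine stays non-compliant after every remediation, and the `osSku` template parameter is passed in but never read. Add the SKU test to both conditions: `[and(equals(parameters('status'), 'Connected'), contains(parameters('osSku'), '2025'), contains(parameters('licenseChannel'), 'PGS'))]` for the first resource and `[and(equals(parameters('status'), 'Connected'), or(not(contains(parameters('osSku'), '2025')), not(contains(parameters('licenseChannel'), 'PGS'))))]` for the second. Separately, the `productFeatures[*].subscriptionStatus` test is satisfied by an empty array, so confirm that a 2025 PGS machine with no product features should really count as compliant. The same rule is duplicated in the `azurepolicy.rules.json` hunk, which needs the same changes.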
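Review bot: `defaultValue` is `DeployIfNotExists`, so any assignment that does not set `effect` will remediate by writing license profiles, including setting `softwareAssuranceCustomer` to `true` and enabling the pay-as-you-go subscription; both presumably carry licensing or billing consequences. Defaulting to `"defaultValue": "AuditIfNotExists"` would make remediation an explicit opt-in per assignment and let operators review the non-compliant set first. The same parameter block is embedded in the `azurepolicy.json` hunk and would need the same change.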
@@ -0,0 +1,170 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.HybridCompute/machines" + }, + { + "field": "Microsoft.HybridCompute/machines/osType", + "equals": "windows" + }, + { + "field": "Microsoft.HybridCompute/machines/licenseProfile.licenseStatus", + "equals": "Licensed" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.HybridCompute/machines", + "name": "[field('name')]", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "existenceCondition": { + "anyOf": [ + { + "allOf": [ + { + "field": "Microsoft.HybridCompute/machines/osSku", + "contains": "2025" + }, + { + "field": "Microsoft.HybridCompute/machines/licenseProfile.licenseChannel", + "contains": "PGS" + }, + { + "anyOf": [ + { + "field": "Microsoft.HybridCompute/machines/licenseProfile.productProfile.subscriptionStatus", + "equals": "Enabled" + }, + { + "field": "Microsoft.HybridCompute/machines/licenseProfile.productProfile.productFeatures[*].subscriptionStatus", + "equals": "Enabled" + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.HybridCompute/machines/osSku", + "contains": "2025" + }, + { + "not": { + "field": "Microsoft.HybridCompute/machines/licenseProfile.licenseChannel", + "contains": "PGS" + } + }, + { + "field": "Microsoft.HybridCompute/machines/licenseProfile.softwareAssurance.softwareAssuranceCustomer", + "equals": true + } + ] + }, + { + "allOf": [ + { + "not": { + "field": "Microsoft.HybridCompute/machines/osSku", + "contains": "2025" + } + }, + { + "field": "Microsoft.HybridCompute/machines/licenseProfile.softwareAssurance.softwareAssuranceCustomer", + "equals": true + } + ] + } + ] + }, + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "vmName": { + 
"type": "string" + }, + "location": { + "type": "string" + }, + "osSku": { + "type": "string" + }, + "licenseChannel": { + "type": "string" + }, + "status": { + "type": "string" + }, + "productType": { + "type": "string" + } + }, + "resources": [ + { + "condition": "[and(equals(parameters('status'), 'Connected'), contains(parameters('licenseChannel'), 'PGS'))]", + "name": "[concat(parameters('vmName'), '/default')]", + "type": "Microsoft.HybridCompute/machines/licenseProfiles", + "location": "[parameters('location')]", + "apiVersion": "2025-01-13", + "properties": { + "productProfile": { + "productType": "[parameters('productType')]", + "subscriptionStatus": "Enabled" + } + } + }, + { + "condition": "[and(equals(parameters('status'), 'Connected'), not(contains(parameters('licenseChannel'), 'PGS')))]", + "name": "[concat(parameters('vmName'), '/default')]", + "type": "Microsoft.HybridCompute/machines/licenseProfiles", + "location": "[parameters('location')]", + "apiVersion": "2025-01-13", + "properties": { + "softwareAssurance": { + "softwareAssuranceCustomer": true + } + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Enabled Software Assurance for VM', ': ', parameters('vmName'))]" + } + } + }, + "parameters": { + "vmName": { + "value": "[field('name')]" + }, + "location": { + "value": "[field('location')]" + }, + "osSku": { + "value": "[field('Microsoft.HybridCompute/machines/osSku')]" + }, + "licenseChannel": { + "value": "[field('Microsoft.HybridCompute/machines/licenseProfile.licenseChannel')]" + }, + "status": { + "value": "[field('Microsoft.HybridCompute/machines/status')]" + }, + "productType": { + "value": "[field('Microsoft.HybridCompute/machines/licenseProfile.productProfile.productType')]" + } + } + } + } + } + } +} From c6066ab58f0fd4cb81c392d7f869c636b4a7c1cc Mon Sep 17 00:00:00 2001 
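Review bot: `roleDefinitionIds` grants the remediation identity `b24988ac-6180-42a0-ab88-20f7382dd24c`, the built-in Contributor role, although the template only writes `Microsoft.HybridCompute/machines/licenseProfiles`. At a subscription or management-group assignment that identity can then modify every resource in scope, which is far more than this remediation needs. Prefer a narrower role, for example check whether the built-in Azure Connected Machine Resource Administrator role covers the license-profile write, or define a custom role limited to that write plus the deployment actions a DeployIfNotExists remediation requires. The same role id appears in the `azurepolicy.json` hunk.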
From: Jeff Pigott <86477713+wjpigott@users.noreply.github.com>
Date: Thu, 6 Nov 2025 14:04:12 -0600
Subject: [PATCH 2/3] Correct description wording in azurepolicy.json

Updated the description to use 'Pay-as-you-go' instead of 'paygo'.
---
 .../azurepolicy.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policyDefinitions/Compute/activate-azure-benefits-for-windows-arc-machines/azurepolicy.json b/policyDefinitions/Compute/activate-azure-benefits-for-windows-arc-machines/azurepolicy.json
index 0c32200f..fab63dc4 100644
--- a/policyDefinitions/Compute/activate-azure-benefits-for-windows-arc-machines/azurepolicy.json
+++ b/policyDefinitions/Compute/activate-azure-benefits-for-windows-arc-machines/azurepolicy.json
@@ -3,7 +3,7 @@
 "type": "Microsoft.Authorization/policyDefinitions",
 "properties": {
 "displayName": "Activate Azure Benefits for Windows Arc Machines",
- "description": "Activate Azure benefits for Windows ARC Machines\n\nFor 2025 server, if license type is paygo, then this will check paygo box in license menu. If 2025 and not paygo license or not 2025 server then check Software Assurance box. This policy only checks Windows Server resources and will NOT check unlicensed servers",
+ "description": "Activate Azure benefits for Windows ARC Machines\n\nFor 2025 server, if license type is Pay-as-you-go, then this will check Pay-as-you-go box in license menu. If 2025 and not Pay-as-you-go license or not 2025 server then check Software Assurance box. This policy only checks Windows Server resources and will NOT check unlicensed servers",
 "metadata": {
 "version": "1.0.0",
 "category": "Compute"
From 155121e9914a1258b50a9cd0ee66201d244a1b46 Mon Sep 17 00:00:00 2001
From: gregslack78 <85254974+gregslack78@users.noreply.github.com>
Date: Thu, 6 Nov 2025 15:04:21 -0500
Subject: [PATCH 3/3] Fix description for Azure benefits policy

Updated the description to clarify license type terminology.
---
 .../azurepolicy.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policyDefinitions/Compute/activate-azure-benefits-for-windows-arc-machines/azurepolicy.json b/policyDefinitions/Compute/activate-azure-benefits-for-windows-arc-machines/azurepolicy.json
index 0c32200f..cba14607 100644
--- a/policyDefinitions/Compute/activate-azure-benefits-for-windows-arc-machines/azurepolicy.json
+++ b/policyDefinitions/Compute/activate-azure-benefits-for-windows-arc-machines/azurepolicy.json
@@ -3,7 +3,7 @@
 "type": "Microsoft.Authorization/policyDefinitions",
 "properties": {
 "displayName": "Activate Azure Benefits for Windows Arc Machines",
- "description": "Activate Azure benefits for Windows ARC Machines\n\nFor 2025 server, if license type is paygo, then this will check paygo box in license menu. If 2025 and not paygo license or not 2025 server then check Software Assurance box. This policy only checks Windows Server resources and will NOT check unlicensed servers",
+ "description": "Activate Azure benefits for Windows ARC Machines\n\nFor 2025 server, if license type is pay-as-you-go, then this will check ""ay-as-you-go with Azure" box in license menu. If 2025 and not pay-as-you-go license or not 2025 server then this will check Software Assurance box. This policy only checks Windows Server resources and will NOT check unlicensed servers",
 "metadata": {
 "version": "1.0.0",
 "category": "Compute"
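Review bot: The new `description` value contains unescaped double quotes, `""ay-as-you-go with Azure"`, which end the string early and make `azurepolicy.json` invalid JSON, so a strict parser will reject the policy definition. The opening quote also appears to have replaced the `P` of `Pay-as-you-go`. Escape the quotes and restore the letter: `this will check \"Pay-as-you-go with Azure\" box in license menu`. This patch and [PATCH 2/3] both rewrite the same line starting from blob `0c32200f`, so they presumably cannot both apply cleanly in sequence; the `properties` object continues outside the hunk.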