v1.47.0-B0060

What's changed since v1.46.0:

• New features:
  • Added December 2025 baselines Azure.GA_2025_12, Azure.Preview_2025_12, and Azure.CAF_2025_12 by @BernieWhite.
    #3642
    • Includes rules released before or during December 2025.
    • Marked Azure.GA_2025_09 and Azure.Preview_2025_09 baselines as obsolete.
• New rules:
  • Added naming format rules for AKS, Container Apps, Service Fabric, Cosmos DB, Redis, and SQL resources.
    #3548
  • App Configuration:
    • Check that replica locations are in allowed regions by @BernieWhite.
      #3441
  • Azure Cache for Redis:
    • Check for legacy Azure Cache for Redis instances by @BenjaminEngeset.
      #3605
    • Check resources naming matches configured name format by @BernieWhite.
      #3548
      • The name format can be configured by the following configuration options:
        • AZURE_REDIS_CACHE_NAME_FORMAT
        • AZURE_REDIS_ENTERPRISE_NAME_FORMAT
    • Added configured name format by @BernieWhite.
  • Azure Cache for Redis Enterprise and Enterprise Flash:
    • Check for deprecated Redis Enterprise and Enterprise Flash SKUs by @BenjaminEngeset.
      #3606
  • Azure Database for MySQL:
    • Check resources naming matches configured name format by @BernieWhite.
      #3548
      • The name format can be configured by the following configuration options:
        • AZURE_MYSQL_SERVER_NAME_FORMAT
  • Azure Database for PostgreSQL:
    • Check resources naming matches configured name format by @BernieWhite.
      #3548
      • The name format can be configured by the following configuration options:
        • AZURE_POSTGRESQL_SERVER_NAME_FORMAT
  • Azure Kubernetes Service:
    • Check resources naming matches configured name format by @BernieWhite.
      #3548
      • The name format can be configured by the following configuration options:
        • AZURE_AKS_CLUSTER_NAME_FORMAT
        • AZURE_AKS_SYSTEM_POOL_NAME_FORMAT
        • AZURE_AKS_USER_POOL_NAME_FORMAT
  • Container Apps:
    • Check resources naming matches configured name format by @BernieWhite.
      #3548
      • The name format can be configured by the following configuration options:
        • AZURE_CONTAINER_APP_NAME_FORMAT
        • AZURE_CONTAINER_APP_ENVIRONMENT_NAME_FORMAT
        • AZURE_CONTAINER_APP_JOB_NAME_FORMAT
  • Container Instance:
    • Check resources naming matches configured name format by @BernieWhite.
      #3548
      • The name format can be configured by the following configuration option:
        • AZURE_CONTAINER_INSTANCE_NAME_FORMAT
  • Container Registry:
    • Check resources naming matches configured name format by @BernieWhite.
      #3548
      • The name format can be configured by the following configuration option:
        • AZURE_CONTAINER_REGISTRY_NAME_FORMAT
  • Cosmos DB:
    • Check that Cosmos DB accounts have availability zones enabled by @BenjaminEngeset.
      #3055
    • Check that MongoDB vCore clusters use Microsoft Entra ID authentication by @BenjaminEngeset.
      #3369
    • Check that MongoDB vCore clusters have availability zones enabled by @BenjaminEngeset.
      #3586
    • Check resources naming matches configured name format by @BernieWhite.
      #3548
      • The name format can be configured by the following configuration options:
        • AZURE_COSMOS_CASSANDRA_NAME_FORMAT
        • AZURE_COSMOS_DATABASE_NAME_FORMAT
        • AZURE_COSMOS_GREMLIN_NAME_FORMAT
        • AZURE_COSMOS_MONGO_NAME_FORMAT
        • AZURE_COSMOS_NOSQL_NAME_FORMAT
        • AZURE_COSMOS_POSTGRESQL_NAME_FORMAT
        • AZURE_COSMOS_TABLE_NAME_FORMAT
  • Data Explorer:
    • Check that public network access is disabled by @BenjaminEngeset.
      #3114
  • Event Hub:
    • Check that zone redundancy is enabled for Event Hub namespaces in supported regions by @BenjaminEngeset.
      #3029
  • Managed Instance for Apache Cassandra:
    • Check that Managed Instance for Apache Cassandra clusters have availability zones enabled by @BenjaminEngeset.
      #3592
  • Managed Grafana:
    • Check that zone redundancy is enabled for Grafana workspaces in supported regions by @BenjaminEngeset.
      #3294
  • Service Fabric:
    • Check resources naming matches configured name format by @BernieWhite.
      #3548
      • The name format can be configured by the following configuration option:
        • AZURE_SERVICE_FABRIC_CLUSTER_NAME_FORMAT
        • AZURE_SERVICE_FABRIC_MANAGED_CLUSTER_NAME_FORMAT
  • SQL Database:
    • Check resources naming matches configured name format by @BernieWhite.
      #3548
      • The name format can be configured by the following configuration option:
        • AZURE_SQL_DATABASE_NAME_FORMAT
        • AZURE_SQL_SERVER_NAME_FORMAT
        • AZURE_SQL_ELASTIC_POOL_NAME_FORMAT
        • AZURE_SQL_JOB_AGENT_NAME_FORMAT
  • SQL Managed Instance:
    • Check resources naming matches configured name format by @BernieWhite.
      #3548
      • The name format can be configured by the following configuration option:
        • AZURE_SQL_MI_NAME_FORMAT
• Updated rules:
  • Application Gateway Policy:
    • Updated Azure.AppGwWAF.RuleGroups to use Microsoft Default Rule Set instead of legacy OWASP rule set by @BenjaminEngeset.
      #3553
  • Cosmos DB:
    • Renamed Azure.Cosmos.DisableLocalAuth to Azure.Cosmos.NoSQLLocalAuth to reflect it applies only to NoSQL API by @BernieWhite.
      #3576
• Engineering:
  • Bump Microsoft.Extensions.Logging.Console from 8.0.0 to 10.0.1
    #3627
  • Bump Microsoft.Extensions.Hosting from 9.0.10 to 10.0.1
    #3626

See the change log for details.

v1.46.0

What's changed since v1.45.2:

• New features:
  • Experimental: Added Well-Architected Framework - Security pillar Level 1 maturity baseline by @BernieWhite.
    #3107
    #3517
    • The Azure.Pillar.Security.L1 baseline provides an initial set of rules aligned to the first level of maturity.
    • This is an experimental baseline and may change in future releases.
  • Added CSV download of rule list associated with each baseline by @BernieWhite.
    #3511
  • Added September 2025 baselines Azure.GA_2025_09 and Azure.Preview_2025_09 by @BernieWhite.
    #3539
    • Includes rules released before or during September 2025.
    • Marked Azure.GA_2025_06 and Azure.Preview_2025_06 baselines as obsolete.
• New rules:
  • Azure Cache for Redis:
    • Check that Entra ID is required for all authentication of cache instances by @BernieWhite.
      #3113
  • Container Registry:
    • Check replica locations are within allowed regions by @BernieWhite
      #3442
    • Check that export policy is disabled for registries by @BernieWhite
      #3444
  • Storage Account:
    • Check that local authentication is disabled for storage accounts by @BernieWhite.
      #3115
• Updated rules:
  • Azure Kubernetes Service:
    • Updated Azure.AKS.Version to use 1.32.7 as the minimum version by @BernieWhite.
      #3541
  • Container Registry:
    • Updated Azure.ACR.GeoReplica to ensure geo-replication applies to pre-flight and in-flight cases by @BernieWhite.
      #3477
• General improvements:
  • Updated provider data by @BernieWhite.
    #3538
• Bug fixes:
  • Fixed false negative for App Service web configuration cases set with siteConfig by @BernieWhite.
    #3521

What's changed since pre-release v1.46.0-B0050:

• No additional changes.

See the release and change log for details.

v1.46.0-B0050

What's changed since v1.45.2:

• New features:
  • Experimental: Added Well-Architected Framework - Security pillar Level 1 maturity baseline by @BernieWhite.
    #3107
    #3517
    • The Azure.Pillar.Security.L1 baseline provides an initial set of rules aligned to the first level of maturity.
    • This is an experimental baseline and may change in future releases.
  • Added CSV download of rule list associated with each baseline by @BernieWhite.
    #3511
  • Added September 2025 baselines Azure.GA_2025_09 and Azure.Preview_2025_09 by @BernieWhite.
    #3539
    • Includes rules released before or during September 2025.
    • Marked Azure.GA_2025_06 and Azure.Preview_2025_06 baselines as obsolete.
• New rules:
  • Azure Cache for Redis:
    • Check that Entra ID is required for all authentication of cache instances by @BernieWhite.
      #3113
  • Container Registry:
    • Check replica locations are within allowed regions by @BernieWhite
      #3442
    • Check that export policy is disabled for registries by @BernieWhite
      #3444
  • Storage Account:
    • Check that local authentication is disabled for storage accounts by @BernieWhite.
      #3115
• Updated rules:
  • Azure Kubernetes Service:
    • Updated Azure.AKS.Version to use 1.32.7 as the minimum version by @BernieWhite.
      #3541
  • Container Registry:
    • Updated Azure.ACR.GeoReplica to ensure geo-replication applies to pre-flight and in-flight cases by @BernieWhite.
      #3477
• General improvements:
  • Updated provider data by @BernieWhite.
    #3538
• Bug fixes:
  • Fixed false negative for App Service web configuration cases set with siteConfig by @BernieWhite.
    #3521

See the change log for details.

v1.45.2

What's changed since v1.45.1:

• Bug fixes:
  • Fixed inconsistent handling of subnets with Azure.VNET.SubnetNaming and Azure.VNET.UseNSGs by @BernieWhite
    #3497

See the release and change log for details.

v1.45.1

What's changed since v1.45.0:

• Bug fixes:
  • Fixed imported user defined function is unable to access local variable by @BernieWhite.
    #3483

See the release and change log for details.

v1.45.0

What's changed since v1.44.2:

• New features:
  • Added June 2025 baselines Azure.GA_2025_06 and Azure.Preview_2025_06 by @BernieWhite.
    #3465
    • Includes rules released before or during June 2025.
    • Marked Azure.GA_2025_03 and Azure.Preview_2025_03 baselines as obsolete.
  • Added June 2025 CAF baseline Azure.CAF_2025_06 for recent naming changes by @BernieWhite.
    #3464
• New rules:
  • App Configuration:
    • Check that App Configuration Key Values do not contain known secrets by @BernieWhite.
      #3439
  • Event Grid:
    • Check namespaces use a minimum of TLS 1.2 by @BernieWhite.
      #3354
  • Monitor Alerts:
    • Check that metric alerts are configured to automatically mitigate by @BernieWhite.
      #3457
    • Check that scheduled query alerts are configured for lower frequency by @BernieWhite.
      #3458
• Updated rules:
  • Azure Kubernetes Service:
    • Updated Azure.AKS.Version to use 1.32.5 as the minimum version by @BernieWhite.
      #3463
  • Container Registry:
    • Deprecated Azure.ACR.ContentTrust rule by @BernieWhite.
      #3443
      • The Docker content trust feature will retire in March 2028.
      • Content trust is replaced by OCI artifact signing, which is supported by Azure Container Registry.
  • Virtual Network Gateway:
    • Updated documentation and promoted Azure.VNG.MaintenanceConfig to GA by @BernieWhite.
      #3379
      • Bumped rule set to 2025_06.
• General improvements:
  • Native support for exporting policy as rules by @BernieWhite.
    #2971
    #2970
    • This removes the dependency on the Az.Resources module for policy exports.
  • Optimize generation of nested allOf/ anyOf condition in policy as rules by @BernieWhite.
    #1965
• Bug fixes:
  • Fixed wrong verbose log when running Export-AzPolicyAssignmentData by @BernieWhite.
    #1877
  • Fixed parent is missing on mocked token when expanding PE AVM module by @BernieWhite.
    #3446
  • Fixed Azure.AppGw.MinInstance should allow 0 minimum capacity for v2 with autoscale by @BernieWhite @mbender-ms.
    #3452
  • Fixed secure outputs objects may not be fully mocked by @BernieWhite.
    #3434
  • Fixed incorrect inversion of policy as rules conditions by @BernieWhite.
    #3419
  • Fixed string boolean values not converted during evaluation of policy as rules by @BernieWhite.
    #3426

What's changed since pre-release v1.45.0-B0143:

• No additional changes.

See the release and change log for details.

v1.45.0-B0143

What's changed since pre-release v1.45.0-B0104:

• New features:
  • Added June 2025 baselines Azure.GA_2025_06 and Azure.Preview_2025_06 by @BernieWhite.
    #3465
    • Includes rules released before or during June 2025.
    • Marked Azure.GA_2025_03 and Azure.Preview_2025_03 baselines as obsolete.
  • Added June 2025 CAF baseline Azure.CAF_2025_06 for recent naming changes by @BernieWhite.
    #3464
• Updated rules:
  • Azure Kubernetes Service:
    • Updated Azure.AKS.Version to use 1.32.5 as the minimum version by @BernieWhite.
      #3463

See the change log for details.

v1.45.0-B0104

What's changed since pre-release v1.45.0-B0068:

• New rules:
  • Event Grid:
    • Check namespaces use a minimum of TLS 1.2 by @BernieWhite.
      #3354
  • Monitor Alerts:
    • Check that metric alerts are configured to automatically mitigate by @BernieWhite.
      #3457
    • Check that scheduled query alerts are configured for lower frequency by @BernieWhite.
      #3458
• General improvements:
  • Native support for exporting policy as rules by @BernieWhite.
    #2971
    #2970
    • This removes the dependency on the Az.Resources module for policy exports.
• Bug fixes:
  • Fixed wrong verbose log when running Export-AzPolicyAssignmentData by @BernieWhite.
    #1877

See the change log for details.

v1.45.0-B0068

What's changed since pre-release v1.45.0-B0037:

• New rules:
  • App Configuration:
    • Check that App Configuration Key Values do not contain known secrets by @BernieWhite.
      #3439
• Updated rules:
  • Container Registry:
    • Deprecated Azure.ACR.ContentTrust rule by @BernieWhite.
      #3443
      • The Docker content trust feature will retire in March 2028.
      • Content trust is replaced by OCI artifact signing, which is supported by Azure Container Registry.
  • Virtual Network Gateway:
    • Updated documentation and promoted Azure.VNG.MaintenanceConfig to GA by @BernieWhite.
      #3379
      • Bumped rule set to 2025_06.
• Bug fixes:
  • Fixed parent is missing on mocked token when expanding PE AVM module by @BernieWhite.
    #3446
  • Fixed Azure.AppGw.MinInstance should allow 0 minimum capacity for v2 with autoscale by @BernieWhite @mbender-ms.
    #3452

See the change log for details.

v1.45.0-B0037

What's changed since pre-release v1.45.0-B0017:

• Bug fixes:
  • Fixed secure outputs objects may not be fully mocked by @BernieWhite.
    #3434

See the change log for details.