v1.48.0-B0228

What's changed since pre-release v1.48.0-B0088:

• General improvements:
  • Updated provider data by @BernieWhite.
    #3790
  • Added support for Bicep resourceType parameter metadata by @polatengin.
    #1474
  • Added support for the Bicep roleDefinitions function by @polatengin.
    #3776
  • Added support for Bicep decorator value constraints by @polatengin.
    #3649
  • Added validation for Bicep custom type constraints by @polatengin.
    #1922

See the change log for details.

v1.48.0-B0088

What's changed since v1.47.0:

• New features:
  • Experimental: Added Terraform plan expansion support for AzAPI provider resources by @polatengin.
    #1193
    • Expands azapi_resource and azapi_update_resource from Terraform plan JSON files into ARM format for rule evaluation.
    • Enable with configuration option AZURE_TERRAFORM_PLAN_EXPANSION.
  • Added March 2026 baselines Azure.GA_2026_03, Azure.Preview_2026_03, and Azure.CAF_2026_03 by @BernieWhite.
    #3709
    • Includes rules released before or during March 2026.
    • Marked Azure.GA_2025_12 and Azure.Preview_2025_12 baselines as obsolete.
• New rules:
  • Automation Account:
    • Added Azure.Automation.RunbookPinned to check runbook external scripts use pinned commit hash by @BernieWhite.
      #3324
  • Azure Container Registry:
    • Check that audit diagnostic logs are enabled for Container Registry by @BernieWhite.
      #3445
  • Azure Fleet:
    • Check for public key usage on Linux fleet VM profiles by @BernieWhite.
  • Container Apps:
    • Check that liveness and readiness health probes use HTTP checks for HTTP-based ingress by @BernieWhite.
      #3111
  • Deployment Script:
    • Added Azure.DeploymentScript.Pinned to check deployment script external script to use pinned commit hash by @BernieWhite.
      #3324
  • Service Bus:
    • Added Azure.ServiceBus.ReplicaLocation to check that geo-replication replica locations are within allowed regions by @BernieWhite.
      #3381
  • Virtual Machine:
    • Check that virtual machines have Secure Boot enabled by @coder999999999.
      #3728
  • Virtual Machine Scale Sets:
    • Check that virtual machine scale sets have Secure Boot enabled by @coder999999999.
      #3730
• Updated rules:
  • Azure Kubernetes Service:
    • Updated Azure.AKS.Version to use 1.33.7 as the minimum version by @BernieWhite.
      #3708
  • Virtual Machine:
    • Updated Azure.VM.DiskCaching to check for ReadWrite caching on OS disks instead only by @BernieWhite.
      #3673
      • Renamed the rule from Azure.VM.DiskCaching to Azure.VM.OSDiskCache to reflect updated scope.
      • Updates to provide more complete documentation.
• Engineering
  • Improved documentation for expansion internals with a high-level flow diagram and code references by @BernieWhite.
    #3715
  • Bump Azure.Identity to 1.21.0.
    #3751
  • Bump Azure.Core to 1.54.0
    #3778
  • Bump Azure.Identity.Broker to 1.5.0.
    #3744
  • Bump Microsoft.Extensions.Hosting to 10.0.7.
    #3769
  • Bump Microsoft.Extensions.Logging.Console to 10.0.7.
    #3777
• Bug fixes:
  • Improved Bicep expansion errors to surface captured CLI restore failures during timeout windows by @polatengin.
    #2896

See the change log for details.

v1.47.0

What's changed since v1.46.0:

• New features:
  • Added December 2025 baselines Azure.GA_2025_12, Azure.Preview_2025_12, and Azure.CAF_2025_12 by @BernieWhite.
    #3642
    • Includes rules released before or during December 2025.
    • Marked Azure.GA_2025_09 and Azure.Preview_2025_09 baselines as obsolete.
• New rules:
  • Added naming format rules for AKS, Container Apps, Service Fabric, Cosmos DB, Redis, and SQL resources.
    #3548
  • App Configuration:
    • Check that replica locations are in allowed regions by @BernieWhite.
      #3441
  • Azure Cache for Redis:
    • Check for legacy Azure Cache for Redis instances by @BenjaminEngeset.
      #3605
    • Check resources naming matches configured name format by @BernieWhite.
      #3548
      • The name format can be configured by the following configuration options:
        • AZURE_REDIS_CACHE_NAME_FORMAT
        • AZURE_REDIS_ENTERPRISE_NAME_FORMAT
    • Added configured name format by @BernieWhite.
  • Azure Cache for Redis Enterprise and Enterprise Flash:
    • Check for deprecated Redis Enterprise and Enterprise Flash SKUs by @BenjaminEngeset.
      #3606
  • Azure Database for MySQL:
    • Check resources naming matches configured name format by @BernieWhite.
      #3548
      • The name format can be configured by the following configuration options:
        • AZURE_MYSQL_SERVER_NAME_FORMAT
  • Azure Database for PostgreSQL:
    • Check resources naming matches configured name format by @BernieWhite.
      #3548
      • The name format can be configured by the following configuration options:
        • AZURE_POSTGRESQL_SERVER_NAME_FORMAT
  • Azure Kubernetes Service:
    • Check resources naming matches configured name format by @BernieWhite.
      #3548
      • The name format can be configured by the following configuration options:
        • AZURE_AKS_CLUSTER_NAME_FORMAT
        • AZURE_AKS_SYSTEM_POOL_NAME_FORMAT
        • AZURE_AKS_USER_POOL_NAME_FORMAT
  • Container Apps:
    • Check resources naming matches configured name format by @BernieWhite.
      #3548
      • The name format can be configured by the following configuration options:
        • AZURE_CONTAINER_APP_NAME_FORMAT
        • AZURE_CONTAINER_APP_ENVIRONMENT_NAME_FORMAT
        • AZURE_CONTAINER_APP_JOB_NAME_FORMAT
  • Container Instance:
    • Check resources naming matches configured name format by @BernieWhite.
      #3548
      • The name format can be configured by the following configuration option:
        • AZURE_CONTAINER_INSTANCE_NAME_FORMAT
  • Container Registry:
    • Check resources naming matches configured name format by @BernieWhite.
      #3548
      • The name format can be configured by the following configuration option:
        • AZURE_CONTAINER_REGISTRY_NAME_FORMAT
  • Cosmos DB:
    • Check that Cosmos DB accounts have availability zones enabled by @BenjaminEngeset.
      #3055
    • Check that MongoDB vCore clusters use Microsoft Entra ID authentication by @BenjaminEngeset.
      #3369
    • Check that MongoDB vCore clusters have availability zones enabled by @BenjaminEngeset.
      #3586
    • Check resources naming matches configured name format by @BernieWhite.
      #3548
      • The name format can be configured by the following configuration options:
        • AZURE_COSMOS_CASSANDRA_NAME_FORMAT
        • AZURE_COSMOS_DATABASE_NAME_FORMAT
        • AZURE_COSMOS_GREMLIN_NAME_FORMAT
        • AZURE_COSMOS_MONGO_NAME_FORMAT
        • AZURE_COSMOS_NOSQL_NAME_FORMAT
        • AZURE_COSMOS_POSTGRESQL_NAME_FORMAT
        • AZURE_COSMOS_TABLE_NAME_FORMAT
  • Data Explorer:
    • Check that public network access is disabled by @BenjaminEngeset.
      #3114
  • Event Hub:
    • Check that zone redundancy is enabled for Event Hub namespaces in supported regions by @BenjaminEngeset.
      #3029
  • Managed Instance for Apache Cassandra:
    • Check that Managed Instance for Apache Cassandra clusters have availability zones enabled by @BenjaminEngeset.
      #3592
  • Managed Grafana:
    • Check that zone redundancy is enabled for Grafana workspaces in supported regions by @BenjaminEngeset.
      #3294
  • Service Fabric:
    • Check resources naming matches configured name format by @BernieWhite.
      #3548
      • The name format can be configured by the following configuration option:
        • AZURE_SERVICE_FABRIC_CLUSTER_NAME_FORMAT
        • AZURE_SERVICE_FABRIC_MANAGED_CLUSTER_NAME_FORMAT
  • SQL Database:
    • Check resources naming matches configured name format by @BernieWhite.
      #3548
      • The name format can be configured by the following configuration option:
        • AZURE_SQL_DATABASE_NAME_FORMAT
        • AZURE_SQL_SERVER_NAME_FORMAT
        • AZURE_SQL_ELASTIC_POOL_NAME_FORMAT
        • AZURE_SQL_JOB_AGENT_NAME_FORMAT
  • SQL Managed Instance:
    • Check resources naming matches configured name format by @BernieWhite.
      #3548
      • The name format can be configured by the following configuration option:
        • AZURE_SQL_MI_NAME_FORMAT
• Updated rules:
  • Application Gateway Policy:
    • Updated Azure.AppGwWAF.RuleGroups to use Microsoft Default Rule Set instead of legacy OWASP rule set by @BenjaminEngeset.
      #3553
  • Cosmos DB:
    • Renamed Azure.Cosmos.DisableLocalAuth to Azure.Cosmos.NoSQLLocalAuth to reflect it applies only to NoSQL API by @BernieWhite.
      #3576
• Engineering:
  • Bump Microsoft.Extensions.Logging.Console from 8.0.0 to 10.0.1
    #3627
  • Bump Microsoft.Extensions.Hosting from 9.0.10 to 10.0.1
    #3626

What's changed since pre-release v1.47.0-B0060:

• No additional changes.

See the release and change log for details.

v1.47.0-B0060

What's changed since v1.46.0:

• New features:
  • Added December 2025 baselines Azure.GA_2025_12, Azure.Preview_2025_12, and Azure.CAF_2025_12 by @BernieWhite.
    #3642
    • Includes rules released before or during December 2025.
    • Marked Azure.GA_2025_09 and Azure.Preview_2025_09 baselines as obsolete.
• New rules:
  • Added naming format rules for AKS, Container Apps, Service Fabric, Cosmos DB, Redis, and SQL resources.
    #3548
  • App Configuration:
    • Check that replica locations are in allowed regions by @BernieWhite.
      #3441
  • Azure Cache for Redis:
    • Check for legacy Azure Cache for Redis instances by @BenjaminEngeset.
      #3605
    • Check resources naming matches configured name format by @BernieWhite.
      #3548
      • The name format can be configured by the following configuration options:
        • AZURE_REDIS_CACHE_NAME_FORMAT
        • AZURE_REDIS_ENTERPRISE_NAME_FORMAT
    • Added configured name format by @BernieWhite.
  • Azure Cache for Redis Enterprise and Enterprise Flash:
    • Check for deprecated Redis Enterprise and Enterprise Flash SKUs by @BenjaminEngeset.
      #3606
  • Azure Database for MySQL:
    • Check resources naming matches configured name format by @BernieWhite.
      #3548
      • The name format can be configured by the following configuration options:
        • AZURE_MYSQL_SERVER_NAME_FORMAT
  • Azure Database for PostgreSQL:
    • Check resources naming matches configured name format by @BernieWhite.
      #3548
      • The name format can be configured by the following configuration options:
        • AZURE_POSTGRESQL_SERVER_NAME_FORMAT
  • Azure Kubernetes Service:
    • Check resources naming matches configured name format by @BernieWhite.
      #3548
      • The name format can be configured by the following configuration options:
        • AZURE_AKS_CLUSTER_NAME_FORMAT
        • AZURE_AKS_SYSTEM_POOL_NAME_FORMAT
        • AZURE_AKS_USER_POOL_NAME_FORMAT
  • Container Apps:
    • Check resources naming matches configured name format by @BernieWhite.
      #3548
      • The name format can be configured by the following configuration options:
        • AZURE_CONTAINER_APP_NAME_FORMAT
        • AZURE_CONTAINER_APP_ENVIRONMENT_NAME_FORMAT
        • AZURE_CONTAINER_APP_JOB_NAME_FORMAT
  • Container Instance:
    • Check resources naming matches configured name format by @BernieWhite.
      #3548
      • The name format can be configured by the following configuration option:
        • AZURE_CONTAINER_INSTANCE_NAME_FORMAT
  • Container Registry:
    • Check resources naming matches configured name format by @BernieWhite.
      #3548
      • The name format can be configured by the following configuration option:
        • AZURE_CONTAINER_REGISTRY_NAME_FORMAT
  • Cosmos DB:
    • Check that Cosmos DB accounts have availability zones enabled by @BenjaminEngeset.
      #3055
    • Check that MongoDB vCore clusters use Microsoft Entra ID authentication by @BenjaminEngeset.
      #3369
    • Check that MongoDB vCore clusters have availability zones enabled by @BenjaminEngeset.
      #3586
    • Check resources naming matches configured name format by @BernieWhite.
      #3548
      • The name format can be configured by the following configuration options:
        • AZURE_COSMOS_CASSANDRA_NAME_FORMAT
        • AZURE_COSMOS_DATABASE_NAME_FORMAT
        • AZURE_COSMOS_GREMLIN_NAME_FORMAT
        • AZURE_COSMOS_MONGO_NAME_FORMAT
        • AZURE_COSMOS_NOSQL_NAME_FORMAT
        • AZURE_COSMOS_POSTGRESQL_NAME_FORMAT
        • AZURE_COSMOS_TABLE_NAME_FORMAT
  • Data Explorer:
    • Check that public network access is disabled by @BenjaminEngeset.
      #3114
  • Event Hub:
    • Check that zone redundancy is enabled for Event Hub namespaces in supported regions by @BenjaminEngeset.
      #3029
  • Managed Instance for Apache Cassandra:
    • Check that Managed Instance for Apache Cassandra clusters have availability zones enabled by @BenjaminEngeset.
      #3592
  • Managed Grafana:
    • Check that zone redundancy is enabled for Grafana workspaces in supported regions by @BenjaminEngeset.
      #3294
  • Service Fabric:
    • Check resources naming matches configured name format by @BernieWhite.
      #3548
      • The name format can be configured by the following configuration option:
        • AZURE_SERVICE_FABRIC_CLUSTER_NAME_FORMAT
        • AZURE_SERVICE_FABRIC_MANAGED_CLUSTER_NAME_FORMAT
  • SQL Database:
    • Check resources naming matches configured name format by @BernieWhite.
      #3548
      • The name format can be configured by the following configuration option:
        • AZURE_SQL_DATABASE_NAME_FORMAT
        • AZURE_SQL_SERVER_NAME_FORMAT
        • AZURE_SQL_ELASTIC_POOL_NAME_FORMAT
        • AZURE_SQL_JOB_AGENT_NAME_FORMAT
  • SQL Managed Instance:
    • Check resources naming matches configured name format by @BernieWhite.
      #3548
      • The name format can be configured by the following configuration option:
        • AZURE_SQL_MI_NAME_FORMAT
• Updated rules:
  • Application Gateway Policy:
    • Updated Azure.AppGwWAF.RuleGroups to use Microsoft Default Rule Set instead of legacy OWASP rule set by @BenjaminEngeset.
      #3553
  • Cosmos DB:
    • Renamed Azure.Cosmos.DisableLocalAuth to Azure.Cosmos.NoSQLLocalAuth to reflect it applies only to NoSQL API by @BernieWhite.
      #3576
• Engineering:
  • Bump Microsoft.Extensions.Logging.Console from 8.0.0 to 10.0.1
    #3627
  • Bump Microsoft.Extensions.Hosting from 9.0.10 to 10.0.1
    #3626

See the change log for details.

v1.46.0

What's changed since v1.45.2:

• New features:
  • Experimental: Added Well-Architected Framework - Security pillar Level 1 maturity baseline by @BernieWhite.
    #3107
    #3517
    • The Azure.Pillar.Security.L1 baseline provides an initial set of rules aligned to the first level of maturity.
    • This is an experimental baseline and may change in future releases.
  • Added CSV download of rule list associated with each baseline by @BernieWhite.
    #3511
  • Added September 2025 baselines Azure.GA_2025_09 and Azure.Preview_2025_09 by @BernieWhite.
    #3539
    • Includes rules released before or during September 2025.
    • Marked Azure.GA_2025_06 and Azure.Preview_2025_06 baselines as obsolete.
• New rules:
  • Azure Cache for Redis:
    • Check that Entra ID is required for all authentication of cache instances by @BernieWhite.
      #3113
  • Container Registry:
    • Check replica locations are within allowed regions by @BernieWhite
      #3442
    • Check that export policy is disabled for registries by @BernieWhite
      #3444
  • Storage Account:
    • Check that local authentication is disabled for storage accounts by @BernieWhite.
      #3115
• Updated rules:
  • Azure Kubernetes Service:
    • Updated Azure.AKS.Version to use 1.32.7 as the minimum version by @BernieWhite.
      #3541
  • Container Registry:
    • Updated Azure.ACR.GeoReplica to ensure geo-replication applies to pre-flight and in-flight cases by @BernieWhite.
      #3477
• General improvements:
  • Updated provider data by @BernieWhite.
    #3538
• Bug fixes:
  • Fixed false negative for App Service web configuration cases set with siteConfig by @BernieWhite.
    #3521

What's changed since pre-release v1.46.0-B0050:

• No additional changes.

See the release and change log for details.

v1.46.0-B0050

What's changed since v1.45.2:

• New features:
  • Experimental: Added Well-Architected Framework - Security pillar Level 1 maturity baseline by @BernieWhite.
    #3107
    #3517
    • The Azure.Pillar.Security.L1 baseline provides an initial set of rules aligned to the first level of maturity.
    • This is an experimental baseline and may change in future releases.
  • Added CSV download of rule list associated with each baseline by @BernieWhite.
    #3511
  • Added September 2025 baselines Azure.GA_2025_09 and Azure.Preview_2025_09 by @BernieWhite.
    #3539
    • Includes rules released before or during September 2025.
    • Marked Azure.GA_2025_06 and Azure.Preview_2025_06 baselines as obsolete.
• New rules:
  • Azure Cache for Redis:
    • Check that Entra ID is required for all authentication of cache instances by @BernieWhite.
      #3113
  • Container Registry:
    • Check replica locations are within allowed regions by @BernieWhite
      #3442
    • Check that export policy is disabled for registries by @BernieWhite
      #3444
  • Storage Account:
    • Check that local authentication is disabled for storage accounts by @BernieWhite.
      #3115
• Updated rules:
  • Azure Kubernetes Service:
    • Updated Azure.AKS.Version to use 1.32.7 as the minimum version by @BernieWhite.
      #3541
  • Container Registry:
    • Updated Azure.ACR.GeoReplica to ensure geo-replication applies to pre-flight and in-flight cases by @BernieWhite.
      #3477
• General improvements:
  • Updated provider data by @BernieWhite.
    #3538
• Bug fixes:
  • Fixed false negative for App Service web configuration cases set with siteConfig by @BernieWhite.
    #3521

See the change log for details.

v1.45.2

What's changed since v1.45.1:

• Bug fixes:
  • Fixed inconsistent handling of subnets with Azure.VNET.SubnetNaming and Azure.VNET.UseNSGs by @BernieWhite
    #3497

See the release and change log for details.

v1.45.1

What's changed since v1.45.0:

• Bug fixes:
  • Fixed imported user defined function is unable to access local variable by @BernieWhite.
    #3483

See the release and change log for details.

v1.45.0

What's changed since v1.44.2:

• New features:
  • Added June 2025 baselines Azure.GA_2025_06 and Azure.Preview_2025_06 by @BernieWhite.
    #3465
    • Includes rules released before or during June 2025.
    • Marked Azure.GA_2025_03 and Azure.Preview_2025_03 baselines as obsolete.
  • Added June 2025 CAF baseline Azure.CAF_2025_06 for recent naming changes by @BernieWhite.
    #3464
• New rules:
  • App Configuration:
    • Check that App Configuration Key Values do not contain known secrets by @BernieWhite.
      #3439
  • Event Grid:
    • Check namespaces use a minimum of TLS 1.2 by @BernieWhite.
      #3354
  • Monitor Alerts:
    • Check that metric alerts are configured to automatically mitigate by @BernieWhite.
      #3457
    • Check that scheduled query alerts are configured for lower frequency by @BernieWhite.
      #3458
• Updated rules:
  • Azure Kubernetes Service:
    • Updated Azure.AKS.Version to use 1.32.5 as the minimum version by @BernieWhite.
      #3463
  • Container Registry:
    • Deprecated Azure.ACR.ContentTrust rule by @BernieWhite.
      #3443
      • The Docker content trust feature will retire in March 2028.
      • Content trust is replaced by OCI artifact signing, which is supported by Azure Container Registry.
  • Virtual Network Gateway:
    • Updated documentation and promoted Azure.VNG.MaintenanceConfig to GA by @BernieWhite.
      #3379
      • Bumped rule set to 2025_06.
• General improvements:
  • Native support for exporting policy as rules by @BernieWhite.
    #2971
    #2970
    • This removes the dependency on the Az.Resources module for policy exports.
  • Optimize generation of nested allOf/ anyOf condition in policy as rules by @BernieWhite.
    #1965
• Bug fixes:
  • Fixed wrong verbose log when running Export-AzPolicyAssignmentData by @BernieWhite.
    #1877
  • Fixed parent is missing on mocked token when expanding PE AVM module by @BernieWhite.
    #3446
  • Fixed Azure.AppGw.MinInstance should allow 0 minimum capacity for v2 with autoscale by @BernieWhite @mbender-ms.
    #3452
  • Fixed secure outputs objects may not be fully mocked by @BernieWhite.
    #3434
  • Fixed incorrect inversion of policy as rules conditions by @BernieWhite.
    #3419
  • Fixed string boolean values not converted during evaluation of policy as rules by @BernieWhite.
    #3426

What's changed since pre-release v1.45.0-B0143:

• No additional changes.

See the release and change log for details.

v1.45.0-B0143

What's changed since pre-release v1.45.0-B0104:

• New features:
  • Added June 2025 baselines Azure.GA_2025_06 and Azure.Preview_2025_06 by @BernieWhite.
    #3465
    • Includes rules released before or during June 2025.
    • Marked Azure.GA_2025_03 and Azure.Preview_2025_03 baselines as obsolete.
  • Added June 2025 CAF baseline Azure.CAF_2025_06 for recent naming changes by @BernieWhite.
    #3464
• Updated rules:
  • Azure Kubernetes Service:
    • Updated Azure.AKS.Version to use 1.32.5 as the minimum version by @BernieWhite.
      #3463

See the change log for details.