As described in the previous post, policies can be downloaded from the Enterprise Scale Architecture Repository and deployed into your own tenant. In addition to those policies, the repo also provides useful Policy Initiatives (Policy Sets), which can be deployed the same way.

To deploy the Policy Set, we use the same steps as for the policies. That means we download the Policy Set (line 1), extract a few properties for later use (lines 2-4), and then deploy the Policy Set to a subscription using the New-AzPolicySetDefinition command (for individual policies the command New-AzPolicyDefinition is used instead).

To assign the Policy Set, the New-AzPolicyAssignment command (line 8) is used, as with the policies. This time, however, the parameter -PolicySetDefinition is used to provide the Policy Set definition, which must first be loaded with Get-AzPolicySetDefinition (line 6). If the default parameters of the Policy Set do not fit, they can be overridden. In this example the parameter appConfigPublicIpDenyEffect (default is Deny) is overridden with Audit (line 7). The parameters are passed with -PolicyParameter (line 8). If no parameters need to be overridden, -PolicyParameter can be omitted.

$set = Invoke-WebRequest https://raw.githubusercontent.com/Azure/terraform-azurerm-caf-enterprise-scale/main/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deny_publicpaasendpoints.tmpl.json
$jsonset = $set.Content | ConvertFrom-Json -Depth 20
$set_def = $jsonset.properties.policyDefinitions | ConvertTo-Json -Depth 20
$set_params = $jsonset.properties.parameters | ConvertTo-Json -Depth 20
New-AzPolicySetDefinition -Name $jsonset.Name -SubscriptionId <SUBSCRIPTION ID> -Metadata '{"Category":"Network"}' -DisplayName $jsonset.properties.displayName -Description $jsonset.properties.description -Parameter $set_params -PolicyDefinition $set_def
$plcySet = Get-AzPolicySetDefinition -Name $jsonset.Name
$overwrite_params = '{ "appConfigPublicIpDenyEffect": { "value": "Audit" } }'
New-AzPolicyAssignment -Name $jsonset.Name -PolicySetDefinition $plcySet -Scope "/subscriptions/<SUBSCRIPTION ID>/resourceGroups/rg-acr" -PolicyParameter $overwrite_params

Once the assignment has been made, the assigned Policy Set/Initiative can be seen in the portal. Note that the appConfigPublicIpDenyEffect parameter was successfully overridden.

⚠️ But keep in mind that you can only assign Initiatives whose referenced policies have already been deployed. If the policies of the Initiative are missing, they will not be downloaded automatically and must be deployed manually before the Initiative is assigned.
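To catch that situation before New-AzPolicySetDefinition (or the later assignment) fails, the following check can be run right after the Policy Set has been parsed. It is an added example written for this post's scenario, not code from the original snippet or from the Enterprise Scale repo; it assumes $jsonset holds the object produced by ConvertFrom-Json above, that the Az.Resources module is loaded, and that the last path segment of each policyDefinitionId is the definition name.

```powershell
# Added example (not part of the original post): list the policy definitions
# referenced by a downloaded Policy Set and report which are not yet deployed
# in the target subscription.
function Test-PolicySetPrerequisites {
    param(
        [Parameter(Mandatory)] $PolicySet,               # object from ConvertFrom-Json
        [Parameter(Mandatory)] [string] $SubscriptionId  # target subscription
    )

    # Names of all policy definitions currently visible in the subscription
    # (custom ones plus built-ins), keyed by name for fast lookup.
    $existing = @{}
    Get-AzPolicyDefinition -SubscriptionId $SubscriptionId |
        ForEach-Object { $existing[$_.Name] = $true }

    $missing = @()
    foreach ($ref in $PolicySet.properties.policyDefinitions) {
        # The template references each definition by resource ID; the last
        # path segment is the definition name. This works whether or not the
        # ID still carries a scope placeholder from the repo template (assumption).
        $name = ($ref.policyDefinitionId -split '/')[-1]
        if (-not $existing.ContainsKey($name)) { $missing += $name }
    }

    if ($missing.Count -gt 0) {
        Write-Warning ("Policy Set '{0}' references {1} definition(s) missing in subscription {2}:" -f `
            $PolicySet.name, $missing.Count, $SubscriptionId)
        $missing | ForEach-Object { Write-Warning "  $_" }
        return $false
    }

    Write-Host "All policy definitions referenced by '$($PolicySet.name)' are present."
    return $true
}

# Usage: stop before New-AzPolicySetDefinition if any referenced policy is missing.
if (-not (Test-PolicySetPrerequisites -PolicySet $jsonset -SubscriptionId '<SUBSCRIPTION ID>')) {
    throw "Deploy the missing policy definitions first (see the previous post), then retry."
}
```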