Azure · taoyangcloud · May 21, 2026 · May 20, 2026 · May 21, 2026 · May 21, 2026
diff --git a/policyAssignments/dev/pa-d-pedns.json b/policyAssignments/dev/pa-d-pedns.json
@@ -61,6 +61,9 @@
       "PEDNS-017_Effect": {
         "value": "DeployIfNotExists"
       },
+      "PEDNS-018_Effect": {
+        "value": "DeployIfNotExists"
+      },
       "evaluationDelay": {
         "value": "AfterProvisioning"
       },
@@ -139,6 +142,10 @@
       {
         "policyDefinitionReferenceId": "PEDNS-017",
         "message": "PolicyID: PEDNS-017 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Cosmos DB SQL Private Endpoint must be configured'"
+      },
+      {
+        "policyDefinitionReferenceId": "PEDNS-018",
+        "message": "PolicyID: PEDNS-018 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Azure Search Services Private Endpoint must be configured'"
       }
     ]
   },

diff --git a/policyAssignments/dev/pa-d-search.json b/policyAssignments/dev/pa-d-search.json
@@ -0,0 +1,32 @@
+{
+  "$schema": "../policyAssignment.schema.json",
+  "policyAssignment": {
+    "name": "pa-d-search",
+    "displayName": "Azure Search Services Policies Dev",
+    "description": "Policy Assignment for Azure Search Services - Dev",
+    "metadata": {
+      "category": "Azure Search Services"
+    },
+    "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policySetDefinitions/polset-search",
+    "identity": "SystemAssigned",
+    "parameters": {
+      "SRCH-001_Effect": {
+        "value": "Deny"
+      },
+      "SRCH-002_Effect": {
+        "value": "Modify"
+      },
+      "SRCH-003_Effect": {
+        "value": "Deny"
+      }
+
+    },
+    "nonComplianceMessages": [
+    ],
+    "roleDefinitionIds": [
+      "/providers/microsoft.authorization/roleDefinitions/7ca78c08-252a-4471-8644-bb5ff32d4ba0"
+    ]
+  },
+  "definitionSourceManagementGroupId": "/providers/Microsoft.Management/managementGroups/CONTOSO-DEV",
+  "managementGroupId": "CONTOSO-DEV"
+}
diff --git a/policyAssignments/prod/pa-p-pedns.json b/policyAssignments/prod/pa-p-pedns.json
@@ -61,6 +61,9 @@
       "PEDNS-017_Effect": {
         "value": "DeployIfNotExists"
       },
+      "PEDNS-018_Effect": {
+        "value": "DeployIfNotExists"
+      },
       "evaluationDelay": {
         "value": "AfterProvisioning"
       },
@@ -139,6 +142,10 @@
       {
         "policyDefinitionReferenceId": "PEDNS-017",
         "message": "PolicyID: PEDNS-017 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Cosmos DB SQL Private Endpoint must be configured'"
+      },
+      {
+        "policyDefinitionReferenceId": "PEDNS-018",
+        "message": "PolicyID: PEDNS-018 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Azure Search Services Private Endpoint must be configured'"
       }
     ]
   },

diff --git a/policyAssignments/prod/pa-p-search.json b/policyAssignments/prod/pa-p-search.json
@@ -0,0 +1,32 @@
+{
+  "$schema": "../policyAssignment.schema.json",
+  "policyAssignment": {
+    "name": "pa-p-search",
+    "displayName": "Azure Search Services Policies Prod",
+    "description": "Policy Assignment for Azure Search Services - Prod",
+    "metadata": {
+      "category": "Azure Search Services"
+    },
+    "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policySetDefinitions/polset-search",
+    "identity": "SystemAssigned",
+    "parameters": {
+      "SRCH-001_Effect": {
+        "value": "Deny"
+      },
+      "SRCH-002_Effect": {
+        "value": "Modify"
+      },
+      "SRCH-003_Effect": {
+        "value": "Deny"
+      }
+
+    },
+    "nonComplianceMessages": [
+    ],
+    "roleDefinitionIds": [
+      "/providers/microsoft.authorization/roleDefinitions/7ca78c08-252a-4471-8644-bb5ff32d4ba0"
+    ]
+  },
+  "definitionSourceManagementGroupId": "/providers/Microsoft.Management/managementGroups/CONTOSO",
+  "managementGroupId": "CONTOSO"
+}
diff --git a/policyInitiatives/polset-pedns.json b/policyInitiatives/polset-pedns.json
@@ -214,6 +214,18 @@
         ],
         "defaultValue": "DeployIfNotExists"
       },
+      "PEDNS-018_Effect": {
+        "type": "string",
+        "metadata": {
+          "displayName": "PEDNS-018 Effect: Azure AI Search",
+          "description": "Enable or disable the execution of the policy"
+        },
+        "allowedValues": [
+          "DeployIfNotExists",
+          "Disabled"
+        ],
+        "defaultValue": "DeployIfNotExists"
+      },
       "evaluationDelay": {
         "type": "string",
         "metadata": {
@@ -659,6 +671,30 @@
         "groupNames": [
           "ISO27001-2013_A.13.1.3"
         ]
+      },
+      {
+        "policyDefinitionReferenceId": "PEDNS-018",
+        "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policyDefinitions/pol-deploy-pe-dns-records-single-dns-zone-all-locations",
+        "parameters": {
+          "Effect": {
+            "value": "[parameters('PEDNS-018_Effect')]"
+          },
+          "evaluationDelay": {
+            "value": "[parameters('evaluationDelay')]"
+          },
+          "groupId": {
+            "value": "searchService"
+          },
+          "privateDnsZoneId": {
+            "value": "[concat(parameters('privateDnsZoneResourceGroup'), '/providers/Microsoft.Network/privateDnsZones/', 'privatelink.search.windows.net')]"
+          },
+          "privateLinkServiceResourceType": {
+            "value": "Microsoft.Search/searchServices"
+          }
+        },
+        "groupNames": [
+          "ISO27001-2013_A.13.1.3"
+        ]
       }
     ]
   }

diff --git a/policyInitiatives/polset-search.json b/policyInitiatives/polset-search.json
@@ -0,0 +1,108 @@
+{
+  "name": "polset-search",
+  "properties": {
+    "displayName": "Azure Search Services Policy Initiative",
+    "description": "This policy initiative defines the foundation security requirements for Azure Search Services",
+    "metadata": {
+      "category": "Search",
+      "version": "1.0.0",
+      "preview": false,
+      "deprecated": false
+    },
+    "parameters": {
+      "SRCH-001_Effect": {
+        "type": "String",
+        "metadata": {
+          "displayName": "SRCH-001 Effect: Azure AI Search service should use a SKU that supports private link",
+          "description": "Enable or disable the execution of the policy"
+        },
+        "allowedValues": [
+          "Audit",
+          "Deny",
+          "Disabled"
+        ],
+        "defaultValue": "Deny"
+      },
+      "SRCH-002_Effect": {
+        "type": "String",
+        "metadata": {
+          "displayName": "SRCH-002 Effect: Configure Azure AI Search services to disable local authentication",
+          "description": "Enable or disable the execution of the policy"
+        },
+        "allowedValues": [
+          "Modify",
+          "Disabled"
+        ],
+        "defaultValue": "Modify"
+      },
+      "SRCH-003_Effect": {
+        "type": "String",
+        "metadata": {
+          "displayName": "SRCH-003 Effect: Azure AI Search services should restrict public network access",
+          "description": "Enable or disable the execution of the policy"
+        },
+        "allowedValues": [
+          "Audit",
+          "Deny",
+          "Disabled"
+        ],
+        "defaultValue": "Deny"
+      }
+    },
+    "policyDefinitionGroups": [
+      {
+        "name": "ISO27001-2013_A.9.2.3",
+        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.9.2.3"
+      },
+      {
+        "name": "ISO27001-2013_A.13.1.1",
+        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.13.1.1"
+      },
+      {
+        "name": "ISO27001-2013_A.13.1.3",
+        "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.13.1.3"
+      }
+    ],
+    "policyDefinitions": [
+      {
+        "policyDefinitionReferenceId": "SRCH-001",
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83",
+        "definitionVersion": "1.0.*",
+        "parameters": {
+          "effect": {
+            "value": "[parameters('SRCH-001_Effect')]"
+          }
+        },
+        "groupNames": [
+          "ISO27001-2013_A.13.1.1"
+        ]
+      },
+      {
+        "policyDefinitionReferenceId": "SRCH-002",
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4eb216f2-9dba-4979-86e6-5d7e63ce3b75",
+        "definitionVersion": "2.0.*",
+        "parameters": {
+          "effect": {
+            "value": "[parameters('SRCH-002_Effect')]"
+          }
+        },
+        "groupNames": [
+          "ISO27001-2013_A.9.2.3"
+        ]
+      },
+      {
+        "policyDefinitionReferenceId": "SRCH-003",
+        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ee980b6d-0eca-4501-8d54-f6290fd512c3",
+        "definitionVersion": "1.0.*",
+        "parameters": {
+          "effect": {
+            "value": "[parameters('SRCH-003_Effect')]"
+          }
+        },
+        "groupNames": [
+          "ISO27001-2013_A.13.1.3"
+        ]
+      }
+    ]
+  }
+}
diff --git a/tests/policy-integration-tests/search/README.md b/tests/policy-integration-tests/search/README.md
@@ -0,0 +1,23 @@
+# Policy Integration Test - Policy Integration Test Cases for xxx
+
+## Introduction
+
+This folder contains a sample test case for xxx related policies.
+
+The test case is designed to test the following policy assignments:
+
+| Policy Assignment Name | Policy Assignment Scope | Description |
+| :--------------------- | :--------------------- | :---------- |
+| `pa-d-search` | `/providers/Microsoft.Management/managementGroups/CONTOSO-DEV` | Policy Assignment for the Azure Search Service initiative |
+| `pa-d-pedns` | `/providers/Microsoft.Management/managementGroups/CONTOSO-DEV` | Policy Assignment for Azure Private Endpoint DNS Records Policy Initiative (deploy DNS records for Private Endpoints) |
+| `pa-d-diag-settings` | `/providers/Microsoft.Management/managementGroups/CONTOSO-DEV` | Policy Assignment for Azure Diagnostic Settings Policy Initiative (deploy diagnostic settings for all applicable Azure resources) |
+
+The following policies are in scope for testing:
+
+| Policy Assignment | Policy Reference ID | Policy Name | Policy Effect |
+| :---------------- | :---------------- | :------------ | :------------ |
+| `pa-d-search` | `SRCH-001` | Azure AI Search service should use a SKU that supports private link | Deny |
+| `pa-d-search` | `SRCH-002` | Configure Azure AI Search services to disable local authentication | Modify |
+| `pa-d-search` | `SRCH-003` | Azure AI Search services should restrict public network access | Deny |
+| `pa-d-diag-settings` | `DS-045` | Configure Diagnostic Setting for Azure Search Service | DeployIfNotExists |
+| `pa-d-pedns` | `PEDNS-017` | Private DNS Record for Azure Search Service Private Endpoint must exist | DeployIfNotExists |
diff --git a/tests/policy-integration-tests/search/config.json b/tests/policy-integration-tests/search/config.json
@@ -0,0 +1,16 @@
+{
+  "policyAssignmentIds": [
+    "/providers/Microsoft.Management/managementGroups/CONTOSO-DEV/providers/Microsoft.Authorization/policyAssignments/pa-d-pedns",
+    "/providers/Microsoft.Management/managementGroups/CONTOSO-DEV/providers/Microsoft.Authorization/policyAssignments/pa-d-search",
+    "/providers/Microsoft.Management/managementGroups/CONTOSO-DEV/providers/Microsoft.Authorization/policyAssignments/pa-d-diag-settings"
+  ],
+  "testName": "SearchService",
+  "searchServiceAssignmentName": "pa-d-search",
+  "diagSettingsAssignmentName": "pa-d-diag-settings",
+  "peDNSAssignmentName": "pa-d-pedns",
+  "testSubscription": "sub-d-lz-corp-01",
+  "testResourceGroup": "rg-ae-d-policy-test-search-001",
+  "location": "australiaeast",
+  "tagsForResourceGroup": false,
+  "removeTestResourceGroup": true
+}
diff --git a/tests/policy-integration-tests/search/main.bad.bicep b/tests/policy-integration-tests/search/main.bad.bicep
@@ -0,0 +1,34 @@
+metadata itemDisplayName = 'Test Template for AI Search Service'
+metadata description = 'This template deploys the testing resource for AI Search Service.'
+metadata summary = 'Deploys test AI Search Service resources that should violate some policy assignments.'
+
+// ============ //
+// variables    //
+// ============ //
+// Load the configuration file
+var globalConfig = loadJsonContent('../.shared/policy_integration_test_config.jsonc')
+var localConfig = loadJsonContent('config.json')
+
+var location = localConfig.location
+var namePrefix = globalConfig.namePrefix
+
+// define template specific variables
+var serviceShort = 'srch3'
+
+resource searchService 'Microsoft.Search/searchServices@2026-03-01-preview' = {
+  name: '${namePrefix}${serviceShort}01'
+  location: location
+  sku: {
+    name: 'free' //This should violate policy SRCH-001: Azure AI Search service should use a SKU that supports private link, since free SKU does not support private link
+  }
+  identity: {
+    type: 'SystemAssigned'
+  }
+  properties: {
+    hostingMode: 'Default'
+    publicNetworkAccess: 'Enabled' //This should violate policy SRCH-003: Azure AI Search services should restrict public network access
+    replicaCount: 1
+    partitionCount: 1
+    computeType: 'Default'
+  }
+}
diff --git a/tests/policy-integration-tests/search/main.good.bicep b/tests/policy-integration-tests/search/main.good.bicep
@@ -0,0 +1,34 @@
+metadata itemDisplayName = 'Test Template for AI Search Service'
+metadata description = 'This template deploys the testing resource for AI Search Service.'
+metadata summary = 'Deploys test AI Search Service resources that should comply with all policy assignments.'
+
+// ============ //
+// variables    //
+// ============ //
+// Load the configuration file
+var globalConfig = loadJsonContent('../.shared/policy_integration_test_config.jsonc')
+var localConfig = loadJsonContent('config.json')
+
+var location = localConfig.location
+var namePrefix = globalConfig.namePrefix
+
+// define template specific variables
+var serviceShort = 'srch2'
+
+resource searchService 'Microsoft.Search/searchServices@2026-03-01-preview' = {
+  name: '${namePrefix}${serviceShort}01'
+  location: location
+  sku: {
+    name: 'standard' //This should comply with policy SRCH-001: Azure AI Search service should use a SKU that supports private link, since Basic SKU does not support private link
+  }
+  identity: {
+    type: 'SystemAssigned'
+  }
+  properties: {
+    hostingMode: 'Default'
+    publicNetworkAccess: 'Disabled' //This should comply with policy SRCH-003: Azure AI Search services should restrict public network access
+    replicaCount: 1
+    partitionCount: 1
+    computeType: 'Default'
+  }
+}