SLZ Sync creates unmapped policy assignments

[neok-g]

The command Sync-ALZPolicyFromLibrary -DefinitionsRootFolder .\Definitions\ -Type SLZ -PacEnvironmentSelector non-production -EnableOverrides -CreateGuardrailAssignments creates the following new policy assignments below:

However, they are not mapped to any management group. The assignment files contain an empty scope:

  "scope": {
    "non-production": [
      null
    ]
  }

Further I do see they have a parent node something like sovereign_l1_controls e.g. sovereign_l1_controls/Enforce-Sov-L1-Regions.

So how should I map these to existing management groups?

[anwather]

The ALZ team have made some substantial changes to how SLZ assignments align, I have some code ready to adjust to this but it will be breaking change - i.e you will have to generate a new structure file for SLZ before syncing.

[neok-g]

@anwather OK. I will give it a try once you are ready. They apparently also removed the policy assignment Enforce-Sovereign-Global.jsonc

[anwather]

Yeah there were some big changes - there is branch in GitHub (aw/issue1292) if you want to test the fix before I push it

…

________________________________ From: neok-g ***@***.***> Sent: Friday, May 8, 2026 5:24 PM To: Azure/enterprise-azure-policy-as-code ***@***.***> Cc: Mention ***@***.***>; Comment ***@***.***>; Assign ***@***.***>; Subscribed ***@***.***> Subject: Re: [Azure/enterprise-azure-policy-as-code] SLZ Sync creates unmapped policy assignments (Issue #1292) @anwather<https://github.com/anwather> OK. I will give it a try once you are ready. They apparently also removed the policy assignment Enforce-Sovereign-Global.jsonc — Reply to this email directly, view it on GitHub<#1292 (comment)> or unsubscribe<https://github.com/notifications/unsubscribe-auth/ACWCJVQ2TRIMYEFKGLK553T4ZWDT5BFHORZGSZ3HMVZKMY3SMVQXIZNMON2WE2TFMN2F65DZOBS2YSLTON2WKQ3PNVWWK3TUUZ2G64DJMNZZFAVEOR4XAZNKOJSXA33TNF2G64TZUV3GC3DVMWUTGMZXGE3DEOBTHCBKI5DZOBS2K2LTON2WLJLWMFWHKZNKGQZTSMJYGM2DQMRYVJQXI5DSNFRHK5DFOOLIFJLWMFWHKZNEORZHKZNENZQW2ZN3ORUHEZLBMRPXAYLSORUWG2LQMFXHIX3BMN2GS5TJOR4YFJLWMFWHKZNEORZHKZNENZQW2ZNOO5QXIY3IL5QWG5DJOZUXI6MCUV3GC3DVMWSWS43TOVS2I3TBNVS2W5DIOJSWCZC7OR4XAZMCUV3GC3DVMWTTGMRSHA4DCMFENZQW2ZNIMFRXI33SL5UWJAVFOZQWY5LFVIZDOMRVHE4DSNBXHCSG4YLNMWUWQYLTL5WGCYTFNSBKK5TBNR2WLKZRGA4DSMZUHE2DQOJSURXGC3LFVFUGC427NRQWEZLM>. You are receiving this email because you were mentioned. Triage notifications on the go with GitHub Mobile for iOS<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.

[neok-g]

@anwather I will try this out today or tomorrow. Thanks again!

[neok-g]

@anwather Some feedback:

• Question: I do see the purpose of archetypeScopeMappings but can this not be included in the already existing managementGroupNameMappings. Or is this to map managementgroup(s) to policy assignment nodes that do not exist within the managementGroupName mapping list?

• The overrides for archetypes does not seem to work properly. The 2 policy assignments are not removed when syncing with the -EnableOverrides switch. The ignore however still works so everything for sovereign_l3_controls is removed.

  "overrides": {
    "archetypes": {
      "custom": [
        {
          "name": "sovereign_l2_controls",
          "type": "existing",
          "policy_assignments_to_add": [],
          "policy_assignments_to_remove": [
            "Enforce-Sov-L2-CMKM",
            "Enforce-Sov-L2-CMKP"
          ]
        }
      ],
      "ignore": [
        "sovereign_l3_controls"
      ]
    },

• Off-topic: if I run Sync-ALZPolicyFromLibrary.ps1 I always get this error:

[anwather]

Thanks will have a look tomorrow, good Pickup on the other error, looks like a missing bracket in a PR done today Get Outlook for Android<https://aka.ms/AAb9ysg>

…

________________________________ From: neok-g ***@***.***> Sent: Tuesday, May 12, 2026 6:29:30 PM To: Azure/enterprise-azure-policy-as-code ***@***.***> Cc: Mention ***@***.***>; Comment ***@***.***>; Assign ***@***.***>; Subscribed ***@***.***> Subject: Re: [Azure/enterprise-azure-policy-as-code] SLZ Sync creates unmapped policy assignments (Issue #1292) @anwather<https://github.com/anwather> Some feedback: * Question: I do see the purpose of archetypeScopeMappings but can this not be included in the already existing managementGroupNameMappings. Or is this to map managementgroup(s) to policy assignment nodes that do not exist within the managementGroupName mapping list? * The overrides for archetypes does not seem to work properly. The 2 policy assignments are not removed when syncing with the -EnableOverrides switch. The ignore however still works so everything for sovereign_l3_controls is removed. "overrides": { "archetypes": { "custom": [ { "name": "sovereign_l2_controls", "type": "existing", "policy_assignments_to_add": [], "policy_assignments_to_remove": [ "Enforce-Sov-L2-CMKM", "Enforce-Sov-L2-CMKP" ] } ], "ignore": [ "sovereign_l3_controls" ] }, * Off-topic: if I run Sync-ALZPolicyFromLibrary.ps1 I always get this error: image.png (view on web)<https://github.com/user-attachments/assets/be74b788-1e17-4ca4-929c-d2081f15b916> — Reply to this email directly, view it on GitHub<#1292 (comment)> or unsubscribe<https://github.com/notifications/unsubscribe-auth/ACWCJVX2RABHRFSBVJKDPNT42LOGXBFHORZGSZ3HMVZKMY3SMVQXIZNMON2WE2TFMN2F65DZOBS2YSLTON2WKQ3PNVWWK3TUUZ2G64DJMNZZFAVEOR4XAZNKOJSXA33TNF2G64TZUV3GC3DVMWUTGMZXGE3DEOBTHCBKI5DZOBS2K2LTON2WLJLWMFWHKZNKGQZTSMJYGM2DQMRYVJQXI5DSNFRHK5DFOOLIFJLWMFWHKZNEORZHKZNENZQW2ZN3ORUHEZLBMRPXAYLSORUWG2LQMFXHIX3BMN2GS5TJOR4YFJLWMFWHKZNEORZHKZNENZQW2ZNOO5QXIY3IL5QWG5DJOZUXI6MCUV3GC3DVMWSWS43TOVS2I3TBNVS2W5DIOJSWCZC7OR4XAZMCUV3GC3DVMWTTGMRSHA4DCMFENZQW2ZNIMFRXI33SL5UWJAVFOZQWY5LFVIZDOMRVHE4DSNBXHCSG4YLNMWUWQYLTL5WGCYTFNSBKK5TBNR2WLKZRGA4DSMZUHE2DQOJSURXGC3LFVFUGC427NRQWEZLM>. You are receiving this email because you were mentioned. Triage notifications on the go with GitHub Mobile for iOS<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.

[anwather]

Question: I do see the purpose of archetypeScopeMappings but can this not be included in the already existing managementGroupNameMappings. Or is this to map managementgroup(s) to policy assignment nodes that do not exist within the managementGroupName mapping list?

Yes - but I might clean it up and just put the sovereign groups in there

@neok-g Check branch aw/issue1292_v2 - overrides should be fixed and the archetype mappings only include the sovereign types

[neok-g]

@anwather I was a few days out of office. I will check your new branch today.

[neok-g]

There seems some strange behavior with the initial sync. Steps to reproduce:

1. Used aw/issue1292_v2
2. Remove SLZ default structure files and the SLZ policyassignments folder
3. Run New-ALZPolicyDefaultStructure script
4. Do not apply any overrides or customizations in the generated SLZ default structure file
5. Run Sync-ALZPolicyFromLibrary script. It generates the following output:

  • Policy default structure file: C:\Workspaces\src\enterprise-azure-policy-as-code-1\Definitions\policyStructures\slz.policy_default_structure.non-production.jsonc
  • Overrides enabled: Custom management group structures and assignments will be used where available.
  ⚠ Custom archetype 'sovereign_l2_controls' not found in management group mappings. Skipping.
  ⚠ Custom archetype 'sovereign_l3_controls' not found in management group mappings. Skipping.

    Directory: C:\Workspaces\src\enterprise-azure-policy-as-code-1\Definitions\policyAssignments\SLZ\non-production\Public

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a---           5/19/2026  9:47 AM           1814 Deny-L3-IP-Routing.jsonc
  • Ignoring archetype: sovereign_l1_controls

    Directory: C:\Workspaces\src\enterprise-azure-policy-as-code-1\Definitions\policyAssignments\SLZ\non-production\sovereign_l2_controls

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a---           5/19/2026  9:47 AM           1803 Enforce-Sov-L2-TLS.jsonc
-a---           5/19/2026  9:47 AM           1723 Enforce-Sov-L2-HTTPS.jsonc
-a---           5/19/2026  9:47 AM           1763 Enforce-Sov-L2-CMKP.jsonc
-a---           5/19/2026  9:47 AM           1769 Enforce-Sov-L2-CMKM.jsonc

    Directory: C:\Workspaces\src\enterprise-azure-policy-as-code-1\Definitions\policyAssignments\SLZ\non-production\sovereign_l3_controls

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a---           5/19/2026  9:47 AM          15985 Enforce-Sov-L3-Conf.jsonc
✓ ALZ Policy sync completed successfully

Some things that are remarkable:

• 2 warnings for sovereign_l2_controls and sovereign_l3_controls not found in management group mappings but not for sovereign_l1_controls?
• And sovereign_l1_controls is completely ignored: • Ignoring archetype: sovereign_l1_controls

[neok-g]

Still the ParserError in both Sync-ALZPolicyFromLibrary.ps1 and New-ALZPolicyDefaultStructure.ps1

PS C:\Workspaces\src\enterprise-azure-policy-as-code-1> . 'C:\Workspaces\src\enterprise-azure-policy-as-code-1\Scripts\CloudAdoptionFramework\Sync-ALZPolicyFromLibrary.ps1'
ParserError: C:\Workspaces\src\enterprise-azure-policy-as-code-1\Scripts\Helpers\Out-DocumentationForPolicySets.ps1:1:41
Line |
   1 |  function Out-DocumentationForPolicySets {
     |                                          ~
     | Missing closing '}' in statement block or type definition.

[neok-g]

Removing policy assignments via the overrides now seems to work properly. The following policy assignments are all removed after syncing. However sovereign_l1_controls is still completely ignore while I do not exclude it.

  "overrides": {
    "archetypes": {
      "custom": [
        {
          "name": "sovereign_l2_controls",
          "type": "existing",
          "policy_assignments_to_add": [],
          "policy_assignments_to_remove": [            
            "Enforce-Sov-L2-CMKM",
            "Enforce-Sov-L2-CMKP",
            "Enforce-Sov-L2-HTTPS",
            "Enforce-Sov-L2-TLS"
          ]
        },
        {
          "name": "sovereign_l3_controls",
          "type": "existing",
          "policy_assignments_to_add": [],
          "policy_assignments_to_remove": [            
            "Enforce-Sov-L3-Conf"
          ]
        }       
      ],
      "ignore": []
    }
  }    

[anwather]

I'll have a look tomorrow, not sure where I got up to on this one... Get Outlook for Android<https://aka.ms/AAb9ysg>

…

________________________________ From: neok-g ***@***.***> Sent: Tuesday, 19 May 2026 17:55:59 To: Azure/enterprise-azure-policy-as-code ***@***.***> Cc: Assign ***@***.***>; Subscribed ***@***.***>; Comment ***@***.***> Subject: Re: [Azure/enterprise-azure-policy-as-code] SLZ Sync creates unmapped policy assignments (Issue #1292) Removing policy assignments via the overrides now seems to work properly. The following policy assignments are all removed after syncing. However sovereign_l1_controls is still completely ignore while I do not exclude it. "overrides": { "archetypes": { "custom": [ { "name": "sovereign_l2_controls", "type": "existing", "policy_assignments_to_add": [], "policy_assignments_to_remove": [ "Enforce-Sov-L2-CMKM", "Enforce-Sov-L2-CMKP", "Enforce-Sov-L2-HTTPS", "Enforce-Sov-L2-TLS" ] }, { "name": "sovereign_l3_controls", "type": "existing", "policy_assignments_to_add": [], "policy_assignments_to_remove": [ "Enforce-Sov-L3-Conf" ] } ], "ignore": [] } } — Reply to this email directly, view it on GitHub<#1292 (comment)> or unsubscribe<https://github.com/notifications/unsubscribe-auth/ACWCJVXYD37FKCFVTY6Q3ZT43QHQ7BFHORZGSZ3HMVZKMY3SMVQXIZNMON2WE2TFMN2F65DZOBS2YSLTON2WKQ3PNVWWK3TUUZ2G64DJMNZZFAVEOR4XAZNKOJSXA33TNF2G64TZUV3GC3DVMWUTGMZXGE3DEOBTHCBKI5DZOBS2K2LTON2WLJLWMFWHKZNKGQZTSMJYGM2DQMRYVJQXI5DSNFRHK5DFOOLIFJLWMFWHKZNEORZHKZNENZQW2ZN3ORUHEZLBMRPXAYLSORUWG2LQMFXHIX3BMN2GS5TJOR4YFJLWMFWHKZNEORZHKZNENZQW2ZNOO5QXIY3IL5QWG5DJOZUXI6MCUV3GC3DVMWSWS43TOVS2I3TBNVS2W5DIOJSWCZC7OR4XAZMCUV3GC3DVMWTTGMRSHA4DCMFENZQW2ZNIMFRXI33SL5UWJAVFOZQWY5LFVIZDOMRVHE4DSNBXHCSG4YLNMWUWQYLTL5WGCYTFNSBKK5TBNR2WLKZRGA4DSMZUHE2DQOJSURXGC3LFVFUGC427NRQWEZLM>. You are receiving this email because you were assigned. Triage notifications on the go with GitHub Mobile for iOS<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.