Azure · Jul 11, 2019
diff --git a/‎.github/ISSUE_TEMPLATE/Alias_request.md
-29 b/‎.github/ISSUE_TEMPLATE/Alias_request.md
-29
diff --git a/‎.github/ISSUE_TEMPLATE/General.md
-7 b/‎.github/ISSUE_TEMPLATE/General.md
-7
diff --git a/‎.github/ISSUE_TEMPLATE/Policy_package_proposal.md
-35 b/‎.github/ISSUE_TEMPLATE/Policy_package_proposal.md
-35
diff --git a/‎.github/ISSUE_TEMPLATE/Problem_with_policy.md ‎.github/ISSUE_TEMPLATE/Sample_issue.md
+7-5 b/‎.github/ISSUE_TEMPLATE/Problem_with_policy.md ‎.github/ISSUE_TEMPLATE/Sample_issue.md
+7-5
diff --git a/‎1-contribution-guide/request-alias.md
-72 b/‎1-contribution-guide/request-alias.md
-72
diff --git a/‎README.md
+80-27 b/‎README.md
+80-27
@@ -1,12 +1,14 @@
 ---
-name: Problem with a policy
-about: If you have a problem, bug, or enhancement with a policy.
+name: Problem with a policy sample
+about: If you discover a problem, bug, or enhancement with a policy sample in this repository.
 ---
 <!--
-    Your feedback and support is greatly appreciated, thanks for contributing!
+    Your feedback and support of these samples is greatly appreciated, thanks for contributing!
+
+	**Note:** support for Azure Policy has transitioned to standard Azure support channels so this repository will no longer be monitored for support requests. Issues opened here are only to report specific problems with the samples published in this repository. Any other issues will be closed with a pointer to the README. Check [**here**](https://github.com/Azure/azure-policy#getting-support) for information about getting support for Azure Policy.
 
     ISSUE TITLE:
-    Please prefix the issue title with the policy package name, e.g.
+    Please prefix the issue title with the policy sample name, e.g.
     'PolicyName: Short description of my issue'
 
     ISSUE DESCRIPTION (this template):
@@ -31,7 +33,7 @@ about: If you have a problem, bug, or enhancement with a policy.
 <!--
     Please provide as much as possible about the target node, for example
     edition, version, build and language.
-    On OS with WMF 5.1 the following command can help get this information.
+    On OS with WMF 5.1 the following Powershell command can help get this information.
 
     Get-ComputerInfo -Property @(
         'OsName',
 
@@ -1,16 +1,26 @@
-# Azure Policy
+# Azure Policy Samples
 
-Check here for a current list of [**known issues**](#known-issues).
+This repository contains samples of Azure Policies that can be used as reference for creating and assigning policies to your subscriptions and resource groups. For additional samples with descriptions, see [Policy samples](https://docs.microsoft.com/azure/governance/policy/samples/) on docs.microsoft.com.
 
-## Alias Requests
+## Contributing
+
+To get started contributing to the samples, please visit our [**contribution guide**](./1-contribution-guide/README.md#contribution-guide).
+
+## Reporting Samples Issues
+
+If you discover a problem with any of the samples published here that isn't already reported in [**Issues**](https://github.com/Azure/azure-policy/issues), open a [**New issue**](https://github.com/Azure/azure-policy/issues/new/choose).
 
-[**Requesting Policy Aliases**](#requesting-policy-aliases)
+# Azure Policy Support
 
-## Samples
+Support for Azure Policy has transitioned to standard Azure support channels so this repository will no longer be monitored for support requests. Issues opened here are only to report specific problems with the samples published in this repository. Any other issues will be closed with a pointer to this notice. Check [**here**](#getting-support) for information about getting support for Azure Policy.
 
-This repository contains samples of Azure Policies that can be used as reference for creating and assigning policies to your subscriptions and resource groups. For a full list of samples with descriptions, see [Policy samples](https://docs.microsoft.com/azure/governance/policy/samples/) on docs.microsoft.com.
+# Azure Policy Known Issues
 
-### Articles
+Check here for a current list of [**known issues**](#known-issues) for Azure Policy.
+
+# Azure Policy Resources
+
+## Articles
 
 - [Azure Policy overview](https://docs.microsoft.com/azure/governance/policy/overview)
 - [How to assign policies using the Azure portal](https://docs.microsoft.com/azure/governance/policy/assign-policy-portal)
@@ -23,7 +33,7 @@ This repository contains samples of Azure Policies that can be used as reference
 - [Get compliance data](https://docs.microsoft.com/azure/governance/policy/how-to/get-compliance-data)
 - [Remediate non-compliant resources](https://docs.microsoft.com/azure/governance/policy/how-to/remediate-resources)
 
-### References
+## References
 
 - [Azure CLI](https://docs.microsoft.com/cli/azure/policy)
 - Azure PowerShell
@@ -39,64 +49,107 @@ This repository contains samples of Azure Policies that can be used as reference
   - [Remediations](https://docs.microsoft.com/rest/api/policy-insights/remediations)
   - [Guest Configuration (preview)](https://docs.microsoft.com/rest/api/guestconfiguration/)
 
-### Other
+## Other
 
 - [Video - Build 2018](https://channel9.msdn.com/events/Build/2018/THR2030)
 
-## Contributing
+## Getting Support
+
+The general Azure Policy support role of this repository has transitioned to standard Azure support channels. See below for information about getting support help for Azure Policy.
+
+### Alias Requests
+
+An alias enables you to restrict what values or conditions are permitted for a *property* on a resource. Each alias maps to the paths in different API versions for a given resource type. During policy evaluation, the policy engine gets the property path for that API version.
+See the documentation page on aliases [**here**](https://docs.microsoft.com/azure/governance/policy/concepts/definition-structure#aliases). For additional information about Azure Policy and aliases, visit this [**blog post**](https://azure.microsoft.com/blog/more-resource-policy-aliases/).
+
+Previously, this repository was the official channel to open requests for new aliases. Since the full set of aliases for most namespaces have now been published, support for requesting aliases is now handled by Azure Customer Support. Open a new [**Azure Customer Support ticket**](https://azure.microsoft.com/support/create-ticket/) if you believe you need new aliases to be published.
+
+[**This page**](https://docs.microsoft.com/azure/governance/policy/concepts/definition-structure#aliases) documents the commands for discovering existing aliases.
+
+### General Questions
+
+If you have questions you haven't been able to answer from the [**Azure Policy documentation**](https://docs.microsoft.com/azure/governance/policy), there are a few places that host discussions on Azure Policy:
+
+ - [Microsoft Tech Community](https://techcommunity.microsoft.com/) [**Azure Governance conversation space**](https://techcommunity.microsoft.com/t5/Azure-Governance/bd-p/AzureGovernance)
+ - Join the Monthly Call on Azure Governance (register [here](https://aka.ms/joinazuregovernance))
+ - Search old [**issues in this repo**](https://github.com/Azure/azure-policy/issues)
+ - Search or add to Azure Policy discussions on [**StackOverflow**](https://stackoverflow.com/questions/tagged/azure-policy+or+azure+policy)
 
-To contribute and get started, please visit our [**contribution guide**](./1-contribution-guide/README.md#contribution-guide).
+If your questions are more in-depth or involve information that is not public, open a new [**Azure Customer Support ticket**](https://azure.microsoft.com/support/create-ticket/).
 
-## Requesting Policy Aliases
+### Documentation Corrections
 
-To request a new alias, please open a new issue following the instructions [**here**](./1-contribution-guide/request-alias.md)
+To report issues in the Azure Policy online documentation, look for a feedback area at the bottom of the page. If you don't see a place to enter feedback, you can also directly open a new issue at the [**Microsoft Docs GitHub**](https://github.com/MicrosoftDocs/feedback/issues).
+
+### New built-in Policy Proposals
+
+If you have ideas for new built-in policies you want to suggest to Microsoft, you can submit them to [**Azure Governance User Voice**](https://feedback.azure.com/forums/915958-azure-governance). These suggestions are actively reviewed and prioritized for implementation.
+
+### Other Support for Azure Policy
+
+If you are encountering livesite issues or difficulties in implementing new policies that may be due to problems in Azure Policy itself, open a support ticket at [**Azure Customer Support**](https://azure.microsoft.com/support/create-ticket/). If you want to submit an idea for consideration, add an idea or upvote an existing idea at [**Azure Governance User Voice**](https://feedback.azure.com/forums/915958-azure-governance).
 
 ## Known Issues
 
-Azure Policy operates at a level above other Azure services by applying policy rules against PUT requests and GET responses of resource types going between Azure Resource Manager and the owning resource provider (RP). In a few cases, the behavior of a given RP is unexpected or incompatible in some way with Azure Policy. The Azure Policy team works with the RP teams to close these gaps as soon as possible after they are discovered. Issues of this nature will be listed here until closed. To get something added to this list that isn't already reported in [**Issues**](https://github.com/Azure/azure-policy/issues), open a [**New issue**](https://github.com/Azure/azure-policy/issues/new/choose).
+Azure Policy operates at a level above other Azure services by applying policy rules against PUT requests and GET responses of resource types going between Azure Resource Manager and the owning resource provider (RP). In a few cases, the behavior of a given RP is unexpected or incompatible in some way with Azure Policy. The Azure Policy team works with the RP teams to close these gaps as soon as possible after they are discovered. Issues of this nature will be listed here until closed.
 
-All cases of known resource types with anomalous policy behavior are listed here. Currently there is no way to make these resource types invisible at policy authoring time, so writing policies that attempt to manage these resource types cannot be prevented, despite the fact that the results of such policies will be either incomplete or incorrect.
+All cases of known resource types with anomalous policy behavior are listed here. Currently there is no way to make these resource types invisible at policy authoring time, so writing policies that attempt to manage these resource types cannot be prevented, despite the fact that the results of such policies may be either incomplete or incorrect.
 
 ### Resource Type query results incomplete/missing
 
-In some cases, certain RPs may return incomplete or otherwise limited or missing information about resources of a given type. The Azure Policy engine is unable to determine the compliance of any resources of such a type. Here are the known resource types with this problem.
+In some cases, certain RPs may return incomplete or otherwise limited or missing information about resources of a given type. The Azure Policy engine is unable to determine the compliance of any resources of such a type. Below are listed the known resource types exhibiting this problem.
 
 - Microsoft<span></span>.Web/sites/siteConfig
 - Microsoft<span></span>.Web/sites/config/* (except Microsoft<span></span>.Web/sites/config/web)
 
-Currently, there is no plan to change this behavior. If this scenario is important to you, please open a support ticket with the Web team.
+Currently, there is no plan to change this behavior for the above Microsoft.Web resource types. If this scenario is important to you, please [open a support ticket](https://azure.microsoft.com/support/create-ticket/) with the Web team.
+
+- Microsoft.HDInsights/clusters/computeProfile.roles[*].scriptActions
+- Microsoft.Sql/servers/auditingSettings
+
+The potential for fixing these resource types is still under investigation.
 
 ### Resource Type not correctly published by resource provider
 
 In some cases, a resource provider may implement a resource type, but not correctly publish it to the Azure Resource Manager. The result of this is that Azure Policy is unable to discover the type in order to determine compliance. In some cases, this still allows deny policies to work, but compliance results will usually be incorrect. These resource types exhibit this behavior:
 
-- Microsoft.EventHub/namespaces/networkRuleSet
-- Microsoft.ServiceBus/namespaces/networkRuleSet
 - Microsoft.Storage/storageAccounts/blobServices
 
-In many of these cases the unpublished resource type is actually a subtype of a published type, which causes aliases to refer to a parent type instead of the unpublished type. Evaluation of such policies fails, causing the policy to never apply to any resource. Here are the known resource types with this problem:
+These resource types previously exhibited this behavior, but are now removed:
+
+- Microsoft.EventHub/namespaces/networkRuleSet (replaced by Microsoft.EventHub/namespaces/networkruleset**s**)
+- Microsoft.ServiceBus/namespaces/networkRuleSet (replaced by Microsoft.ServiceBus/namespaces/networkruleset**s**)
+
+In some cases the unpublished resource type is actually a subtype of a published type, which causes aliases to refer to a parent type instead of the unpublished type. Evaluation of such policies fails, causing the policy to never apply to any resource. Here are the known resource types with this problem:
 
-- Microsoft.EventHub/namespaces/networkRuleSets
-- Microsoft.ServiceBus/namespaces/networkRuleSets
 - Microsoft.ApiManagement/service/portalsettings/delegation
-- Microsoft.Sql/servers/databases/backupShortTermRetentionPolicies
 
-All of these are in the process of being addressed with the various resource provider teams. We will update this notice as things change.
+All of the above resource types are in the process of being fixed by the various resource provider teams. We will update this notice as things change.
+
+These resource types previously exhibited this behavior but have been fixed:
+
+- Microsoft.EventHub/namespaces/networkrulesets
+- Microsoft.ServiceBus/namespaces/networkrulesets
+- Microsoft.Sql/servers/databases/backupShortTermRetentionPolicies
 
 ### Resource management that bypasses Azure Resource Manager
 
-Resource providers are free to implement their own resource management operations outside of Azure Resource Manager ("dataplane" operations). In almost every Azure resource type, the distinction between resource management and dataplane operations is clear and the resource provider only implements resource management one way. Occasionally, a resource provider may choose to implement a type that can be managed both ways. In this case, Azure Policy controls the standard Azure Resource Manager API normally, but operations on the direct resource provider API to create, modify and delete resources of that type bypass Azure Resource Manager so they are invisible to Azure Policy. Since policy enforcement is incomplete, we recommend that customers do not implement policies targeting such a resource type. Currently there is one such known resource type:
+Resource providers are free to implement their own resource management operations outside of Azure Resource Manager ("dataplane" operations). In almost every Azure resource type, the distinction between resource management and dataplane operations is clear and the resource provider only implements resource management one way. Occasionally, a resource provider may choose to implement a type that can be managed both ways. In this case, Azure Policy controls the standard Azure Resource Manager API normally, but operations on the direct resource provider API to create, modify and delete resources of that type bypass Azure Resource Manager so they are invisible to Azure Policy. Since policy enforcement is incomplete, we recommend that customers do not implement policies targeting such a resource type. This is the list of known such resource types:
 
 - Microsoft.Storage/storageAccounts/blobServices/containers
 
 The storage team is working on implementing Azure Policy on its dataplane operations to address this scenario. This is expected to first be available later this year.
 
+ - Microsoft.Sql/firewallRules
+
+Firewall rules can be created/deleted/modified via T-SQL commands, which bypasses Azure Policy. There is currently no plan to address this.
+
 ### Nonstandard creation pattern
 
-In a few instances, the creation pattern of a resource type doesn't follow normal REST patterns. In these cases, deny policies may not work or may only work for some properties. For example, certain resource types may PUT only a subset of the properties of the resource type to create the entire resource. With such types the resource could be created with a non-compliant value even though a deny policy exists to prevent it. A similar result may occur if a set of resource types can be created using a collection PUT. Known resource types that exhibit this behavior:
+In a few instances, the creation pattern of a resource type doesn't follow normal REST patterns. In these cases, deny policies may not work or may only work for some properties. For example, certain resource types may PUT only a subset of the properties of the resource type to create the entire resource. With such types the resource could be created with a non-compliant value even though a deny policy exists to prevent it. A similar result may occur if a set of resource types can be created using a collection PUT. Known resource types that exhibit this class of behavior:
 
 - Microsoft.Sql/servers/firewallRules
 
-The SQL team is working with the Azure Resource Manager team on changes that will implement firewall rule creation using a standard PUT method. This is expected to be available later this year.
+There is currently no plan to change this behavior. If this scenario is important to you, please [open a support ticket](https://azure.microsoft.com/support/create-ticket/) with the Azure SQL team.
 
 *This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.*