Azure · taoyangcloud · May 13, 2026 · May 13, 2026 · May 13, 2026
diff --git a/policyAssignments/dev/pa-d-cog-service.json b/policyAssignments/dev/pa-d-cog-service.json
@@ -51,7 +51,16 @@
         ]
       }
     },
-    "nonComplianceMessages": [],
+    "nonComplianceMessages": [
+      {
+        "policyDefinitionReferenceId": "COG-006",
+        "message": "PolicyID: COG-006 Violation in polset-cognitive-service Initiative - 'Only approved OpenAI models are allowed to be deployed in Cognitive Services'"
+      },
+      {
+        "policyDefinitionReferenceId": "COG-007",
+        "message": "PolicyID: COG-007 Violation in polset-cognitive-service Initiative - 'Only approved xAI models are allowed to be deployed in Cognitive Services'"
+      }
+    ],
     "roleDefinitionIds": [
       "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
     ]

diff --git a/policyAssignments/dev/pa-d-pedns.json b/policyAssignments/dev/pa-d-pedns.json
@@ -71,7 +71,76 @@
     "roleDefinitionIds": [
       "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
     ],
-    "nonComplianceMessages": []
+    "nonComplianceMessages": [
+      {
+        "policyDefinitionReferenceId": "PEDNS-001",
+        "message": "PolicyID: PEDNS-001 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Azure Backup Private Endpoint must be configured'"
+      },
+      {
+        "policyDefinitionReferenceId": "PEDNS-002",
+        "message": "PolicyID: PEDNS-002 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Azure Storage blob Private Endpoint must be configured'"
+      },
+      {
+        "policyDefinitionReferenceId": "PEDNS-003",
+        "message": "PolicyID: PEDNS-003 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Azure Storage file Private Endpoint must be configured'"
+      },
+      {
+        "policyDefinitionReferenceId": "PEDNS-004",
+        "message": "PolicyID: PEDNS-004 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Azure Storage dfs Private Endpoint must be configured'"
+      },
+      {
+        "policyDefinitionReferenceId": "PEDNS-005",
+        "message": "PolicyID: PEDNS-005 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Azure Key Vault Private Endpoint must be configured'"
+      },
+      {
+        "policyDefinitionReferenceId": "PEDNS-006",
+        "message": "PolicyID: PEDNS-006 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Azure App Service Private Endpoint must be configured'"
+      },
+      {
+        "policyDefinitionReferenceId": "PEDNS-007",
+        "message": "PolicyID: PEDNS-007 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Event Hub Namespace Private Endpoint must be configured'"
+      },
+      {
+        "policyDefinitionReferenceId": "PEDNS-008",
+        "message": "PolicyID: PEDNS-008 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Azure Databricks Browser Auth Private Endpoint must be configured'"
+      },
+      {
+        "policyDefinitionReferenceId": "PEDNS-009",
+        "message": "PolicyID: PEDNS-009 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Azure Databricks UI API Private Endpoint must be configured'"
+      },
+      {
+        "policyDefinitionReferenceId": "PEDNS-010",
+        "message": "PolicyID: PEDNS-010 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Azure Data Explorer Private Endpoint must be configured'"
+      },
+      {
+        "policyDefinitionReferenceId": "PEDNS-011",
+        "message": "PolicyID: PEDNS-011 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Azure Monitor Private Link Scope Private Endpoint must be configured'"
+      },
+      {
+        "policyDefinitionReferenceId": "PEDNS-012",
+        "message": "PolicyID: PEDNS-012 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Azure Container Registry Private Endpoint must be configured'"
+      },
+      {
+        "policyDefinitionReferenceId": "PEDNS-013",
+        "message": "PolicyID: PEDNS-013 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Health Data Services Private Endpoint must be configured'"
+      },
+      {
+        "policyDefinitionReferenceId": "PEDNS-014",
+        "message": "PolicyID: PEDNS-014 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Container App Managed Environment Private Endpoint must be configured'"
+      },
+      {
+        "policyDefinitionReferenceId": "PEDNS-015",
+        "message": "PolicyID: PEDNS-015 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for App Services slots Private Endpoint must be configured'"
+      },
+      {
+        "policyDefinitionReferenceId": "PEDNS-016",
+        "message": "PolicyID: PEDNS-016 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Cognitive Service Accounts Private Endpoint must be configured'"
+      },
+      {
+        "policyDefinitionReferenceId": "PEDNS-017",
+        "message": "PolicyID: PEDNS-017 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Cosmos DB SQL Private Endpoint must be configured'"
+      }
+    ]
   },
   "definitionSourceManagementGroupId": "/providers/Microsoft.Management/managementGroups/CONTOSO-DEV",
   "managementGroupId": "CONTOSO-DEV"

diff --git a/policyAssignments/prod/pa-p-cog-service.json b/policyAssignments/prod/pa-p-cog-service.json
@@ -51,7 +51,16 @@
         ]
       }
     },
-    "nonComplianceMessages": [],
+    "nonComplianceMessages": [
+      {
+        "policyDefinitionReferenceId": "COG-006",
+        "message": "PolicyID: COG-006 Violation in polset-cognitive-service Initiative - 'Only approved OpenAI models are allowed to be deployed in Cognitive Services'"
+      },
+      {
+        "policyDefinitionReferenceId": "COG-007",
+        "message": "PolicyID: COG-007 Violation in polset-cognitive-service Initiative - 'Only approved xAI models are allowed to be deployed in Cognitive Services'"
+      }
+    ],
     "roleDefinitionIds": [
       "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
     ]

diff --git a/policyAssignments/prod/pa-p-pedns.json b/policyAssignments/prod/pa-p-pedns.json
@@ -71,7 +71,76 @@
     "roleDefinitionIds": [
       "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
     ],
-    "nonComplianceMessages": []
+    "nonComplianceMessages": [
+      {
+        "policyDefinitionReferenceId": "PEDNS-001",
+        "message": "PolicyID: PEDNS-001 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Azure Backup Private Endpoint must be configured'"
+      },
+      {
+        "policyDefinitionReferenceId": "PEDNS-002",
+        "message": "PolicyID: PEDNS-002 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Azure Storage blob Private Endpoint must be configured'"
+      },
+      {
+        "policyDefinitionReferenceId": "PEDNS-003",
+        "message": "PolicyID: PEDNS-003 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Azure Storage file Private Endpoint must be configured'"
+      },
+      {
+        "policyDefinitionReferenceId": "PEDNS-004",
+        "message": "PolicyID: PEDNS-004 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Azure Storage dfs Private Endpoint must be configured'"
+      },
+      {
+        "policyDefinitionReferenceId": "PEDNS-005",
+        "message": "PolicyID: PEDNS-005 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Azure Key Vault Private Endpoint must be configured'"
+      },
+      {
+        "policyDefinitionReferenceId": "PEDNS-006",
+        "message": "PolicyID: PEDNS-006 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Azure App Service Private Endpoint must be configured'"
+      },
+      {
+        "policyDefinitionReferenceId": "PEDNS-007",
+        "message": "PolicyID: PEDNS-007 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Event Hub Namespace Private Endpoint must be configured'"
+      },
+      {
+        "policyDefinitionReferenceId": "PEDNS-008",
+        "message": "PolicyID: PEDNS-008 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Azure Databricks Browser Auth Private Endpoint must be configured'"
+      },
+      {
+        "policyDefinitionReferenceId": "PEDNS-009",
+        "message": "PolicyID: PEDNS-009 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Azure Databricks UI API Private Endpoint must be configured'"
+      },
+      {
+        "policyDefinitionReferenceId": "PEDNS-010",
+        "message": "PolicyID: PEDNS-010 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Azure Data Explorer Private Endpoint must be configured'"
+      },
+      {
+        "policyDefinitionReferenceId": "PEDNS-011",
+        "message": "PolicyID: PEDNS-011 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Azure Monitor Private Link Scope Private Endpoint must be configured'"
+      },
+      {
+        "policyDefinitionReferenceId": "PEDNS-012",
+        "message": "PolicyID: PEDNS-012 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Azure Container Registry Private Endpoint must be configured'"
+      },
+      {
+        "policyDefinitionReferenceId": "PEDNS-013",
+        "message": "PolicyID: PEDNS-013 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Health Data Services Private Endpoint must be configured'"
+      },
+      {
+        "policyDefinitionReferenceId": "PEDNS-014",
+        "message": "PolicyID: PEDNS-014 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Container App Managed Environment Private Endpoint must be configured'"
+      },
+      {
+        "policyDefinitionReferenceId": "PEDNS-015",
+        "message": "PolicyID: PEDNS-015 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for App Services slots Private Endpoint must be configured'"
+      },
+      {
+        "policyDefinitionReferenceId": "PEDNS-016",
+        "message": "PolicyID: PEDNS-016 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Cognitive Service Accounts Private Endpoint must be configured'"
+      },
+      {
+        "policyDefinitionReferenceId": "PEDNS-017",
+        "message": "PolicyID: PEDNS-017 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Cosmos DB SQL Private Endpoint must be configured'"
+      }
+    ]
   },
   "definitionSourceManagementGroupId": "/providers/Microsoft.Management/managementGroups/CONTOSO",
   "managementGroupId": "CONTOSO"

diff --git a/scripts/pipelines/helper/resource-removal-helper.ps1 b/scripts/pipelines/helper/resource-removal-helper.ps1
@@ -691,6 +691,58 @@ function invokeResourceRemoval {
       }
       break
     }
+    'Microsoft.Network/networkSecurityGroups' {
+      $subscriptionId = $ResourceId.Split('/')[2]
+      $networkSecurityGroup = Get-AzResource -ResourceId $ResourceId
+      $networkWatcherName = "NetworkWatcher_$($networkSecurityGroup.Location)"
+      $networkWatcherResourceGroupName = "NetworkWatcherRG"
+      $flowLogName = $networkSecurityGroup.Name + '-flowlog'
+
+      $flowLogResourceId = '/subscriptions/{0}/resourceGroups/{1}/providers/Microsoft.Network/networkWatchers/{2}/flowLogs/{3}' -f `
+        $subscriptionId, `
+        $networkWatcherResourceGroupName, `
+        $networkWatcherName, `
+        $flowLogName
+
+      # Remove Flow Log associated with NSG
+      if ($PSCmdlet.ShouldProcess("Resource with ID [$flowLogResourceId]", 'Remove')) {
+        Write-Verbose ('[-] Removing resource [{0}] of type [Microsoft.Network/networkWatchers/flowLogs]' -f $flowLogName) -Verbose
+        $null = Remove-AzResource -ResourceId $flowLogResourceId -Force -ErrorAction 'Stop'
+      }
+
+      # Actual removal
+      # --------------
+      if ($PSCmdlet.ShouldProcess("Resource with ID [$ResourceId]", 'Remove')) {
+        $null = Remove-AzResource -ResourceId $ResourceId -Force -ErrorAction 'Stop'
+      }
+      break
+    }
+    'Microsoft.Network/virtualNetworks' {
+      $subscriptionId = $ResourceId.Split('/')[2]
+      $vnet = Get-AzResource -ResourceId $ResourceId
+      $networkWatcherName = "NetworkWatcher_$($vnet.Location)"
+      $networkWatcherResourceGroupName = "NetworkWatcherRG"
+      $flowLogName = $vnet.Name + '-flowlog'
+
+      $flowLogResourceId = '/subscriptions/{0}/resourceGroups/{1}/providers/Microsoft.Network/networkWatchers/{2}/flowLogs/{3}' -f `
+        $subscriptionId, `
+        $networkWatcherResourceGroupName, `
+        $networkWatcherName, `
+        $flowLogName
+
+      # Remove Flow Log associated with VNet
+      if ($PSCmdlet.ShouldProcess("Resource with ID [$flowLogResourceId]", 'Remove')) {
+        Write-Verbose ('[-] Removing resource [{0}] of type [Microsoft.Network/networkWatchers/flowLogs]' -f $flowLogName) -Verbose
+        $null = Remove-AzResource -ResourceId $flowLogResourceId -Force -ErrorAction 'Stop'
+      }
+
+      # Actual removal
+      # --------------
+      if ($PSCmdlet.ShouldProcess("Resource with ID [$ResourceId]", 'Remove')) {
+        $null = Remove-AzResource -ResourceId $ResourceId -Force -ErrorAction 'Stop'
+      }
+      break
+    }
     ### CODE LOCATION: Add custom removal action here
     Default {
       if ($PSCmdlet.ShouldProcess("Resource with ID [$ResourceId]", 'Remove')) {