According to https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies then "Deploy Microsoft Defender for Cloud configuration" should be deployed to Intermediate Root Group and "Deploy Azure Policy Add-on to Azure Kubernetes Service clusters" to Landing Zones MG.

However, Deploy Azure Policy Add-on to Azure Kubernetes Service clusters is already part of Deploy Microsoft Defender for Cloud configuration so it doesn't make sense to have a single policy assignment on a lower scope for "Deploy Azure Policy Add-on to Azure Kubernetes Service clusters".

Hi @vegazbabz, thanks again for submitting this. We added an item to our backlog to address this #ab34447, that we'll only get round to during the next policy refresh cycle.

Feel free to submit contributions to this repo, to speed up the process.

This has been resolved and merged #1710. Will become public as part of the next Policy Refresh. Closing as no further action required.