Privatelink.blob.core.windows.net disallowed by policy, can't upgrade/deploy .7

[lundejd]

We have a policy against new private link DNS zones being created, so .7 is failing to deploy.

I can see it's trying to deploy new networking components - guessing this required now for dataexplorer. Seems like it wants to create them even if I don't give a name for the data explorer (which I assume would mean it would only deploy the storage components like .6 did) I wasn't going to mess with the data explorer yet and only wanted to upgrade my hub with the components that exist.

I reviewed with my team to get an exception but the names used are not to our standard. Is there a way to add a prefix option to things like privatelink.blob.core.windows.net so it's not so generic? Looks like it wants to create about 6 private dns zones, all with generic names. We have very strict naming standards so they will likely grant one if this can be modified.

[variables('hubDataExplorerName')].blob.core.windows.net for example would be better. There are 11 instances privatelink.blob and 5 of the others in the template, if I do a search and replace of those names would it break things?

Just FYI my error when I try deploy is this:

Resource 'privatelink.blob.core.windows.net' was disallowed by policy. Reasons: 'CompanyX Security - You may not create new Private Link DNS Zones. Azure Policy will pick up the new Private Link and set it to the CompanyX Private DNS Zone within the hour.'. See error details for policy resource IDs. (Code: RequestDisallowedByPolicy, Target: privatelink.blob.core.windows.net)

[flanakin]

Private endpoints is not required for Data Explorer. We just added both in the same timeframe.

Does this customer require private endpoints, but they just don't allow us creating them? Or they don't want the use of private endpoints at all? If the latter, 0.8 will not require a vnet for public access, which may help. If they don't allow others creating them, then we may need to have them pre-created.

/cc @MSBrett