GR9 | Validation 3 | Logic Shift - Independent Subscription Compliance to Tenant Wide Compliance #369
Labels: enhancement (New feature or request); Iteration #1 (Before V2.0 go-live); V2.0 (Applicable for updating to v2.0)
Azure CaC current version: v2.1.5
Is your feature request related to a problem? Please describe.
The current evaluation gives a compliance status of Compliant, Non-Compliant or Not Applicable per subscription, which is working as expected.
In reality, departments are likely to use one firewall and route each subscription's traffic through that firewall (configured in another subscription). There may be some cases where many tools are used; however, in general there is not likely to be duplication in every single subscription.
Describe the solution you'd like
Phase 1 Improvement...
Each subscription is required to be evaluated; however, in the event that a firewall or an Application Gateway with WAF enabled is found, the status for one validation, called Tools In Use For Limiting Access To Authorized Source IP Addresses (M), will be Compliant.
If there isn't anything present that meets the criteria across the tenant, then the validation will be Non-Compliant.
For MCUP scenarios the profile tag will be used to determine which subscriptions to include and exclude from the check. i.e., it could skip over ones that are Not Applicable.
Describe alternatives you've considered
Another option would be to continue checking each subscription, i.e., with 3 subs in the environment and 1 sub having a firewall, the compliance results for all of them update to the status of the one subscription and refer to that in the comments: "this subscription is compliant due to there being a firewall present in 'subscription name'".
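The tenant-wide decision described under the Phase 1 solution and the per-subscription comment from the alternative above, as an added illustration that is not part of this issue or of the Azure CaC code base. It assumes per-subscription evidence has already been collected (the findings here are constructed, not queried from Azure) and that the MCUP profile tag is a simple tag set on each subscription; the names `SubscriptionFinding`, `tenant_wide_status` and `SAMPLE_TENANT` are hypothetical.

```python
from typing import Dict, Iterable, Optional, Tuple
from dataclasses import dataclass

COMPLIANT = "Compliant"
NON_COMPLIANT = "Non-Compliant"
NOT_APPLICABLE = "Not Applicable"


@dataclass
class SubscriptionFinding:
    """Evidence the existing per-subscription check would gather (constructed, not from Azure)."""
    name: str
    has_firewall: bool = False
    has_waf_app_gateway: bool = False
    profile_tags: frozenset = frozenset()  # hypothetical MCUP profile tags on the subscription


def tenant_wide_status(findings: Iterable[SubscriptionFinding],
                       required_profile: Optional[str] = None) -> Dict[str, Tuple[str, str]]:
    """Return {subscription: (status, comment)} for the validation
    'Tools In Use For Limiting Access To Authorized Source IP Addresses (M)'.
    Every subscription is still evaluated; if any in-scope subscription has a
    firewall or a WAF-enabled Application Gateway the validation is Compliant
    tenant-wide, otherwise Non-Compliant tenant-wide. With a profile tag given,
    subscriptions lacking it are skipped as Not Applicable."""
    findings = list(findings)
    in_scope = [f for f in findings
                if required_profile is None or required_profile in f.profile_tags]
    evidence = sorted(f.name for f in in_scope if f.has_firewall or f.has_waf_app_gateway)
    if evidence:
        status = COMPLIANT
        comment = "Compliant due to a firewall or WAF-enabled Application Gateway present in " + ", ".join(evidence)
    else:
        status = NON_COMPLIANT
        comment = "No firewall or WAF-enabled Application Gateway found in any in-scope subscription"
    in_scope_names = {f.name for f in in_scope}
    return {f.name: (status, comment) if f.name in in_scope_names
            else (NOT_APPLICABLE, f"Skipped: subscription lacks profile tag {required_profile}")
            for f in findings}


# Constructed sample tenant: three subscriptions, one hosts the shared firewall.
SAMPLE_TENANT = [
    SubscriptionFinding("hub-sub", has_firewall=True, profile_tags=frozenset({"profile-2"})),
    SubscriptionFinding("app-sub", profile_tags=frozenset({"profile-2"})),
    SubscriptionFinding("sandbox-sub", profile_tags=frozenset({"profile-1"})),
]

if __name__ == "__main__":
    for sub, (status, comment) in tenant_wide_status(SAMPLE_TENANT, "profile-2").items():
        print(f"{sub}: {status} - {comment}")
```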
Additional context
There are further options for the team to evaluate together. Provide some suggestions.