{ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "targetMG": { "type": "string", "metadata": { "description": "Target Management Group" } }, "allowedLocations": { "type": "array", "defaultValue": [ "westeurope", "northeurope" ], "metadata": { "description": "An array of the allowed locations; all other locations will be denied by the created policy." } } }, "variables": { "mgScope": "[tenantResourceId('Microsoft.Management/managementGroups', parameters('targetMG'))]", "policyDefinition": "LocationRestriction" }, "resources": [ { "type": "Microsoft.Authorization/policyDefinitions", "name": "[variables('policyDefinition')]", "apiVersion": "2019-09-01", "properties": { "policyType": "Custom", "mode": "All", "parameters": { }, "policyRule": { "if": { "not": { "field": "location", "in": "[parameters('allowedLocations')]" } }, "then": { "effect": "deny" } } } }, { "type": "Microsoft.Authorization/policyAssignments", "name": "location-lock", "apiVersion": "2019-09-01", "dependsOn": [ "[variables('policyDefinition')]" ], "properties": { "scope": "[variables('mgScope')]", "policyDefinitionId": "[extensionResourceId(variables('mgScope'), 'Microsoft.Authorization/policyDefinitions', variables('policyDefinition'))]" } } ] }