Microsoft Azure Policies

Manage and govern your Azure resources effectively.

What are Azure Policies?

Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce rules and effects over your resources so that those resources stay compliant with your corporate standards and service level agreements. Azure Policy has no bearing on resource performance; it is a logical governance tool that helps you enforce standards and assess compliance at scale.

It enables you to implement and enforce standards across your Azure resources, ensuring compliance, security, and cost management.

Key Features and Benefits

Enforce Standards

Define and apply rules for resource creation and configuration to ensure consistency and compliance with organizational requirements.

Compliance Reporting

Assess the compliance state of your Azure resources against defined policies, providing detailed insights and audit trails.

Resource Consistency

Ensure that all resources adhere to specific configurations, such as required tags, allowed locations, or permitted VM sizes.

Security Enhancement

Implement policies to enforce security best practices, like requiring encryption for storage accounts or restricting public network access.

Cost Management

Use policies to control costs by restricting the deployment of expensive resource types or enforcing resource lifecycle management.

Remediation Tasks

Automate the remediation of non-compliant resources, bringing them back into compliance without manual intervention.

How Azure Policies Work

Azure Policy works by evaluating resources against a defined policy. When a resource is created or updated, Azure Policy checks if the resource complies with the assigned policies. If a resource is found to be non-compliant, Policy can take various actions, such as:

  • Deny: Prevent the creation or modification of a non-compliant resource.
  • Audit: Log the non-compliant resource for auditing purposes without preventing the action.
  • Append: Add a field to the resource, such as adding a required tag.
  • Modify: Update fields on the resource to comply with the policy.
  • DeployIfNotExists: Deploy a related resource that the policy requires (for example a supporting configuration) when it is not already present.

Policies can be grouped into Initiatives (also known as policy sets), which are collections of related policies designed to achieve a specific overarching governance goal and are assigned as a single unit.

Getting Started with Azure Policies

Begin your journey with Azure Policies by exploring the built-in policies or creating your own custom policies. Use the Azure portal, Azure CLI, or Azure PowerShell to manage your policies.

  # Example: assigning a built-in policy to require a specific tag and value
  az policy assignment create \
    --name "Require tag on resource group" \
    --display-name "Require Environment tag" \
    --policy "7050f2e6-76c9-48c7-b901-436509323027" \
    --scope "/subscriptions/YOUR_SUBSCRIPTION_ID/resourceGroups/YOUR_RESOURCE_GROUP" \
    --params '{"tagName": {"value": "Environment"}, "tagValue": {"value": "Production"}}'
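The evaluation described under "How Azure Policies Work" (a rule's if block is matched against the resource and, on a match, the then effect applies) and the parameterised tag assignment above can be followed end to end in the script below. It is an added example, not code from this page or from Microsoft: a small stand-in for the Azure Policy engine that reads definitions written in the real policy JSON shape (policyRule with if/then, allOf/anyOf/not, field, equals/notEquals/in, and [parameters()]/[concat()] expressions) and returns the effect a resource would trigger. The two definitions and the two storage-account resources are constructed, the alias handling is a simplifying assumption (a property alias is mapped to the last segment of its path under the resource's properties), and the built-in policy ID from the CLI command is not used.

```python
"""Toy evaluator for Azure Policy rule JSON (constructed example, not Azure's engine)."""
import re

# Constructed custom definition in the Azure Policy JSON shape: deny any
# storage account whose publicNetworkAccess is not "Disabled".
DENY_PUBLIC_STORAGE = {"properties": {
    "displayName": "Storage accounts must disable public network access",
    "mode": "Indexed",
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": "Microsoft.Storage/storageAccounts/publicNetworkAccess",
             "notEquals": "Disabled"},
        ]},
        "then": {"effect": "deny"},
    },
}}

# Constructed parameterised definition mirroring the tagName/tagValue parameters of
# the CLI assignment: audit resources whose tag does not carry the required value.
REQUIRE_TAG = {"properties": {
    "displayName": "Require a tag and its value",
    "mode": "Indexed",
    "parameters": {"tagName": {"type": "String"}, "tagValue": {"type": "String"}},
    "policyRule": {
        "if": {"field": "[concat('tags[', parameters('tagName'), ']')]",
               "notEquals": "[parameters('tagValue')]"},
        "then": {"effect": "audit"},
    },
}}

def resolve_expr(value, params):
    """Resolve the expression subset used here: [parameters('x')] and
    [concat(...)] over string literals and parameters() calls."""
    if not (isinstance(value, str) and value.startswith("[") and value.endswith("]")):
        return value
    inner = value[1:-1]
    if m := re.fullmatch(r"parameters\('([^']+)'\)", inner):
        return params[m.group(1)]
    if m := re.fullmatch(r"concat\((.*)\)", inner):
        args = re.findall(r"'[^']*'|parameters\('[^']+'\)", m.group(1))
        return "".join(a.strip("'") if a.startswith("'") else params[a[12:-2]] for a in args)
    raise ValueError(f"unsupported expression: {value}")

def field_value(resource, field):
    """Look up a policy 'field' on a resource dict. Simplifying assumption: a property
    alias such as Microsoft.Storage/storageAccounts/publicNetworkAccess resolves
    to its last path segment under the resource's 'properties'."""
    if tag := re.fullmatch(r"tags\[(?:'([^']+)'|([^\]]+))\]", field):
        return resource.get("tags", {}).get(tag.group(1) or tag.group(2))
    if "/" in field:
        return resource.get("properties", {}).get(field.rsplit("/", 1)[1])
    return resource.get(field)

def evaluate_condition(cond, resource, params):
    """Evaluate allOf/anyOf/not and the field operators equals, notEquals and in."""
    if "allOf" in cond:
        return all(evaluate_condition(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource, params)
    actual = field_value(resource, resolve_expr(cond["field"], params))
    if "equals" in cond:
        return actual == resolve_expr(cond["equals"], params)
    if "notEquals" in cond:
        return actual != resolve_expr(cond["notEquals"], params)
    if "in" in cond:
        return actual in resolve_expr(cond["in"], params)
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(definition, resource, params=None):
    """Return the effect the rule would apply to this resource ('deny', 'audit', ...)
    or 'compliant' when the 'if' block does not match."""
    rule = definition["properties"]["policyRule"]
    if evaluate_condition(rule["if"], resource, params or {}):
        return rule["then"]["effect"]
    return "compliant"

def evaluate_initiative(initiative, resource):
    """An initiative is a list of (definition, parameter values); report each result."""
    return {d["properties"]["displayName"]: evaluate(d, resource, p) for d, p in initiative}

# Constructed resources as they would be handed to the engine at create/update time.
PUBLIC_STORAGE = {"type": "Microsoft.Storage/storageAccounts", "location": "eastus",
                  "tags": {"Environment": "Dev"}, "properties": {"publicNetworkAccess": "Enabled"}}
PRIVATE_STORAGE = {"type": "Microsoft.Storage/storageAccounts", "location": "eastus",
                   "tags": {"Environment": "Production"}, "properties": {"publicNetworkAccess": "Disabled"}}
TAG_PARAMS = {"tagName": "Environment", "tagValue": "Production"}
INITIATIVE = [(DENY_PUBLIC_STORAGE, {}), (REQUIRE_TAG, TAG_PARAMS)]

if __name__ == "__main__":
    for label, res in (("public", PUBLIC_STORAGE), ("private", PRIVATE_STORAGE)):
        print(label, evaluate_initiative(INITIATIVE, res))
```

For the public, Dev-tagged account the initiative reports "deny" from the first definition and "audit" from the second; in Azure the deny effect would reject the create or update request outright, while audit would let it through and record the resource as non-compliant in the compliance report. The private, Production-tagged account is compliant with both, and a resource of another type never matches the storage rule because its allOf fails on the type check.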