Azure Documentation

Azure Policy

Define and enforce organizational standards and assess compliance at scale.

Overview

Azure Policy helps you enforce organizational standards and assess compliance at scale. It governs the behavior of Azure resources by evaluating them against rules and applying the configured effects. Azure Policy is a key component in establishing governance in your Azure environment, helping you to manage compliance, security, and cost.

With Azure Policy, you can:

  • Enforce standards: Ensure resources are deployed with specific configurations, such as required tags, regions, or SKUs.
  • Manage compliance: Audit resources for compliance with industry regulations or internal standards.
  • Control costs: Prevent the deployment of expensive resource types or enforce tagging for cost allocation.
  • Enhance security: Ensure that only approved network configurations or encryption settings are used.

Key Concepts

Policies

A policy is a rule that applies to a set of resources. Policies are built from policy definitions. Each policy assignment consists of:

  • Policy definition: The rule itself.
  • Parameters: Variable values supplied at assignment time, so one definition can be reused with different settings.
  • Scope: The resource group, subscription, or management group to which the policy applies.

Initiatives (Policy Sets)

An initiative is a collection of related policies. Initiatives are used to group policies that have a common goal, such as achieving compliance with a specific regulation. By assigning an initiative, you assign all the policies within it.

Policy Definitions

Policy definitions are JSON files that define the rule and the effect to take when the rule is evaluated. They specify:

  • Effect: What to do when the rule is matched (e.g., Deny, Audit, DeployIfNotExists, Append, Modify, AuditIfNotExists).
  • Rule: The conditions under which the effect is triggered, often involving resource properties.

Here's an example of a simple policy definition to deny resources that are not deployed in a specific region:

{
  "mode": "All",
  "policyRule": {
    "if": {
      "not": {
        "field": "location",
        "in": [ "eastus", "westus" ]
      }
    },
    "then": {
      "effect": "Deny"
    }
  }
}
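As an added example (not from the Azure documentation), a small Python evaluator for the if/then shape of a policy rule, so a definition can be checked against sample resource objects before it is assigned. It assumes flat resource dicts keyed by field name and supports only the operators shown here; it is not Azure's evaluation engine. The parameterised definition is constructed: it is the location rule above with the allowed regions moved into a parameter.

```python
import re

# Constructed definition: the page's location rule, parameterised with a default.
DEFINITION = {
    "mode": "All",
    "parameters": {
        "allowedLocations": {"type": "Array", "defaultValue": ["eastus", "westus"]}
    },
    "policyRule": {
        "if": {"not": {"field": "location", "in": "[parameters('allowedLocations')]"}},
        "then": {"effect": "Deny"},
    },
}

# Matches the [parameters('name')] reference syntax used inside policy rules.
_PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def resolve(value, params):
    """Replace a [parameters('name')] reference with the assignment's value."""
    m = _PARAM_REF.match(value) if isinstance(value, str) else None
    return params[m.group(1)] if m else value


def matches(cond, resource, params):
    """Return True when the condition holds for the resource (a flat dict)."""
    if "not" in cond:
        return not matches(cond["not"], resource, params)
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource, params) for c in cond["anyOf"])
    actual = resource.get(cond["field"])
    if "exists" in cond:  # Azure spells the value as the string "true"/"false"
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return actual == resolve(cond["equals"], params)
    if "in" in cond:
        return actual in resolve(cond["in"], params)
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(definition, resource, params=None):
    """Return the effect the rule would apply to the resource, else 'None'."""
    merged = {k: v.get("defaultValue") for k, v in definition.get("parameters", {}).items()}
    merged.update(params or {})  # assignment-time values override defaults
    rule = definition["policyRule"]
    return rule["then"]["effect"] if matches(rule["if"], resource, merged) else "None"
```

Running evaluate over the resources you expect to deploy shows which would be denied or audited before the assignment exists in Azure.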

Assignments

A policy assignment applies a policy definition or an initiative to a specific scope. This is where you configure the parameters and the target resources.

Compliance

Azure Policy evaluates resources against assigned policies and reports their compliance state. You can view compliance status in the Azure portal or via APIs.

Getting Started

You can manage Azure Policy through the Azure portal, Azure CLI, Azure PowerShell, or REST API.

Using the Azure Portal

  1. Navigate to the Azure Policy service.
  2. Under Authoring, select Definitions to view built-in or create custom policy definitions.
  3. Select Initiatives to group definitions or create custom initiatives.
  4. Select Assignments to apply policies or initiatives to your subscriptions, resource groups, or management groups.
  5. Go to Compliance to view the compliance status of your resources.

Using Azure CLI

To list available policy definitions:

az policy definition list --output table

To create a policy assignment:

az policy assignment create --name "MyPolicyAssignment" --display-name "Require approved locations" --policy "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/policyDefinitions/{policyDefinitionId}" --scope "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}"

Note: Replace placeholders like {subscriptionId}, {policyDefinitionId}, and {resourceGroupName} with your actual values.

Use Cases

  • Resource Consistency: Ensure all virtual machines are deployed with managed disks.
  • Tagging Governance: Enforce the presence and values of specific tags (e.g., Environment, CostCenter).
  • Network Security: Prevent the creation of public IP addresses for resources in certain network segments.
  • Cost Management: Restrict the deployment of high-cost SKUs or enforce resource lifecycle management.
  • Regulatory Compliance: Meet compliance requirements for data residency, encryption, or auditing.

Learn More

For detailed information, explore the following Microsoft Learn resources: