Azure Policy
What is Azure Policy?
Azure Policy is a service that helps you enforce organizational standards and assess compliance at scale. It lets you ensure that the Azure resources you deploy conform to your company's requirements and that your organization's governance standards for Azure resources are implemented and adhered to.
With Azure Policy, you can:
- Enforce rules: Define rules that resources must follow.
- Audit compliance: Assess the compliance state of your resources against these rules.
- Remediate non-compliance: Automatically correct non-compliant resources.
- Govern deployments: Control resource deployments and configurations.
Key Concepts
Understanding the core components of Azure Policy is crucial for effective governance:
- Policy Definition: A rule or set of rules that defines what constitutes a compliant or non-compliant resource.
- Policy Assignment: The act of applying a policy definition to a specific scope (e.g., subscription, resource group).
- Policy Initiative (Set): A collection of related policy definitions grouped together to achieve a broader governance objective.
- Effect: The action to take when a policy rule is matched (e.g., Deny, Audit, Append, Modify, DeployIfNotExists).
- Resource Provider: The service responsible for managing Azure resources (e.g., Microsoft.Compute, Microsoft.Storage).
How Azure Policy Works
Azure Policy evaluates resources by comparing resource properties to the conditions defined in a policy rule. When a resource is created or updated, or when a policy assignment is made, Azure Policy evaluates the resource. If a resource violates a policy rule, the configured effect is enforced.
Common Effects:
- Deny: Prevents a resource from being created or updated if it doesn't comply with the policy.
- Audit: Logs a warning event when a resource doesn't comply with the policy, but allows the resource to be created or updated.
- Append: Adds new fields to a resource during creation or update, but doesn't prevent the operation.
- Modify: Updates fields in a resource during creation or update.
- DeployIfNotExists: Ensures that a related resource exists and is configured correctly, deploying it if necessary.
- AuditIfNotExists: Audits for the existence of related resources and logs a warning if they don't exist.
Example Policy Definition (JSON):
This example policy audits virtual machines that do not have the "monitoring" tag assigned.
{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Compute/virtualMachines"
        },
        {
          "field": "tags.monitoring",
          "exists": "false"
        }
      ]
    },
    "then": {
      "effect": "audit"
    }
  },
  "parameters": {}
}
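To make the evaluation flow from "How Azure Policy Works" concrete, here is an added example (not part of the page or of Azure) that applies the definition above to a few constructed resources: it resolves the field aliases, evaluates the allOf / equals / exists conditions (a small subset of the real policy language), reports which resources are non-compliant, and shows why an audit effect only records a warning while a deny effect would block the create or update request.

```python
# Constructed copy of the page's policy definition (the same rule as above).
POLICY = {
    "mode": "Indexed",
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
            {"field": "tags.monitoring", "exists": "false"},
        ]},
        "then": {"effect": "audit"},
    },
    "parameters": {},
}

# Constructed sample resources, not real Azure resources.
RESOURCES = [
    {"name": "vm-prod-1", "type": "Microsoft.Compute/virtualMachines",
     "tags": {"env": "prod"}},
    {"name": "vm-prod-2", "type": "Microsoft.Compute/virtualMachines",
     "tags": {"monitoring": "enabled"}},
    {"name": "stprod01", "type": "Microsoft.Storage/storageAccounts", "tags": {}},
]

def field_value(resource, field):
    """Resolve a policy 'field': a top-level property or tags.<name>."""
    if field.lower().startswith("tags."):
        return (resource.get("tags") or {}).get(field[5:])
    return resource.get(field)

def condition_matches(cond, resource):
    """Evaluate one 'if' node: allOf, or a single field condition."""
    if "allOf" in cond:
        return all(condition_matches(c, resource) for c in cond["allOf"])
    value = field_value(resource, cond["field"])
    if "exists" in cond:  # Azure accepts "true"/"false" strings or booleans
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:  # string comparison is case-insensitive in Azure Policy
        return str(value).lower() == str(cond["equals"]).lower()
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(policy, resource):
    """Return (matched, effect): matched means the resource is non-compliant."""
    rule = policy["policyRule"]
    if condition_matches(rule["if"], resource):
        return True, rule["then"]["effect"].lower()
    return False, None

def request_allowed(policy, resource):
    """Simulate the create/update gate: only a matched 'deny' blocks the request."""
    matched, effect = evaluate(policy, resource)
    return not (matched and effect == "deny")
```

With this rule, vm-prod-1 is reported non-compliant but its deployment still succeeds; swapping the effect to Deny is what turns the same rule into a preventive control.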
Getting Started with Azure Policy
You can manage Azure Policy through the Azure portal, Azure CLI, Azure PowerShell, or REST API.
Using the Azure Portal:
- Navigate to the Azure portal and search for "Policy".
- Under "Authoring", select "Definitions" to view built-in policies or create custom ones.
- Under "Authoring", select "Assignments" to apply policies to subscriptions or resource groups.
- Under "Compliance", review your compliance dashboard.
Key Scenarios:
- Resource Consistency: Enforce the use of specific VM sizes, locations, or allowed resource types.
- Security Compliance: Ensure that network security groups are configured appropriately or that encryption is enabled.
- Cost Management: Prevent the deployment of expensive resources in non-production environments.
- Tagging: Mandate specific tags for resource organization and cost allocation.