Azure Policy Assignment
Policy assignments bind a policy definition to a specific scope (subscription, resource group, or resource). Once assigned, Azure evaluates resources under that scope and enforces compliance.
Key Concepts
| Term | Description |
|---|---|
| Scope | The level at which the policy is evaluated – subscription, resource group or resource. |
| Parameters | Values you can customize per assignment (e.g., allowed locations). |
| Non‑Compliance Message | Custom text shown when a resource violates the policy. |
| Identity | Managed identity attached to the assignment; required when the policy's effect is deployIfNotExists or modify, because remediation tasks act on resources with that identity's permissions. |
JSON Example

```json
{
  "properties": {
    "displayName": "Require tags on resource groups",
    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/RequireTag",
    "scope": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/MyRG",
    "parameters": {
      "tagName": {
        "value": "environment"
      },
      "tagValue": {
        "value": "production"
      }
    },
    "description": "Ensures every resource group has the environment tag set to production.",
    "enforcementMode": "Default"
  }
}
```
Azure PowerShell

```powershell
# Connect to Azure
Connect-AzAccount

# Look up the policy definition by its resource ID; New-AzPolicyAssignment
# takes the definition object, not the ID string
$definition = Get-AzPolicyDefinition -Id "/providers/Microsoft.Authorization/policyDefinitions/RequireTag"

# Assign the policy; parameter values are passed as a hashtable keyed by parameter name
New-AzPolicyAssignment `
  -Name "RequireEnvTagRG" `
  -Scope "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/MyRG" `
  -PolicyDefinition $definition `
  -PolicyParameterObject @{ tagName = "environment"; tagValue = "production" }
```
Azure CLI

```bash
az login

# Single quotes keep the JSON intact; no backslash escaping is needed inside them
az policy assignment create \
  --name "RequireEnvTagRG" \
  --scope "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/MyRG" \
  --policy "/providers/Microsoft.Authorization/policyDefinitions/RequireTag" \
  --params '{"tagName":{"value":"environment"},"tagValue":{"value":"production"}}'
```
REST API

```http
PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Authorization/policyAssignments/{assignmentName}?api-version=2022-06-01
```

```json
{
  "properties": {
    "displayName": "Require tags on resource groups",
    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/RequireTag",
    "parameters": {
      "tagName": {"value": "environment"},
      "tagValue": {"value": "production"}
    },
    "description": "Ensures each resource group contains the required tag."
  }
}
```
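As an added example (not code from the original page or from Azure's own SDK), the following Python builds the same PUT request shown above, wrapping each parameter as `{"value": ...}` the way the REST API requires, and flags assignments whose `enforcementMode` is `DoNotEnforce`, which evaluate compliance but never block a deployment. The subscription GUID, the `RequireTag` definition ID and the sample listing are placeholders constructed for the example.

```python
import re

API_VERSION = "2022-06-01"
ARM = "https://management.azure.com"
# Placeholder definition ID taken from the page; not a real built-in policy.
DEFINITION_ID = "/providers/Microsoft.Authorization/policyDefinitions/RequireTag"
_GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def build_assignment(subscription_id, resource_group, name, parameters,
                     definition_id=DEFINITION_ID, enforcement_mode="Default",
                     message=None):
    """Return (url, body) for a PUT on Microsoft.Authorization/policyAssignments.

    Plain parameter values are wrapped as {"value": ...}, the shape the REST
    API requires; unwrapped values are a common cause of HTTP 400 responses.
    """
    if not _GUID.match(subscription_id):
        raise ValueError("subscription_id must be a GUID")
    if enforcement_mode not in ("Default", "DoNotEnforce"):
        raise ValueError("enforcementMode must be Default or DoNotEnforce")
    if not 1 <= len(name) <= 64:
        raise ValueError("assignment name must be 1-64 characters at RG scope")
    scope = f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
    url = (f"{ARM}{scope}/providers/Microsoft.Authorization/policyAssignments/"
           f"{name}?api-version={API_VERSION}")
    props = {
        "policyDefinitionId": definition_id,
        "parameters": {k: {"value": v} for k, v in parameters.items()},
        "enforcementMode": enforcement_mode,
    }
    if message:  # shown to the deployer when a resource violates the policy
        props["nonComplianceMessages"] = [{"message": message}]
    return url, {"properties": props}


def audit_only_assignments(assignments):
    """Names of assignments that report but never deny (DoNotEnforce)."""
    return sorted(a["name"] for a in assignments
                  if a.get("properties", {}).get("enforcementMode") == "DoNotEnforce")


# Constructed sample resembling the items of a `GET .../policyAssignments` response.
SAMPLE_LISTING = [
    {"name": "RequireEnvTagRG", "properties": {"enforcementMode": "Default"}},
    {"name": "AllowedLocations", "properties": {"enforcementMode": "DoNotEnforce"}},
]
```

Send the returned body with `PUT` and a bearer token for Azure Resource Manager; run `audit_only_assignments` over a real listing to find assignments that look enforced but are only auditing.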
Common Scenarios
- Enforce tag policies across all subscriptions.
- Require specific VM sizes in a resource group.
- Block creation of public IPs in certain regions.
- Automatically remediate non‑compliant resources using Azure Functions.