Introduction
Azure Policy helps you enforce organizational standards and assess compliance at scale. This guide provides proven best‑practice patterns for building, deploying, and maintaining policies across your Azure environment.
Design Principles
- Start with a baseline: Define a minimal set of policies that address regulatory and security requirements.
- Use initiative definitions: Group related policies into initiatives for easier management.
- Leverage built‑in policies: Prefer built‑in policies when they meet your needs; they receive automatic updates.
- Scope strategically: Apply policies at the appropriate management group, subscription, or resource group level.
- Prefer deny over audit: use the deny effect when non‑compliant resources must be blocked. Roll a new rule out as audit first so you can measure what it would have blocked, then switch the effect to deny. Deny only stops new deployments and updates; it does not remove resources that already exist, which is why the audit pass matters.
Parameterized Effect Example
Expose the effect as a parameter with allowedValues so the same definition can be assigned as Audit in one scope and Deny in another, with Deny as the default. The rule below deliberately matches every storage account so the pattern stays short; a real definition adds the condition it enforces.

```json
{
  "parameters": {
    "effect": {
      "type": "String",
      "allowedValues": ["Audit", "Deny", "Disabled"],
      "defaultValue": "Deny"
    }
  },
  "policyRule": {
    "if": {
      "field": "type",
      "equals": "Microsoft.Storage/storageAccounts"
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  }
}
```
Deployment Strategies
Automate policy deployment using Azure CLI, PowerShell, or ARM templates.
Azure CLI Example
```bash
# Keep the rule and parameter JSON in files: the single quotes inside
# [parameters('allowedLocations')] would otherwise terminate a single-quoted
# shell argument. az accepts a file path for both --rules and --params.
cat > rules.json <<'EOF'
{
  "if": {
    "field": "location",
    "notIn": "[parameters('allowedLocations')]"
  },
  "then": {
    "effect": "deny"
  }
}
EOF
cat > params.json <<'EOF'
{
  "allowedLocations": {
    "type": "Array",
    "metadata": {
      "description": "The list of allowed Azure locations.",
      "displayName": "Allowed locations"
    }
  }
}
EOF
az policy definition create \
  --name "allowed-locations" \
  --display-name "Allowed Locations" \
  --description "Restricts resource locations to approved list." \
  --rules rules.json \
  --params params.json \
  --mode All
```
ARM Template Snippet
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Authorization/policyDefinitions",
      "apiVersion": "2021-06-01",
      "name": "allowed-locations",
      "properties": {
        "displayName": "Allowed Locations",
        "policyType": "Custom",
        "mode": "All",
        "description": "Restricts resource locations to approved list.",
        "parameters": {
          "allowedLocations": {
            "type": "Array",
            "metadata": {
              "description": "The list of allowed Azure locations.",
              "displayName": "Allowed locations"
            }
          }
        },
        "policyRule": {
          "if": {
            "field": "location",
            "notIn": "[parameters('allowedLocations')]"
          },
          "then": {
            "effect": "deny"
          }
        }
      }
    }
  ]
}
```
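Both definitions shown in this guide (the parameterized storage-account effect and the allowed-locations rule) can be unit-tested before they are assigned with a deny effect. The following is an added example, not code from this guide or from Azure: a small Python evaluator for a subset of the policy rule language that runs constructed definitions against constructed resource JSON and reports which effect each resource would receive. The helper names, sample definitions, resources and assignment values are all made up for illustration, and the evaluator implements only the conditions listed in its docstring, not the full Azure Policy engine.

```python
"""Offline evaluator for a small subset of the Azure Policy rule language.

Supported: 'field' conditions with equals/notEquals/in/notIn/exists, the
allOf/anyOf/not combinators, and "[parameters('x')]" substitution. Fields
resolve type, location, name, tags['key'], and aliases of the form
'<resourceType>/<dotted.path>' looked up under the resource's 'properties'.
All definitions, assignment values and resources below are constructed samples.
"""
import re

_PARAM_RE = re.compile(r"^\[parameters\('([^']+)'\)\]$")
_TAG_RE = re.compile(r"^tags\['([^']+)'\]$")


def _norm(value):
    """Azure compares strings case-insensitively and booleans as 'true'/'false'."""
    if isinstance(value, bool):
        return str(value).lower()
    return value.lower() if isinstance(value, str) else value


def resolve(value, params):
    """Replace a "[parameters('x')]" string with the effective parameter value."""
    m = _PARAM_RE.match(value) if isinstance(value, str) else None
    if not m:
        return value
    if m.group(1) not in params:
        raise ValueError(f"rule references undeclared parameter '{m.group(1)}'")
    return params[m.group(1)]


def field_value(resource, field):
    """Resolve a policy 'field' against a resource document; None = does not exist."""
    if field in ("type", "location", "name"):
        return resource.get(field)
    m = _TAG_RE.match(field)
    if m:
        return (resource.get("tags") or {}).get(m.group(1))
    prefix = resource.get("type", "") + "/"
    if field.lower().startswith(prefix.lower()):  # alias: <type>/<property path>
        node = resource.get("properties") or {}
        for part in field[len(prefix):].split("."):
            if not isinstance(node, dict) or part not in node:
                return None
            node = node[part]
        return node
    return None


def matches(cond, resource, params):
    """Evaluate one condition block, recursing through allOf/anyOf/not."""
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource, params)
    actual = _norm(field_value(resource, cond["field"]))
    if "exists" in cond:
        return (actual is not None) == (_norm(resolve(cond["exists"], params)) == "true")
    if "equals" in cond:
        return actual == _norm(resolve(cond["equals"], params))
    if "notEquals" in cond:
        return actual != _norm(resolve(cond["notEquals"], params))
    if "in" in cond:
        return actual in [_norm(v) for v in resolve(cond["in"], params)]
    if "notIn" in cond:
        return actual not in [_norm(v) for v in resolve(cond["notIn"], params)]
    raise ValueError(f"unsupported condition: {cond}")


def effective_params(definition, assignment_params=None):
    """Merge assignment values over defaultValues and enforce allowedValues."""
    declared = definition.get("parameters", {})
    params = {n: s["defaultValue"] for n, s in declared.items() if "defaultValue" in s}
    for name, value in (assignment_params or {}).items():
        if name not in declared:
            raise ValueError(f"assignment sets undeclared parameter '{name}'")
        allowed = declared[name].get("allowedValues")
        if allowed is not None and value not in allowed:
            raise ValueError(f"parameter '{name}' value {value!r} not in {allowed}")
        params[name] = value
    missing = sorted(set(declared) - set(params))
    if missing:
        raise ValueError(f"assignment does not supply parameters {missing}")
    return params


def evaluate(definition, resource, assignment_params=None):
    """Return the lower-cased effect that applies, or None if the rule does not match."""
    params = effective_params(definition, assignment_params)
    rule = definition["policyRule"]
    if matches(rule["if"], resource, params):
        return str(resolve(rule["then"]["effect"], params)).lower()
    return None


def assignment_is_valid(definition, assignment_params):
    """True when the assignment's parameter values satisfy the definition."""
    try:
        effective_params(definition, assignment_params)
        return True
    except ValueError:
        return False


# Constructed definitions: the allowed-locations rule from the guide, and a
# secure-transfer rule using the parameterized-effect pattern (Deny by default).
ALLOWED_LOCATIONS = {
    "parameters": {"allowedLocations": {"type": "Array"}},
    "policyRule": {"if": {"field": "location", "notIn": "[parameters('allowedLocations')]"},
                   "then": {"effect": "deny"}}}
SECURE_TRANSFER = {
    "parameters": {"effect": {"type": "String", "defaultValue": "Deny",
                              "allowedValues": ["Audit", "Deny", "Disabled"]}},
    "policyRule": {"if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
         "notEquals": "true"}]},
        "then": {"effect": "[parameters('effect')]"}}}
# Constructed resources, shaped like the JSON ARM exposes for a resource.
RESOURCES = [
    {"name": "stprod01", "type": "Microsoft.Storage/storageAccounts",
     "location": "westeurope", "properties": {"supportsHttpsTrafficOnly": True}},
    {"name": "stlegacy", "type": "Microsoft.Storage/storageAccounts",
     "location": "eastus", "properties": {"supportsHttpsTrafficOnly": False}},
    {"name": "vm-dev", "type": "Microsoft.Compute/virtualMachines",
     "location": "northeurope", "properties": {}}]


def run_assignments():
    """Evaluate both definitions over every resource -> {name: [(policy, effect)]}."""
    assignments = [("allowed-locations", ALLOWED_LOCATIONS,
                    {"allowedLocations": ["westeurope", "northeurope"]}),
                   ("secure-transfer", SECURE_TRANSFER, None)]  # None = use defaults
    results = {}
    for r in RESOURCES:
        hits = [(n, evaluate(d, r, p)) for n, d, p in assignments]
        results[r["name"]] = [(n, e) for n, e in hits if e]
    return results
```

Run the module and call `run_assignments()`: `stlegacy` is denied by both rules (wrong region, HTTPS-only disabled) while the other two resources match nothing. Passing `{"effect": "Audit"}` to `evaluate` for the secure-transfer rule shows the audit-first rollout without touching the definition, and `assignment_is_valid` rejects a value outside allowedValues or a missing required parameter, which is exactly the feedback you want from a CI step before the assignment reaches a management group.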
Monitoring & Remediation
Integrate Azure Policy with Azure Monitor, Azure Sentinel, and Azure Automation for continuous compliance.
- Compliance evaluation runs automatically on a roughly 24‑hour cycle and after each new assignment; trigger an on‑demand scan with `az policy state trigger-scan` when you need results sooner, for example right after a deployment.
- Use remediation tasks to fix non‑compliant resources automatically where possible. Remediation applies only to policies with the deployIfNotExists or modify effect, and the assignment needs a managed identity holding the roles those effects declare.
- Forward the Activity Log, which records policy evaluation events, to a Log Analytics workspace for custom dashboards and alerts; the current compliance state itself is queried from Azure Resource Graph.
Sample Compliance Query (Azure Resource Graph)
Policy compliance state lives in the `policyresources` table of Azure Resource Graph; the query below lists non‑compliant resource counts per policy definition and subscription.

```kusto
policyresources
| where type == "microsoft.policyinsights/policystates"
| where properties.complianceState == "NonCompliant"
| summarize Count = count() by tostring(properties.policyDefinitionName), subscriptionId
| order by Count desc
```
Run it in Resource Graph Explorer or with `az graph query -q "<query>"` (requires the resource-graph CLI extension).
Sample Policies
Common policy scenarios; each has a built‑in definition, so assign it rather than writing a custom one.

| Policy | Effect | Scope |
|---|---|---|
| Allowed VM SKUs | Deny | Management Group |
| Enforce Tagging | Deny | Subscription |
| Secure Transfer Required | Deny | Resource Group |