Azure Policy helps to enforce organizational standards and to assess compliance at scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to per-resource, per-policy granularity. It also helps to bring your resources to compliance through bulk remediation for existing resources and automatic remediation for new resources. Common use cases for Azure Policy include implementing governance for resource consistency, regulatory compliance, security, cost, and management. Policy definitions for these common use cases are already available in your Azure environment as built-ins to help you get started. All Azure Policy data and objects are encrypted at rest. For more information, see Azure data encryption at rest.

Overview

Azure Policy evaluates resources in Azure by comparing the properties of those resources to business rules. These business rules, described in JSON format, are known as policy definitions. To simplify management, several business rules can be grouped together to form a policy initiative (sometimes called a policySet). Once your business rules have been formed, the policy definition or initiative is assigned to any scope of resources that Azure supports, such as management groups, subscriptions, resource groups, or individual resources. The assignment applies to all resources within the Resource Manager scope of that assignment. Subscopes can be excluded, if necessary. For more information, see Scope in Azure Policy. Azure Policy uses a JSON format to form the logic the evaluation uses to determine whether a resource is compliant or not. Definitions include metadata and the policy rule. The defined rule can use functions, parameters, logical operators, conditions, and property aliases to match exactly the scenario you want. The policy rule determines which resources in the scope of the assignment get evaluated.
Understand evaluation outcomes

Resources are evaluated at specific times during the resource lifecycle, the policy assignment lifecycle, and for regular ongoing compliance evaluation. The following are the times or events that cause a resource to be evaluated:
For detailed information about when and how policy evaluation happens, see Evaluation triggers.

Control the response to an evaluation

Business rules for handling non-compliant resources vary widely between organizations. Examples of how an organization wants the platform to respond to a non-compliant resource include:
Azure Policy makes each of these business responses possible through the application of effects. Effects are set in the policy rule portion of the policy definition. While these effects primarily affect a resource when the resource is created or updated, Azure Policy also supports dealing with existing non-compliant resources without needing to alter that resource. For more information about making existing resources compliant, see remediating resources.

Video overview

The following overview of Azure Policy is from Build 2018. For slides or video download, visit Govern your Azure environment through Azure Policy on Channel 9.

There are a few key differences between Azure Policy and Azure role-based access control (Azure RBAC). Azure Policy evaluates state by examining properties on resources that are represented in Resource Manager and properties of some Resource Providers. Azure Policy doesn't restrict actions (also called operations). Azure Policy ensures that resource state is compliant with your business rules without concern for who made the change or who has permission to make a change. Some Azure Policy resources, such as policy definitions, initiative definitions, and assignments, are visible to all users. This design enables transparency to all users and services for what policy rules are set in their environment. Azure RBAC focuses on managing user actions at different scopes. If control of an action is required, then Azure RBAC is the correct tool to use. Even if an individual has access to perform an action, if the result is a non-compliant resource, Azure Policy still blocks the create or update. The combination of Azure RBAC and Azure Policy provides full scope control in Azure.

Azure RBAC permissions in Azure Policy

Azure Policy has several permissions, known as operations, in two Resource Providers:
Many built-in roles grant permission to Azure Policy resources. The Resource Policy Contributor role includes most Azure Policy operations. Owner has full rights. Both Contributor and Reader have access to all read Azure Policy operations. Contributor may trigger resource remediation, but can't create or update definitions and assignments. The User Access Administrator role is needed to grant the managed identity used by deployIfNotExists or modify assignments the permissions it requires.
Note: All Policy objects, including definitions, initiatives, and assignments, are readable by all roles over their scope. For example, a Policy assignment scoped to an Azure subscription is readable by all role holders at the subscription scope and below. If none of the built-in roles have the permissions required, create a custom role. Azure Policy operations can have a significant impact on your Azure environment. Only the minimum set of permissions necessary to perform a task should be assigned, and these permissions should not be granted to users who do not need them.

Special permissions requirement for Azure Policy with Azure Virtual Network Manager (preview)

Azure Virtual Network Manager (preview) enables you to apply consistent management and security policies to multiple Azure virtual networks (VNets) throughout your cloud infrastructure. Azure Virtual Network Manager dynamic groups use Azure Policy definitions to evaluate VNet membership in those groups. To create, edit, or delete Azure Virtual Network Manager dynamic group policies, you need not only the appropriate read and write Azure Policy RBAC permissions described previously, but also permission to join the network group. Specifically, the required resource provider permission is Microsoft.Network/networkManagers/networkGroups/join/action.

Resources covered by Azure Policy

Azure Policy evaluates all Azure resources at or below subscription level, including Arc-enabled resources. For certain resource providers such as Machine configuration, Azure Kubernetes Service, and Azure Key Vault, there's a deeper integration for managing settings and objects. To find out more, see Resource Provider modes.

Recommendations for managing policies

Here are a few pointers and tips to keep in mind:
Azure Policy objects

Policy definition

The journey of creating and implementing a policy in Azure Policy begins with creating a policy definition. Every policy definition has conditions under which it's enforced, and it has a defined effect that takes place if the conditions are met. In Azure Policy, we offer several built-in policies that are available by default. For example:
To implement these policy definitions (both built-in and custom definitions), you need to assign them. You can assign any of these policies through the Azure portal, PowerShell, or Azure CLI. Policy evaluation happens with several different actions, such as policy assignment or policy updates. For a complete list, see Policy evaluation triggers. To learn more about the structures of policy definitions, review Policy Definition Structure. Policy parameters help simplify your policy management by reducing the number of policy definitions you must create. You can define parameters when creating a policy definition to make it more generic. Then you can reuse that policy definition for different scenarios by passing in different values when assigning the policy definition. For example, you could specify one set of locations for one subscription and a different set for another. Parameters are defined when creating a policy definition. When a parameter is defined, it's given a name and optionally given a value. For example, you could define a parameter for a policy titled location. Then you can give it different values such as EastUS or WestUS when assigning a policy. For more information about policy parameters, see Definition structure - Parameters.

Initiative definition

An initiative definition is a collection of policy definitions that are tailored toward achieving a singular overarching goal. Initiative definitions simplify managing and assigning policy definitions by grouping a set of policies as one single item. For example, you could create an initiative titled Enable Monitoring in Microsoft Defender for Cloud, with a goal to monitor all the available security recommendations in your Microsoft Defender for Cloud instance.
Note: The SDKs, such as Azure CLI and Azure PowerShell, use properties and parameters named PolicySet to refer to initiatives. Under this initiative, you would have policy definitions such as:
Like policy parameters, initiative parameters help simplify initiative management by reducing redundancy. Initiative parameters are parameters being used by the policy definitions within the initiative. For example, take a scenario where you have an initiative definition - initiativeC, with policy definitions policyA and policyB each expecting a different type of parameter:
In this scenario, when defining the initiative parameters for initiativeC, you have three options:
When creating value options in an initiative definition, you're unable to input a different value during the initiative assignment because it's not part of the list. To learn more about the structures of initiative definitions, review Initiative Definition Structure.

Assignments

An assignment is a policy definition or initiative that has been assigned to a specific scope. This scope could range from a management group to an individual resource. The term scope refers to all the resources, resource groups, subscriptions, or management groups that the definition is assigned to. Assignments are inherited by all child resources. This design means that a definition applied to a resource group is also applied to resources in that resource group. However, you can exclude a subscope from the assignment. For example, at the subscription scope, you can assign a definition that prevents the creation of networking resources. You could exclude a resource group in that subscription that is intended for networking infrastructure. You then grant access to this networking resource group to users that you trust with creating networking resources. In another example, you might want to assign a resource type allowlist definition at the management group level. Then you assign a more permissive policy (allowing more resource types) on a child management group or even directly on subscriptions. However, this example wouldn't work because Azure Policy is an explicit deny system. Instead, you need to exclude the child management group or subscription from the management group-level assignment. Then, assign the more permissive definition on the child management group or subscription level. If any assignment results in a resource getting denied, then the only way to allow the resource is to modify the denying assignment. Policy assignments always use the latest state of their assigned definition or initiative when evaluating resources.
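The parameterized definition, the assignment-time parameter values, and the explicit-deny scoping rules described above, as an added example that is not part of the original page or of Azure's own evaluation engine. The evaluator below is a deliberately small local model of how a policyRule is matched against a resource (a subset of the real condition operators); the subscription id, resource groups, and resource ids are constructed for the example.

```python
import json
# Constructed definition in the Azure Policy JSON shape: metadata, parameters, policyRule.
ALLOWED_LOCATIONS = json.loads("""{"properties": {
  "displayName": "Allowed locations", "mode": "Indexed",
  "parameters": {"allowedLocations": {"type": "Array"}},
  "policyRule": {"if": {"field": "location", "notIn": "[parameters('allowedLocations')]"},
                 "then": {"effect": "deny"}}}}""")

def resolve(value, params):
    # Substitute an assignment-time parameter reference such as [parameters('x')].
    if isinstance(value, str) and value.startswith("[parameters('"):
        return params[value[len("[parameters('"):-len("')]")]]
    return value

def matches(cond, resource, params):
    # Logical operators first, then one field condition. A subset of the real
    # condition set; string comparison is case-insensitive as in Azure Policy.
    if "allOf" in cond: return all(matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond: return any(matches(c, resource, params) for c in cond["anyOf"])
    if "not" in cond: return not matches(cond["not"], resource, params)
    actual = str(resource.get(cond["field"], "")).lower()
    op = next(k for k in ("equals", "notEquals", "in", "notIn") if k in cond)
    expected = resolve(cond[op], params)
    expected = [str(v).lower() for v in (expected if isinstance(expected, list) else [expected])]
    hit = actual in expected
    return hit if op in ("equals", "in") else not hit

def in_scope(resource_id, assignment):
    # An assignment is inherited by every child of its scope unless a notScope excludes it.
    rid = resource_id.lower()
    return rid.startswith(assignment["scope"].lower()) and not any(
        rid.startswith(ns.lower()) for ns in assignment.get("notScopes", []))

def evaluate(resource, assignments):
    # Explicit-deny model: one matching deny assignment blocks the create/update however
    # permissive another in-scope assignment is; otherwise return the other effects that fired.
    effects = []
    for a in assignments:
        rule = a["definition"]["properties"]["policyRule"]
        if in_scope(resource["id"], a) and matches(rule["if"], resource, a["parameters"]):
            effects.append(rule["then"]["effect"])
    return "deny" if "deny" in effects else effects

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed subscription id
ASSIGNMENTS = [  # strict allowlist on the subscription with rg-network excluded; looser one on rg-network
    {"scope": SUB, "notScopes": [SUB + "/resourceGroups/rg-network"],
     "definition": ALLOWED_LOCATIONS, "parameters": {"allowedLocations": ["EastUS"]}},
    {"scope": SUB + "/resourceGroups/rg-network",
     "definition": ALLOWED_LOCATIONS, "parameters": {"allowedLocations": ["EastUS", "WestUS"]}},
]
```

Removing the notScopes entry from the first assignment makes a WestUS resource in rg-network denied again even though the resource-group assignment allows it, which is the behaviour the text describes.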
If a policy definition that is already assigned is changed, all existing assignments of that definition use the updated logic when evaluating. For more information on setting assignments through the portal, see Create a policy assignment to identify non-compliant resources in your Azure environment. Steps for PowerShell and Azure CLI are also available. For information on the assignment structure, see Assignments Structure.

Maximum count of Azure Policy objects

There's a maximum count for each object type for Azure Policy. For definitions, an entry of Scope means the management group or subscription. For assignments and exemptions, an entry of Scope means the management group, subscription, resource group, or individual resource.
Policy rules have additional limits on the number of conditions and their complexity. See Policy rule limits for more details.

Next steps

Now that you have an overview of Azure Policy and some of the key concepts, here are the suggested next steps: