Azure Policy & Governance

Muhammad Imran
3 min read · Jun 20, 2023

Azure Policy helps to enforce organizational standards and to assess compliance at scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to per-resource, per-policy granularity. It also helps to bring your resources into compliance through bulk remediation for existing resources and automatic remediation for new resources.

Common use cases for Azure Policy include implementing governance for resource consistency, regulatory compliance, security, cost, and management. Policy definitions for these common use cases are already available in your Azure environment as built-ins to help you get started.

Specifically, some useful governance actions you can enforce with Azure Policy include:

  • Ensuring your team deploys Azure resources only to allowed regions
  • Enforcing the consistent application of taxonomic tags
  • Requiring resources to send diagnostic logs to a Log Analytics workspace

Azure Policy objects

Policy definition

The journey of creating and implementing a policy in Azure Policy begins with creating a policy definition. Every policy definition has conditions under which it is enforced, and a defined effect that takes place if those conditions are met.

In Azure Policy, there are several built-in policies that are available by default. For example:

  • Allowed Storage Account SKUs (Deny): Determines if a storage account being deployed is within a set of SKU sizes. Its effect is to deny all storage accounts that don’t adhere to the set of defined SKU sizes.
  • Allowed Resource Type (Deny): Defines the resource types that you can deploy. Its effect is to deny all resources that aren’t part of this defined list.
  • Allowed Locations (Deny): Restricts the available locations for new resources. Its effect is used to enforce your geo-compliance requirements.
  • Allowed Virtual Machine SKUs (Deny): Specifies a set of virtual machine SKUs that you can deploy.
  • Add a tag to resources (Modify): Applies a required tag and its default value if it’s not specified by the deploy request.
  • Not allowed resource types (Deny): Prevents a list of resource types from being deployed.

To implement these policy definitions (both built-in and custom definitions), you need to assign them. You can assign any of these policies through the Azure portal, PowerShell, or Azure CLI.

Initiative definition

An initiative definition is a collection of policy definitions that are tailored toward achieving a single overarching goal. Initiative definitions simplify managing and assigning policy definitions by grouping a set of policies as one single item.

Assignments

An assignment is a policy definition or initiative that has been assigned to a specific scope. This scope could range from a management group to an individual resource. The term scope refers to all the resources, resource groups, subscriptions, or management groups that the definition is assigned to. Assignments are inherited by all child resources. This design means that a definition applied to a resource group is also applied to resources in that resource group. However, you can exclude a subscope from the assignment.

Trigger Condition and Evaluation Workflow of Azure Policy

Azure Policy checks the request payload, compares it with the policy definition, and then decides the next action. The following part explains how the policy evaluates resources using a simplified workflow sample.
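To make the evaluation step concrete, here is an added example in Python (not from the original post and not Azure's own engine): a simplified model of how a request payload is compared against a policy rule's conditions and how the effect is chosen. It assumes only a small subset of the policy language (allOf/anyOf/not, equals/notEquals/in/notIn/exists, and the fields location, type and tags[...]); the two definitions are hand-written to mirror the "Allowed locations (Deny)" and "Add a tag to resources (Modify)" built-ins named above.

```python
# Added example: simplified model of Azure Policy evaluation (subset of the real language).

def field_value(resource, field):
    """Resolve a 'field' reference against a constructed request payload."""
    if field.startswith("tags[") and field.endswith("]"):
        return resource.get("tags", {}).get(field[5:-1])
    return resource.get(field)

def evaluate_condition(cond, resource):
    """Recursively evaluate an 'if' block: logical operators first, then field operators."""
    if "allOf" in cond:
        return all(evaluate_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource)
    value = field_value(resource, cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "notEquals" in cond:
        return value != cond["notEquals"]
    if "in" in cond:
        return value in cond["in"]
    if "notIn" in cond:
        return value not in cond["notIn"]
    if "exists" in cond:  # Azure writes the flag as the string "true"/"false"
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(policy, resource):
    """Return the lower-cased effect ('deny', 'modify', ...) if the rule matches, else None."""
    rule = policy["policyRule"]
    return rule["then"]["effect"].lower() if evaluate_condition(rule["if"], resource) else None

# Constructed definitions (hypothetical, modelled on the built-ins discussed above).
ALLOWED_LOCATIONS = {"policyRule": {
    "if": {"field": "location", "notIn": ["westeurope", "northeurope"]},
    "then": {"effect": "Deny"}}}
REQUIRE_TAG = {"policyRule": {
    "if": {"field": "tags[costCenter]", "exists": "false"},
    "then": {"effect": "Modify"}}}

def decide(policies, resource):
    """Combine assigned policies: a single deny blocks the request; otherwise list the effects that fired."""
    effects = [e for e in (evaluate(p, resource) for p in policies) if e]
    return "deny" if "deny" in effects else effects

if __name__ == "__main__":
    print(decide([ALLOWED_LOCATIONS, REQUIRE_TAG], {"type": "Microsoft.Storage/storageAccounts", "location": "eastus"}))
```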
