Azure Policy
Azure Policy is a governance service that enforces organisational standards and assesses compliance at scale. Policies are evaluated against Azure resources to ensure they meet defined rules; non-compliant resources can be flagged, blocked, or automatically remediated.
Key Concepts
- Policy Definition — A rule that describes what conditions to evaluate and what effect to apply (e.g. deny, audit, append)
- Initiative (Policy Set) — A collection of policy definitions grouped together to achieve a broader compliance goal
- Assignment — Attaches a definition or initiative to a scope (management group, subscription, or resource group)
- Compliance — The evaluated state of resources against assigned policies; reported as compliant or non-compliant
Effects
| Effect | Behaviour |
|---|---|
| Deny | Rejects the create or update request if the resource would be non-compliant; resources that were already non-compliant are only flagged, never removed |
| Audit | Allows the request but records the resource as non-compliant in the compliance data and writes a warning to the activity log |
| AuditIfNotExists | Marks the resource non-compliant if a related resource (e.g. a diagnostic setting or VM extension) does not exist |
| DeployIfNotExists | Deploys the related resource when it is missing; runs as the assignment's managed identity, and existing resources are only fixed by a remediation task |
| Append | Adds fields to the resource on creation or update (e.g. an allowed IP rule on a storage account) |
| Modify | Adds, updates, or removes properties such as tags on creation or update; also needs a managed identity and a remediation task for existing resources |
| Disabled | Turns the policy off without removing the assignment; usually offered as an allowed value of a parameterised effect |
Common Use Cases
- Enforce naming conventions — Require resource groups and resources to follow a naming standard
- Restrict locations — Allow deployments only to approved Azure regions
- Require tags — Enforce mandatory tags (e.g. environment, owner) on all resources
- Enforce SKUs — Limit VM or storage SKUs to approved types
- Enable diagnostics — Automatically deploy diagnostic settings via DeployIfNotExists
- Enforce resource locks — Ensure critical resource groups always have a lock applied
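The diagnostics use case needs more than the assignment itself: a DeployIfNotExists (or Modify) policy runs its deployment as the assignment's managed identity, that identity must hold the role the deployment needs, and resources that already exist are only fixed once a remediation task is started. The following is an added example of that full sequence in PowerShell; it is not code from the original page. The definition GUID, the scope and the role granted are placeholders or assumptions; the role you grant must match the `roleDefinitionIds` declared in the definition you actually assign.

```powershell
# Added example: assign a DeployIfNotExists definition with a managed identity,
# grant the identity the role the deployment needs, and remediate existing resources.
# Requires the Az.Resources and Az.PolicyInsights modules and an authenticated session.
$scope = "/subscriptions/<sub-id>"          # assumption: subscription-level assignment
$assignmentName = "deploy-diagnostics"

# Built-in definitions are named by their GUID; list them with Get-AzPolicyDefinition -Builtin
$definition = Get-AzPolicyDefinition -Name "<deployifnotexists-definition-guid>"

# -IdentityType creates a system-assigned identity; -Location is mandatory when an identity is requested
$assignment = New-AzPolicyAssignment -Name $assignmentName `
    -DisplayName "Deploy diagnostic settings" `
    -PolicyDefinition $definition `
    -Scope $scope `
    -IdentityType SystemAssigned `
    -Location "uksouth"

# The output shape changed in Az.Resources 7: the principal id moved from .Identity.PrincipalId
# to .IdentityPrincipalId, so handle both.
$principalId = if ($assignment.PSObject.Properties['IdentityPrincipalId']) {
    $assignment.IdentityPrincipalId
} else {
    $assignment.Identity.PrincipalId
}

# Without this role the deployment fails quietly and the resource simply stays non-compliant.
# Monitoring Contributor is an assumption for diagnostic settings; use the definition's roleDefinitionIds.
# A freshly created identity can take a few seconds to replicate; retry if the principal is "not found".
New-AzRoleAssignment -ObjectId $principalId `
    -RoleDefinitionName "Monitoring Contributor" `
    -Scope $scope

# Existing resources are not touched until a remediation task runs against the assignment.
# Build the assignment id from the scope so this works regardless of Az.Resources version.
$assignmentId = "$scope/providers/Microsoft.Authorization/policyAssignments/$assignmentName"
$remediation = Start-AzPolicyRemediation -Name "$assignmentName-remediation" `
    -Scope $scope `
    -PolicyAssignmentId $assignmentId `
    -ResourceDiscoveryMode ReEvaluateCompliance

# Poll the remediation rather than assuming success: failed deployments show up here, not on the assignment
Get-AzPolicyRemediation -Name $remediation.Name -Scope $scope |
    Select-Object Name, ProvisioningState,
        @{ n = 'Succeeded'; e = { $_.DeploymentSummary.SuccessfulDeployments } },
        @{ n = 'Failed';    e = { $_.DeploymentSummary.FailedDeployments } }
```

The role assignment is the step most often missed: the assignment is created, compliance reports the resource as non-compliant, and nothing changes because the identity cannot write the diagnostic setting. Checking `FailedDeployments` on the remediation is the quickest way to surface that.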
Usage
PowerShell
# Assign a built-in policy to a resource group.
# Built-in definitions are named by their GUID; list them with Get-AzPolicyDefinition -Builtin
$policy = Get-AzPolicyDefinition -Name "policy-name"
# -PolicyParameterObject maps parameter names straight to values; the { value = ... } wrapper belongs only to the JSON -PolicyParameter form
New-AzPolicyAssignment -Name "restrict-locations" -PolicyDefinition $policy -Scope "/subscriptions/<sub-id>/resourceGroups/rg-myapp-prod-uks-01" -PolicyParameterObject @{ listOfAllowedLocations = @("uksouth", "ukwest") }
# List non-compliant resources in the current subscription (latest evaluation only; add -All for history)
Get-AzPolicyState -Filter "ComplianceState eq 'NonCompliant'" | Select-Object ResourceId, PolicyDefinitionName
Best Practices
- Start with the Audit effect before switching to Deny to understand the blast radius; exposing the effect as a definition parameter, or assigning with -EnforcementMode DoNotEnforce, lets you make the switch without re-creating the assignment
- Remember that Deny only blocks new create and update requests; resources that were already non-compliant stay in place and still need remediation
- Use initiatives to group related policies and simplify assignments
- Assign policies at the management group level for consistent governance across subscriptions; the definition itself must then live at that management group or a parent, not in a subscription
- Use exclusions (notScopes) on assignments, or policy exemptions with an expiry date, to exempt specific resources where necessary, and review them like any other exception
- Regularly review the compliance dashboard to identify and remediate drift
- Prefer built-in policy definitions where possible; only create custom definitions when built-ins don’t cover the requirement
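The audit-then-deny rollout and the exclusion advice above come together in a parameterised custom definition: the effect is a parameter with Audit as its default, so the same definition is assigned in audit mode, the non-compliant set is reviewed, and the assignment is switched to Deny in place. This is an added example, not code from the original page; the definition name, tag name, management group id and the excluded resource group are assumptions.

```powershell
# Added example: custom definition with a parameterised effect, assigned at a management group
# with an exclusion, reviewed in Audit, then promoted to Deny on the existing assignment.
# Requires the Az.Resources and Az.PolicyInsights modules and an authenticated session.

# Policy rule: any resource missing the tag named by the tagName parameter is non-compliant.
$rule = @'
{
  "if": {
    "field": "[concat('tags[', parameters('tagName'), ']')]",
    "exists": "false"
  },
  "then": {
    "effect": "[parameters('effect')]"
  }
}
'@

# Exposing the effect as a parameter (default Audit) is what makes the audit-before-deny rollout cheap.
$parameters = @'
{
  "tagName": {
    "type": "String",
    "metadata": { "displayName": "Tag name", "description": "Tag that must be present on every resource" }
  },
  "effect": {
    "type": "String",
    "allowedValues": [ "Audit", "Deny", "Disabled" ],
    "defaultValue": "Audit",
    "metadata": { "displayName": "Effect" }
  }
}
'@

$mgId    = "<mg-id>"                                                   # assumption
$mgScope = "/providers/Microsoft.Management/managementGroups/$mgId"
$sandbox = "/subscriptions/<sub-id>/resourceGroups/rg-sandbox"         # assumption: excluded scope
$assignmentName = "require-owner-tag"

# The definition is created at the management group so it can be assigned there.
# Mode Indexed limits evaluation to resource types that support tags and location,
# so resources that cannot carry tags are not reported as non-compliant.
$definition = New-AzPolicyDefinition -Name "require-tag" `
    -DisplayName "Require a tag on resources" `
    -Description "Resources must carry the tag given by tagName" `
    -ManagementGroupName $mgId `
    -Mode Indexed `
    -Policy $rule `
    -Parameter $parameters

# Step 1: assign in Audit mode. -NotScope excludes the sandbox without a second assignment.
New-AzPolicyAssignment -Name $assignmentName `
    -PolicyDefinition $definition `
    -Scope $mgScope `
    -NotScope $sandbox `
    -PolicyParameterObject @{ tagName = "owner"; effect = "Audit" }

# Step 2: measure the blast radius before denying anything.
# Compliance data lags a new assignment (typically up to ~30 minutes); Start-AzPolicyComplianceScan
# forces an evaluation for a subscription if you do not want to wait.
$nonCompliant = Get-AzPolicyState -ManagementGroupName $mgId `
    -Filter "PolicyAssignmentName eq '$assignmentName' and ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, SubscriptionId, Timestamp
$nonCompliant | Format-Table -AutoSize

# Step 3: once the list is acceptable, flip the effect on the existing assignment.
# Only new create/update requests are blocked from here on; the rows above still need fixing by hand or a Modify policy.
Set-AzPolicyAssignment -Name $assignmentName `
    -Scope $mgScope `
    -PolicyParameterObject @{ tagName = "owner"; effect = "Deny" }
```

Keeping the exclusion on the assignment (`-NotScope`) rather than in the definition means the rule stays reusable and the exception is visible wherever the assignment is reviewed; the same applies to exemptions, which additionally carry an expiry.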