Creating Policy Definitions
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Lesson: Creating Azure Policy Definitions
Introduction: The Foundation of Cloud Governance
In the modern cloud environment, organizations often struggle with "resource sprawl." As teams provision virtual machines, storage accounts, and databases, it becomes increasingly difficult to ensure that every resource complies with internal security standards, cost management rules, and regulatory requirements. Without automated guardrails, human error inevitably leads to misconfigurations, such as public storage accounts, unencrypted disks, or resources deployed in unauthorized regions. This is where Azure Policy becomes essential.
Azure Policy is a service that allows you to create, assign, and manage policies that enforce rules for your resources. By defining these rules, you ensure that your environment stays consistent and secure, regardless of how many resources your teams create. This lesson focuses on the core of this service: the Policy Definition. A policy definition is a JSON document that describes the conditions under which a policy is enforced and the effect that takes place if those conditions are met. Understanding how to author these definitions is the fundamental skill required for any cloud administrator tasked with maintaining a healthy, compliant Azure environment.
Understanding the Anatomy of a Policy Definition
A policy definition is essentially a set of logic that Azure executes whenever a resource is created or updated. If you want to require that all resources have a specific tag, or that all virtual machines use a specific SKU, you must translate those requirements into the JSON structure that Azure Policy understands.
Every policy definition consists of several mandatory components. By mastering these, you can write custom policies that go far beyond the built-in options provided by Microsoft.
Key Components of a Policy Definition
- Display Name: The descriptive name shown in the Azure Portal.
- Description: A clear explanation of what the policy does and why it exists.
- Mode: Defines which resource types the policy evaluates. Most commonly, this is set to
Indexedfor Resource Manager resources. - Parameters: Allow you to make your policies reusable by accepting input values at the time of assignment.
- Policy Rule: The logical core of the policy, consisting of the
ifblock (the condition) and thethenblock (the effect).
Callout: Policy Definition vs. Policy Assignment It is common to confuse definitions and assignments. Think of a Policy Definition as a function or a template—it describes a rule but doesn't actually do anything on its own. A Policy Assignment is the act of "calling" that function and applying it to a specific scope, such as a Management Group, Subscription, or Resource Group. You create one definition and use it for many assignments.
The Logical Structure: If and Then
The heart of every policy is the policyRule object. This object contains two main sections: if and then. The if section uses logical operators (allOf, anyOf, not) to evaluate resource properties. The then section determines the action to take when the if condition evaluates to true.
The If Block
The if block is where you define the criteria for your rule. You can check for the existence of tags, the value of a property, or whether a resource belongs to a certain type. For example, if you want to target only Virtual Machines, you would include a check for type equals Microsoft.Compute/virtualMachines.
The Then Block
The then block specifies the enforcement action. Common effects include:
- Deny: Prevents the creation or update of a resource that violates the rule.
- Audit: Logs the violation but allows the resource creation to proceed.
- Append: Adds specific fields to the resource request (e.g., adding a default tag).
- Modify: Updates existing resources to match the desired state.
- DeployIfNotExists: Automatically deploys a template to bring the resource into compliance.
Practical Example: Restricting Allowed Locations
One of the most common governance requirements is restricting resource deployment to specific Azure regions. This helps with data sovereignty and keeps latency predictable. Below is a simplified policy definition that restricts resource creation to "East US" and "West US".
{
"properties": {
"displayName": "Allowed Locations",
"description": "This policy restricts the locations where resources can be deployed.",
"mode": "Indexed",
"parameters": {
"allowedLocations": {
"type": "Array",
"metadata": {
"description": "The list of allowed locations for resources.",
"displayName": "Allowed Locations"
}
}
},
"policyRule": {
"if": {
"not": {
"field": "location",
"in": "[parameters('allowedLocations')]"
}
},
"then": {
"effect": "deny"
}
}
}
}
Explanation of the Code
- Parameters: We define an
allowedLocationsparameter. By using an array, we allow the user to select multiple regions during the assignment process. - The Field: We use the
fieldkeyword to look at thelocationproperty of the resource being evaluated. - The Operator: We use
notcombined withinto check if the resource's location is missing from our provided list. - The Effect: If the location is not in our list, the
denyeffect triggers, and the Azure Resource Manager rejects the deployment.
Tip: Use Built-in Definitions as a Starting Point You do not need to write every policy from scratch. Azure provides hundreds of built-in policy definitions. Before writing a custom policy, browse the "Definitions" tab in the Azure Policy portal. You can often duplicate a built-in policy and modify it to fit your specific needs, which saves time and reduces the risk of syntax errors.
Advanced Logic: Using Parameters and Logical Operators
As your governance strategy grows, you will need policies that are flexible. Hardcoding values into your policies makes them difficult to maintain. Using parameters allows you to reuse the same logic across different departments or environments.
Using AllOf and AnyOf
You can combine multiple conditions using logical operators. The allOf operator acts like a logical "AND"—all conditions must be true for the rule to trigger. The anyOf operator acts like a logical "OR"—if at least one condition is true, the rule triggers.
Consider this example where we want to deny any storage account that is not using HTTPS and is located in a specific region:
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
},
{
"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
"equals": false
}
]
},
"then": {
"effect": "deny"
}
}
This ensures that security-conscious storage configurations are enforced automatically. By using allOf, we ensure that we only target storage accounts that specifically fail the HTTPS requirement.
Step-by-Step: Creating a Custom Policy via Azure Portal
While you can use the Azure CLI or PowerShell to deploy policies, the Azure Portal provides a user-friendly interface for testing and creating initial versions.
- Navigate to Policy: Open the Azure Portal and search for "Policy."
- Create Definition: Click on "Definitions" in the left-hand menu, then click the "+ Policy definition" button.
- Define Scope: Choose the "Definition location." This is the Management Group or Subscription where the policy will be saved.
- Fill Basics: Give your policy a name and a category (e.g., "Storage" or "Compute").
- Write JSON: Paste your policy definition into the JSON editor. The portal will validate the syntax as you type, highlighting any errors in red.
- Add Parameters: If you have defined parameters, the portal will automatically generate a form for these fields.
- Save: Click "Save" to commit the definition to your environment.
Best Practices for Policy Definition
Creating policies is easy; maintaining them in a large environment is hard. Follow these industry-standard practices to ensure your policies remain effective and manageable.
1. Use Meaningful Naming Conventions
Always use a consistent naming convention for your policy definitions. For example: [ORG]-[DEPARTMENT]-[RESOURCE]-[ACTION]. An example might be CONTOSO-HR-STORAGE-DENY-PUBLIC-ACCESS. This makes it much easier to filter and manage policies when you have hundreds of them.
2. Start with 'Audit' Before 'Deny'
Never move straight to a Deny effect for a new policy in a production environment. If you do, you might accidentally break existing workflows or block legitimate business activities. Instead, start with the Audit effect. Monitor the policy for a few weeks, review the compliance reports, and only switch to Deny once you are confident the policy will not cause unintended outages.
3. Keep Policies Simple
It is tempting to create "mega-policies" that check for ten different things at once. Avoid this. Smaller, modular policies are easier to debug, easier to assign, and easier to disable if something goes wrong. If you need to check for tags, storage security, and networking, create three separate policy definitions.
4. Leverage Policy Sets (Initiatives)
If you find yourself assigning 20 different policies to every subscription, group them into a "Policy Set" (also known as an Initiative). This allows you to manage the entire group as a single assignment, simplifying the lifecycle management of your governance rules.
Warning: The 'Modify' Effect Caveat The
Modifyeffect is powerful because it can actually change a resource to make it compliant. However, be extremely careful. If a policy modifies a resource that is already being managed by an automated pipeline or another configuration tool, you might create a conflict where the two systems fight over the resource state, leading to unpredictable behavior. Always testModifyeffects in a sandbox before deploying them widely.
Common Pitfalls and Troubleshooting
Even experienced administrators encounter issues when authoring policies. Here are the most frequent mistakes and how to avoid them.
Incorrect Resource Type Targeting
One of the most common errors is targeting the wrong resource type. If your policy rule isn't triggering, check the type field in your if block. You can use the "Resource Explorer" tool in the Azure Portal to inspect the exact JSON structure of a resource to ensure your policy paths match the actual property names.
Case Sensitivity and Data Types
Azure Policy is generally case-insensitive regarding field names, but the values you compare against can be sensitive. Always ensure your parameter types match the expected data type of the resource property. If you expect an array, define it as an array in your parameters. If you compare a string to an integer, the policy will fail to evaluate correctly.
The "Scope" Confusion
If you create a policy definition in a Management Group, it is available to all subscriptions underneath it. However, if you create it in a specific subscription, it is not available to others. Always save your common, organization-wide policies at the highest possible level (the Root Management Group) to ensure they are available everywhere.
Troubleshooting Workflow
When a policy doesn't seem to work, follow this checklist:
- Check for Assignment: Is the policy actually assigned to the resource's scope?
- Verify Evaluation: Look at the "Compliance" tab in the Policy portal. It will show you why a resource is considered "Non-compliant."
- Check the JSON: Use the built-in validator in the Azure Portal to ensure there are no syntax errors.
- Review the Audit Logs: If the policy is
Deny, the activity log of the failed deployment will explicitly state which policy blocked the request.
Comparison: Effect Types
| Effect | Action | Best For |
|---|---|---|
| Audit | Logs violation only | Initial testing, monitoring compliance |
| Deny | Blocks the action | Security, cost control, preventing errors |
| Append | Adds fields to request | Adding required tags or headers |
| Modify | Updates resource properties | Remediating non-compliant configurations |
| DeployIfNotExists | Deploys a template | Ensuring dependent resources exist (e.g., Log Analytics) |
The Role of Policy in Compliance Frameworks
Organizations in regulated industries (such as Finance or Healthcare) must adhere to standards like ISO 27001, SOC2, or HIPAA. Azure Policy is the primary mechanism for proving compliance in these environments. By using the built-in "Regulatory Compliance" dashboards, you can see how your custom and built-in policies map directly to the controls required by these standards.
When you create a policy definition, consider how it contributes to your broader compliance posture. For instance, a policy that requires encryption at rest is not just a "good practice"; it is often a mandatory control for PCI-DSS compliance. By tagging your policies with metadata that references these frameworks, you make it easier for auditors to see that you have technical controls in place to support your policies.
Example: Enforcing Tags for Cost Tracking
In a large organization, cost management is often a nightmare because resources are not tagged correctly. You can use a policy to ensure that every resource has a CostCenter tag.
{
"properties": {
"displayName": "Require CostCenter Tag",
"policyRule": {
"if": {
"field": "tags['CostCenter']",
"exists": false
},
"then": {
"effect": "deny"
}
}
}
}
This simple policy forces developers to provide a CostCenter tag whenever they create a resource. If they omit it, the deployment fails. This is significantly more effective than sending monthly emails asking teams to tag their resources.
Best Practices for Lifecycle Management
Governance is not a "set it and forget it" task. As Azure adds new features and services, your policies may need to be updated.
- Version Control: Store your policy definitions in a Git repository. Treat them like code. Use a CI/CD pipeline to deploy policy changes to your environment. This creates an audit trail of who changed which policy and why.
- Regular Reviews: Conduct a quarterly review of your active policies. Are some policies no longer relevant? Do you have policies that are constantly causing "Deny" events for legitimate work? Adjust them accordingly.
- Communication: When you implement a new
Denypolicy, communicate this to your engineering teams well in advance. Explain the "why" behind the policy so they understand the security or cost benefits rather than just feeling restricted. - Documentation: Maintain a central document that lists your active policies and their intent. This helps new team members understand the "rules of the road" for your cloud environment.
Advanced: Using DeployIfNotExists for Automated Remediation
The DeployIfNotExists effect is perhaps the most advanced and helpful tool in the Azure Policy arsenal. It allows you to automatically fix a non-compliant resource by deploying a secondary resource or configuration.
For example, if you want to ensure that every storage account has a specific diagnostic setting enabled for logging, you can write a policy that checks if the diagnostic setting exists. If it does not, the DeployIfNotExists effect triggers a Template Deployment that creates the diagnostic setting for you.
This moves your governance from "policing" to "self-healing." Instead of just telling developers they are wrong, you are providing them with a compliant environment by default. This reduces friction and allows your infrastructure to stay secure without constant manual intervention.
Summary: Key Takeaways for Azure Policy
Creating policy definitions is a foundational skill for maintaining a secure and efficient Azure environment. By following the principles outlined in this lesson, you can build a robust governance framework that scales with your organization.
- Definitions are Templates: Always think of your policy definition as a reusable rule. Focus on making them generic enough to be applied to different scopes by using parameters.
- Use the Right Effect: Use
Auditfor testing and visibility, andDenyfor strict enforcement. UseModifyorDeployIfNotExistsfor automated remediation to reduce operational overhead. - Validate via JSON: Get comfortable with the JSON structure. Understanding how
ifandthenblocks work allows you to write custom policies that address your unique organizational requirements. - Prioritize Simplicity: Break complex governance requirements into small, modular policies. This makes your environment easier to troubleshoot and maintain.
- Treat Policy as Code: Store your policy definitions in version control and use deployment pipelines. This ensures consistency and provides a clear history of your governance strategy.
- Test Before Enforcing: Always start with an
Auditeffect in a non-production subscription before moving toDeny. This prevents accidental impact on business-critical workloads. - Leverage Built-ins: Don't reinvent the wheel. Microsoft provides a vast library of built-in policies that cover the majority of common compliance requirements. Customize these when necessary rather than writing from scratch.
By mastering these concepts, you transition from simply "using" the cloud to "governing" the cloud. Azure Policy is the bridge between your security requirements and the reality of your infrastructure. As you continue your journey in Azure administration, keep these practices at the forefront of your work, and you will find that managing cloud governance becomes a proactive, rather than reactive, process.
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons