Introduction to Azure Policy
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Introduction to Azure Policy
In the expansive landscape of cloud computing, maintaining control over an environment is one of the most significant challenges for any organization. As teams deploy resources—such as virtual machines, storage accounts, and databases—at scale, the risk of configuration drift, security vulnerabilities, and uncontrolled spending increases exponentially. This is where Azure Policy becomes essential. Azure Policy is a service that allows you to create, assign, and manage policies that enforce rules for your resources. These policies ensure that your resources stay compliant with your corporate standards and service-level agreements.
By using Azure Policy, you move away from manual oversight and reactive auditing toward a proactive model of automated governance. Imagine an environment where it is physically impossible for a developer to deploy a virtual machine in an unauthorized region or create a storage account that allows public access. Azure Policy makes this a reality by evaluating your resources and comparing their properties against the rules you define. If a resource violates a policy, you can be notified, the resource can be blocked from creation, or the policy can even attempt to fix the issue automatically.
Understanding Azure Policy is not just about learning a tool; it is about adopting a mindset of "Policy as Code." This approach treats your governance rules with the same rigor as your application code, allowing for version control, automated testing, and consistent deployment across multiple subscriptions and management groups. Whether you are a cloud architect, a security professional, or a DevOps engineer, mastering Azure Policy is fundamental to building a stable, secure, and cost-effective cloud footprint.
The Core Architecture of Azure Policy
To work effectively with Azure Policy, you must understand the hierarchy and the components that make the service function. At its heart, Azure Policy operates on a simple "evaluate, report, and act" cycle. It inspects resource properties during creation, updates, or at regular intervals, checks them against a set of logic, and then triggers an action based on the result.
1. Policies and Definitions
A policy definition expresses what to evaluate and what action to take. A definition includes the logic—written in JSON format—that evaluates a resource. For example, a policy might check if a resource has a specific tag. If the tag is missing, the policy definition dictates whether to deny the creation, log the event, or modify the resource.
2. Assignments
A policy definition by itself does nothing. To make it active, you must create a policy assignment. An assignment links a policy definition to a specific scope, such as a management group, a subscription, or a resource group. When you assign a policy, you can also set parameters, which allow you to customize the behavior of the policy without creating a new definition for every slight variation.
3. Initiatives (Policy Sets)
Managing individual policies can quickly become cumbersome as your environment grows. An initiative, or policy set, is a collection of related policy definitions that are grouped together to simplify management. By assigning an initiative, you can apply a comprehensive compliance framework—such as "Ensure all resources have a cost center tag and reside in the US"—in a single action.
Callout: Policy vs. Initiatives Think of a Policy as a single rule, such as "Ensure all disks are encrypted." Think of an Initiative as a "Compliance Bundle," such as "ISO 27001 Standards," which contains dozens of individual policies. Using initiatives allows you to treat a collection of rules as a single unit of management, significantly reducing the administrative overhead of maintaining complex governance frameworks.
How Azure Policy Evaluates Resources
Azure Policy works by intercepting requests to the Azure Resource Manager (ARM). When a user or service attempts to create or update a resource, ARM sends the request to Azure Policy for evaluation. If the policy is set to "Deny," the request is rejected before the resource is ever created.
Beyond the creation phase, Azure Policy also performs periodic scans of existing resources. This is crucial because policies might be updated, or new policies might be assigned to environments that already contain non-compliant resources. The policy engine runs a background process to evaluate these existing resources and updates the compliance state accordingly, which you can then view in the Azure Portal or through CLI/PowerShell.
Compliance States
When a resource is evaluated, it is assigned a compliance state. Understanding these states is vital for troubleshooting and reporting:
- Compliant: The resource adheres to the policy rules.
- Non-Compliant: The resource violates the policy rules.
- Conflict: The resource is subject to multiple policies that contradict one another, or the policy engine cannot determine the state.
- Not Started: The evaluation has not yet occurred for this resource.
Practical Example: Restricting Allowed Locations
One of the most common use cases for Azure Policy is restricting the geographic locations where resources can be deployed. This is often required for data sovereignty, compliance with local laws, or simply to keep resources close to the users they serve.
Step-by-Step: Creating a Location Restriction Policy
- Navigate to the Azure Policy service in the Azure Portal.
- Select Definitions in the left-hand menu.
- Search for the built-in policy named "Allowed locations".
- Click Assign at the top of the screen.
- Under the Basics tab, choose the scope (e.g., your subscription or a specific resource group).
- Under the Parameters tab, select the regions you want to permit (e.g., East US and West US).
- Under the Remediation tab, you can choose to create a managed identity if you were using a policy that supports remediation (though for a "Deny" policy, this is not needed).
- Click Review + Create to apply the policy.
Once this policy is assigned, any attempt to deploy a resource in, for example, "North Europe" will fail with a "Policy Violation" error. This is a powerful way to enforce geographic boundaries without writing any custom code.
Understanding the JSON Structure
Azure Policy definitions are written in JSON. Even if you primarily use the Azure Portal, understanding the structure of these files will make you significantly more effective at debugging and creating custom rules.
A policy definition consists of three main sections:
- Policy Rule: The core logic that defines the "If" (condition) and "Then" (effect).
- Parameters: Variables that allow you to reuse the policy with different inputs.
- Metadata: Descriptive information such as the display name, description, and category.
Below is a simplified example of a policy rule that checks for a specific tag:
{
"if": {
"field": "tags['Environment']",
"exists": "false"
},
"then": {
"effect": "deny"
}
}
In this example, the if block checks if the "Environment" tag exists on the resource. If it does not exist (exists: false), the then block applies the deny effect, preventing the resource from being created.
Tip: Use the Azure Policy Alias When writing your own policies, you must use "aliases" to refer to resource properties. Aliases are the interface between the Azure Resource Manager and the policy engine. You can find available aliases by running the command
Get-AzPolicyAliasin PowerShell oraz provider showin the Azure CLI. Always search for the correct alias before writing a policy, as guessing the property name will lead to failed evaluations.
Advanced Effects: Beyond "Deny"
While "Deny" is the most common effect, Azure Policy supports several other powerful actions that offer more flexibility in how you manage compliance.
1. Audit
The "Audit" effect creates a warning event in the activity log but does not block the resource creation. This is excellent for testing new policies in a production environment before enforcing them. You can monitor the audit logs to see which resources would have been blocked without actually disrupting your users.
2. Append
The "Append" effect adds additional properties to a resource during the creation request. For example, you could use an append policy to automatically add a "Department" tag to any new resource if the user forgot to include it. This is a non-destructive way to ensure metadata consistency.
3. Modify
The "Modify" effect is more robust than "Append." It allows you to add, update, or remove tags and other properties on existing resources. Unlike "Append," which only works during the creation request, "Modify" can be triggered on existing resources via a remediation task.
4. DeployIfNotExists (DINE)
This is perhaps the most powerful effect. It checks if a related resource exists; if it does not, the policy triggers a deployment to create that resource. A common use case is ensuring that every storage account has a "Diagnostic Setting" configured. If a storage account is created without it, the policy will automatically deploy the diagnostic setting to ensure logs are being captured.
Warning: The DINE Performance Impact While
DeployIfNotExistsis incredibly useful, it relies on an Azure Resource Manager deployment to create the secondary resource. This can take time and requires the policy to have a managed identity with appropriate permissions. Ensure that you have tested your DINE policies thoroughly in a sandbox, as they can sometimes lead to circular dependencies or unexpected deployment failures if not configured with the correct permissions.
Best Practices for Azure Policy
Governance is an iterative process. To avoid the common pitfalls that lead to broken deployments or administrative headaches, follow these industry-standard best practices.
1. Use Built-in Policies First
Microsoft provides hundreds of built-in policies covering common scenarios like security, tagging, and region locking. Before you spend time writing a custom JSON definition, search the library. Built-in policies are maintained by Microsoft and are less likely to contain errors or performance bottlenecks.
2. The "Audit-First" Approach
Never assign a "Deny" policy directly to a production environment. Always start by assigning the policy with the "Audit" effect. Monitor the results for a period (e.g., one week) to see which existing resources are non-compliant. Reach out to the resource owners, help them fix the issues, and only when the compliance dashboard shows a clean slate should you change the effect to "Deny."
3. Leverage Management Groups
Apply policies at the highest level possible in your hierarchy. If you have a corporate standard that applies to every subscription, assign the policy to the "Root Management Group." This ensures that any new subscription created under that root automatically inherits the governance rules, preventing "compliance gaps" for new projects.
4. Implement Policy as Code (CI/CD)
Do not manually create policies in the portal for long-term production use. Instead, store your policy definitions and assignments in a Git repository. Use an Azure DevOps pipeline or GitHub Actions to deploy these policies. This provides a clear audit trail of who changed a policy, why it was changed, and allows you to roll back changes if a policy causes unintended side effects.
5. Monitor Compliance Regularly
Azure Policy is not a "set and forget" tool. Regularly review the compliance dashboard. If you see a large number of non-compliant resources, investigate the root cause. It might indicate that your team needs better training on the requirements, or perhaps the policy itself is too restrictive and needs adjustment.
Comparison: Azure Policy vs. Azure Blueprints
A common point of confusion is the difference between Azure Policy and Azure Blueprints. While they work together, they serve different purposes.
| Feature | Azure Policy | Azure Blueprints |
|---|---|---|
| Primary Goal | Enforce rules and compliance. | Deploy infrastructure and policy sets together. |
| Lifecycle | Ongoing monitoring and enforcement. | One-time deployment of an environment. |
| Scope | Can be applied to existing resources. | Primarily for new resource group/subscription setup. |
| Capabilities | Deny, Audit, Append, Modify, DINE. | Role assignments, ARM templates, Policy assignments. |
Note: As of recent updates, Microsoft has been shifting focus toward "Deployment Stacks" and more integrated Infrastructure as Code (IaC) solutions. While Blueprints are still available, many architects are moving toward using ARM templates or Bicep files combined with Azure Policy for environment standardization.
Common Pitfalls and How to Avoid Them
Even with the best intentions, it is easy to stumble when implementing governance. Here are the most common mistakes I see in professional environments:
The "Too Many Deny" Syndrome
Applying too many "Deny" policies can lead to a "locked-down" environment where developers become frustrated and unable to work. This often leads to "shadow IT," where teams find workarounds to avoid your policies. Always balance security with developer productivity. If a policy is preventing work, consider if an "Audit" or "Modify" effect would be more appropriate.
Forgetting Managed Identities for DINE
If you use DeployIfNotExists or Modify effects, the policy needs permission to perform actions on your behalf. You must assign a Managed Identity to the policy assignment and grant that identity the necessary RBAC roles (like Contributor) on the target scope. Forgetting this step is the #1 reason why remediation tasks fail.
Ignoring Policy Inheritance
Policies applied at a Management Group level are inherited by all child subscriptions. If you have a specific project that needs an exception, you must explicitly create a policy exemption. Failing to understand the inheritance model can lead to policies being applied to environments that were never intended to be governed by those rules.
Lack of Documentation
A policy that is not documented is a mystery to the next person who inherits the environment. If you create a custom policy, ensure you include a descriptive displayName and description within the JSON metadata. Ideally, link to an internal wiki page that explains the business logic behind the policy.
Step-by-Step: Testing a Policy with the Policy Evaluation Tool
Before moving a policy to production, you should verify how it behaves. Azure provides a way to test policy evaluation without actually assigning it.
- Create a Sandbox Resource Group: Use a non-production subscription for testing.
- Use the "What-If" Capability: When deploying an ARM template or Bicep file that includes a policy assignment, use the "What-If" feature in the CLI. This will show you what the policy would do if it were active.
- Check the Compliance Details: After creating a resource that you suspect might violate a policy, navigate to the Compliance tab in the Azure Portal. Click on the specific policy, and you will see a detailed view of why a resource is or is not compliant.
- Iterate: If the result is not what you expected, modify your policy definition, redeploy, and check the status again. This loop is the fastest way to master the policy language.
Key Takeaways
- Governance is Proactive: Azure Policy is your primary tool for shifting from manual, reactive security checks to automated, proactive governance. By defining rules as code, you ensure consistency across your entire cloud footprint.
- Hierarchy Matters: Always apply policies at the highest level (Management Groups) to ensure broad coverage, but use exemptions or specific scopes when unique business needs arise.
- The "Audit-First" Rule: Never jump straight to "Deny" effects. Always start in "Audit" mode to understand the impact on existing resources and avoid breaking production workflows.
- Leverage Built-ins: Avoid "reinventing the wheel." Microsoft’s library of built-in policies is extensive and covers most standard compliance requirements (e.g., NIST, PCI-DSS).
- Policy as Code: Treat your policies like application code. Store them in version control, use CI/CD pipelines for deployment, and document the business reasoning behind your custom rules.
- Understand the Effects: Choose the right tool for the job. Use "Audit" for visibility, "Deny" for enforcement, and "Modify/DINE" for automated remediation of common configuration issues.
- Managed Identities are Essential: When using advanced effects like
DeployIfNotExists, remember that the policy itself needs explicit permissions to interact with your resources.
By following these principles, you will be well on your way to mastering Azure Policy. This service is not just about placing restrictions; it is about creating an environment where your teams can move fast and innovate, confident that they are operating within the guardrails you have established. Governance, when done well, is an enabler of speed, not a blocker.
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons