Creating and Assigning Azure Policies
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Mastering Cloud Governance: Creating and Assigning Azure Policies
Introduction: The Foundation of Cloud Control
In the early days of cloud computing, many organizations operated under a "Wild West" mentality. Developers and IT administrators could provision resources at will, leading to what we now call "cloud sprawl"—a situation where costs balloon, security gaps appear, and compliance becomes a nightmare to track. Azure Policy is the primary mechanism within the Microsoft cloud ecosystem designed to bring order to this chaos. It acts as the guardrail for your cloud environment, ensuring that every resource deployed adheres to specific rules, standards, and regulatory requirements.
When we talk about cloud governance, we are essentially talking about defining the "rules of the road." Without these rules, you might find yourself with virtual machines in regions that violate data sovereignty laws, storage accounts that are publicly accessible, or databases that lack the necessary encryption at rest. Azure Policy allows you to define these rules once and enforce them automatically across your entire subscription or management group hierarchy. By mastering the creation and assignment of these policies, you shift your security posture from a reactive "clean-up" model to a proactive "prevention" model.
Understanding Azure Policy is not just a task for security teams; it is a fundamental skill for cloud architects, DevOps engineers, and system administrators. Whether you are aiming to control spending by restricting expensive virtual machine sizes or ensuring that every resource has a "CostCenter" tag for billing reconciliation, Azure Policy provides the programmatic control needed to manage a large-scale enterprise environment effectively.
Understanding the Core Architecture of Azure Policy
To work effectively with Azure Policy, you must first understand the three distinct components that make up the system: the Policy Definition, the Policy Initiative, and the Policy Assignment. Each of these serves a different purpose in the lifecycle of governance.
1. Policy Definition
A policy definition is the "rule" itself. It is a JSON file that describes the condition under which a policy is enforced and the effect that takes place if that condition is met. For example, a policy definition might say: "If a resource is a virtual machine, and the location is not 'East US', then deny the creation of the resource." These definitions can be simple, such as checking for a specific tag, or highly complex, such as evaluating nested properties within an ARM template or a REST API call.
2. Policy Initiative (Policy Set)
A policy initiative is a collection of policy definitions grouped together for a single purpose. Think of it as a logical container. If you are aiming for "ISO 27001 Compliance," you wouldn't assign 50 individual policies to a subscription. Instead, you would create an initiative that contains all the relevant policies for that compliance standard and assign that single initiative. This makes management significantly easier and provides a consolidated view of compliance across your environment.
3. Policy Assignment
The assignment is the act of applying a policy or an initiative to a specific scope. The scope can be a management group, a subscription, a resource group, or even an individual resource. When you create an assignment, you can also define parameters—such as which specific regions are allowed or which tags are mandatory—without needing to modify the underlying policy definition. This allows for highly reusable policies that can be customized for different departments or environments.
Callout: Policy vs. Role-Based Access Control (RBAC) It is easy to confuse Azure Policy with RBAC, but they serve different functions. RBAC controls who can perform actions on resources (e.g., "Can John start this VM?"). Azure Policy controls what can be done to resources (e.g., "Can this VM be created in this region?"). RBAC is about identity and permissions, while Azure Policy is about resource state and configuration.
Writing Your First Azure Policy Definition
Writing a policy definition requires working with JSON. While the Azure Portal provides a visual editor, understanding the structure of the JSON allows you to create more complex and tailored rules. A policy definition has a specific structure consisting of metadata, parameters, and the policy rule itself.
Anatomy of a Policy Rule
The policyRule section is the heart of the definition. It contains an if block (the condition) and a then block (the effect).
- The 'if' block: This uses logical operators like
allOf,anyOf, andnotto evaluate the properties of a resource. You can check for resource types, locations, tags, or specific property values. - The 'then' block: This specifies the action. Common effects include:
Deny: Prevents the resource creation or update.Audit: Logs the violation without blocking the action.Append: Adds missing tags or values to the resource.Modify: Changes the properties of a resource to ensure compliance.DeployIfNotExists: Automatically deploys a template to bring the resource into compliance.
Example: Enforcing Mandatory Tags
Let's look at a simple policy that ensures every resource created has a "Department" tag.
{
"properties": {
"displayName": "Require a tag on resources",
"policyType": "Custom",
"mode": "Indexed",
"parameters": {
"tagName": {
"type": "String",
"metadata": {
"displayName": "Tag Name",
"description": "The name of the tag that must be present"
}
}
},
"policyRule": {
"if": {
"field": "[concat('tags[', parameters('tagName'), ']')]",
"exists": "false"
},
"then": {
"effect": "deny"
}
}
}
}
In this example, the if block checks if the field corresponding to the provided tag name exists. If it does not exist (i.e., the user failed to provide that tag), the deny effect is triggered. This is a classic "hard enforcement" policy that prevents non-compliant resources from ever entering your environment.
Step-by-Step: Creating and Assigning Policies in the Portal
While infrastructure-as-code (IaC) is the industry standard for managing these policies, it is helpful to understand how to create them through the Azure Portal interface to grasp the workflow.
Step 1: Creating a Custom Policy
- Navigate to the Policy service in the Azure Portal.
- Under the Authoring section, select Definitions.
- Click + Policy definition.
- Specify the location (Management Group or Subscription) where the policy will be stored.
- Give your policy a name and a meaningful description.
- Paste your JSON definition into the policy rule editor.
- Save the definition.
Step 2: Assigning the Policy
- In the Policy service, go to Assignments.
- Click Assign policy.
- Select the Scope (the resource group or subscription you want to govern).
- Select the Policy definition you created in the previous step.
- Provide an Assignment name.
- If your policy has parameters, fill them out in the Parameters tab.
- Click Review + create.
Note: When you assign a policy, it may take up to 30 minutes for the policy to take effect across your environment. Azure Policy evaluates resources at creation time and periodically during background scans.
Advanced Policy Effects: Beyond 'Deny'
While Deny is the most common effect, it can be disruptive to existing workloads. If you apply a Deny policy to a production subscription, you might accidentally break automated deployment scripts or ongoing operations. This is where more nuanced effects become valuable.
Audit
The Audit effect is your best friend when rolling out new policies. It allows you to see which resources are non-compliant without actually blocking them. This gives teams time to remediate their resources before you switch the effect to Deny.
DeployIfNotExists (DINE)
This is a powerful effect that can automatically remediate a non-compliant resource. For example, if you have a policy that requires all storage accounts to have "Secure transfer required" enabled, a DeployIfNotExists policy can automatically deploy a template that updates the storage account settings the moment it detects that the setting is disabled.
Modify
The Modify effect is similar to Append, but it is more flexible. It is primarily used to add or update tags on resources. For example, if you have a policy that mandates a "CostCenter" tag, you can use Modify to automatically inject the correct tag value based on the resource group or other metadata, saving users from having to manually tag every single item.
Callout: The Power of Remediation Using
DeployIfNotExistsorModifyeffectively turns your governance framework into a self-healing system. Instead of constantly chasing developers to fix their non-compliant resources, the policy engine handles the heavy lifting, ensuring that the cloud environment stays in the desired state automatically.
Best Practices for Cloud Governance
Managing policy at scale requires a disciplined approach. If you treat policies as a "set it and forget it" task, you will quickly end up with a mess of conflicting rules and "policy debt."
1. Use Management Groups for Hierarchy
Never assign policies directly to individual subscriptions if you can avoid it. Instead, use Management Groups to organize your subscriptions by department, environment (Prod vs. Dev), or business unit. Assign your policies at the highest level of the management group hierarchy to ensure consistent enforcement across your entire organization.
2. Start with 'Audit' Mode
Always start by deploying new policies in Audit mode. Review the compliance data for a few days or weeks to ensure you understand which resources are violating the policy and why. Once you are confident that the policy won't break critical workflows, switch it to Deny or Modify.
3. Version Control Your Policies
Just like your application code, your policy definitions should be stored in a version control system (like GitHub or Azure DevOps). Use CI/CD pipelines to deploy policies to Azure. This ensures that you have an audit trail of who changed a policy, why it was changed, and when the change occurred.
4. Keep Policies Simple
Avoid creating massive, monolithic policies that attempt to check 50 different things at once. It is much easier to manage 50 small, focused policies than one giant policy that is impossible to debug. If a policy gets too complex, break it into smaller components and group them into an Initiative.
5. Monitor Compliance Dashboards
Azure Policy provides a dashboard that shows your overall compliance status. Make it a habit to check this regularly. If you see a dip in compliance, investigate the specific policies that are failing. Often, a spike in non-compliance indicates a misunderstanding of the policy by your engineering teams, which is a signal that you need better documentation or training.
Common Pitfalls and How to Avoid Them
Even experienced architects make mistakes with Azure Policy. Here are some of the most common issues and strategies to avoid them.
- Over-reliance on 'Deny' effects: Applying
Denypolicies too early can paralyze your development teams. UseAuditfirst to gather data and communicate with your stakeholders before enforcing. - Ignoring Policy Parameters: Many admins hard-code values into their policy definitions. This leads to policy duplication. Use parameters to make your policies reusable across different environments.
- Conflicting Policies: You might accidentally assign two policies that contradict each other. For example, one policy might require a tag that another policy forbids. Always test your policy assignments in a sandbox subscription before applying them to production.
- Performance Impact: While rare, extremely complex policy rules can theoretically impact the performance of your resource deployments. Keep your
ifconditions efficient and avoid overly complex logical nesting if possible. - Excluding Resources: Sometimes you need to exempt certain resources (like a legacy system) from a policy. Azure Policy allows for "Exemptions," but use these sparingly. Document why an exemption was granted and set an expiration date for it so it doesn't become a permanent security hole.
Comparison: Policy Effects
| Effect | Action | Best Use Case |
|---|---|---|
| Audit | Logs compliance without blocking | Testing new policies, monitoring status |
| Deny | Blocks resource creation/update | Enforcing strict compliance or security |
| Append | Adds fields/values to resource | Adding mandatory tags or logging configurations |
| Modify | Updates existing resource properties | Auto-remediating settings like encryption |
| DeployIfNotExists | Deploys a template to fix resource | Ensuring dependent resources exist (e.g., Log Analytics) |
Integrating Azure Policy with Microsoft Defender and Sentinel
The true power of Azure Policy emerges when it is integrated with the broader security ecosystem. Microsoft Defender for Cloud uses Azure Policy under the hood to assess your compliance with industry standards like PCI-DSS, SOC2, and CIS Benchmarks.
When you enable a regulatory compliance standard in Defender for Cloud, it automatically assigns a collection of policy initiatives to your environment. These initiatives check for the specific configurations required by that standard. If you change a configuration that violates the standard, Defender for Cloud will flag it immediately.
Furthermore, you can stream your Azure Policy compliance data into Microsoft Sentinel. By creating a workbook or an alert rule in Sentinel, you can be notified via email or a ticket in your ITSM tool (like ServiceNow) the moment a resource falls out of compliance. This creates a closed-loop system where governance, security monitoring, and incident response work together.
Example: Using Sentinel to Alert on Policy Violations
You can configure a data connector to send "Azure Policy compliance events" to a Log Analytics workspace. Once the data is in the workspace, you can run a Kusto Query Language (KQL) query to find non-compliant resources:
AzureActivity
| where OperationNameValue == "Microsoft.Authorization/policyAssignments/write"
| extend ComplianceState = tostring(properties.status)
| where ComplianceState == "NonCompliant"
| project TimeGenerated, ResourceId, PolicyDefinitionName, ComplianceState
This query allows you to build a real-time dashboard in Sentinel, providing your security operations center (SOC) with visibility into the health of your cloud governance.
Troubleshooting: Why is my Policy not working?
When a policy doesn't behave as expected, the first step is to check the Compliance tab within the specific policy assignment. Azure provides a detailed breakdown of why a resource is considered "Non-compliant."
- Check the Evaluation Result: Does the portal say the resource is "Non-compliant" or "Not started"? If it says "Not started," the background scan hasn't run yet. You can trigger a manual scan by using the Azure CLI or PowerShell.
- Verify the Scope: Did you assign the policy to the correct subscription or management group? It is common to assign a policy to a management group, but accidentally leave a child subscription out of the scope.
- Check for Exemptions: Did someone place an exemption on the resource group? Check the Exemptions tab in the Policy service to see if a specific resource has been excluded from the rule.
- Review the JSON: If you wrote a custom policy, ensure your JSON logic is sound. Use the "Test" feature in the policy definition editor to run your JSON against a sample resource to see how it evaluates.
Key Takeaways for Success
Mastering Azure Policy is a journey of continuous improvement. As your cloud environment grows, your governance requirements will shift, and your policy set will need to evolve. Keep these core principles in mind:
- Governance is a Process, Not a Project: Azure Policy is not a one-time configuration. It requires constant tuning, monitoring, and updating to keep pace with your organization's needs.
- Prioritize Automation: Whenever possible, use Infrastructure-as-Code (Terraform, Bicep, or ARM templates) to manage your policy definitions and assignments. This ensures consistency and prevents configuration drift.
- Use the Right Tool for the Job: Use
Auditto learn,Denyto enforce, andDeployIfNotExiststo remediate. Don't useDenywhen a simpleAuditorModifywould suffice. - Communicate with Stakeholders: Governance is often seen as a hurdle by developers. Explain why a policy exists—whether it's for cost control, security, or compliance—to get buy-in from your engineering teams.
- Leverage Built-in Definitions: Microsoft provides hundreds of built-in policy definitions. Before you write a custom one, search the library to see if a built-in policy already exists that meets your needs.
- Monitor and React: Use the integration between Azure Policy, Defender for Cloud, and Sentinel to turn your governance data into actionable security intelligence.
- Plan for Exceptions: Business needs often require exceptions. Build a formal process for granting and tracking policy exemptions so that you don't lose control of your environment.
By following these practices, you can transform Azure Policy from a complex administrative burden into a powerful, automated engine that ensures your cloud environment remains secure, compliant, and cost-effective. Start small, build your foundational policies first, and gradually expand your governance framework as you gain confidence in the system.
FAQ: Frequently Asked Questions
Q: Can I apply policies to resources outside of Azure? A: Yes, through Azure Arc. By installing the Azure Connected Machine agent on servers in on-premises data centers or other clouds (like AWS or GCP), you can bring those resources under the management of Azure Policy.
Q: Do policies affect existing resources?
A: Yes. When you assign a policy, it will evaluate all existing resources in the scope. If a resource is non-compliant, it will be flagged as such in the compliance dashboard. However, Deny policies only block new resource creations or updates to existing resources; they do not delete existing non-compliant resources.
Q: Can I use Azure Policy to stop costs? A: You can use policy to restrict the deployment of expensive resources, such as preventing the creation of high-memory virtual machine SKUs. While it doesn't "stop" costs directly, it is an effective tool for preventing "budget overruns" before they happen.
Q: What happens if I have a conflict between an Azure Policy and an Azure Blueprints (or Deployment Template)? A: Azure Policy is the final authority. If your deployment template tries to create a resource that violates an Azure Policy, the deployment will fail with a "Policy Violation" error. This is exactly how you want it to work—the policy acts as the ultimate guardrail.
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons