
Azure Policy for Governance Enforcement

Microsoft recently made Azure Policy generally available. This post will explain the role of Azure Policy and how you can use it to audit for or enforce governance.




Azure Policy

If you have a need to enforce restrictions or to assess for company, industry, or regional compliance, then you can use Azure Policy to deploy policies. Typically this type of solution is used in combination with delegated administration for governance. For example:

  • Large company: A company with a large collection of subscriptions and an even larger set of resource groups has a dispersed set of administrators around the country, continent, or globe. Azure Policy allows the organization to unify policy across the catalog of subscriptions.
  • Developers: Developers are often given administrative rights via role-based access control (RBAC) and they often do things without human supervision. Azure Policy can bring some control back on behalf of the organization.


Control and auditing are achieved with policies, written in JSON, each created from one of two kinds of definition:

  • Built-in: A set of policies that are supplied automatically by Microsoft
  • Custom: Policies that you can write and store in Azure

Policy definitions in Azure Policy [Image Credit: Aidan Finn]

There are some interesting examples in the selection of built-in policies:

  • Enforce tag and its value: Enforce a tag that might be used for cross-charging consumption of a single Azure subscription.
  • Require SQL Server version 12.0: Prevent deployments of older versions of SQL Server.
  • Not allowed resource types: Restrict access to certain kinds of Azure resources.
  • Allowed virtual machine SKUs: Limit the series and size of virtual machines that delegated administrators can deploy.

You can assign one of these policy definitions by itself but Microsoft recommends that you deploy initiatives instead. You can think of an initiative as being like an Active Directory group policy object (GPO). You can add one or more policy definitions to an initiative and assign the initiative to a required scope or target.

Note that policies can be created to audit or deny. A deny policy prevents new non-compliant resources from being created (and flags deployments made before the policy was assigned). An audit policy only feeds non-compliance reporting.


There are three scopes at which you can assign a policy or, preferably, an initiative:

  • A resource group
  • A subscription
  • A management group

Management groups are a new preview feature for organizing many subscriptions from a single tenant into a hierarchy with up to 6 layers. This structure can then be used for RBAC and Azure Policy.

When you assign a policy or initiative, it is immediately inherited by all contained resources. For example, if I were to assign a policy that prevents the creation of network resources (virtual networks, public IP addresses, gateways, and so on) to a subscription, it would affect all resource groups in that subscription.

Assigning an Azure Policy [Image Credit: Aidan Finn]

It is possible to create exclusions for a policy. For example, I could create a resource group called networking and grant network administrators Contributor rights to this resource group (and its contents by inheritance). All networking resources would be created in this resource group. The previous example, which prevents the creation of networking resources, would be assigned at the subscription level, with an exception created for the networking resource group.


What good are policies if you cannot see how they are working? The Compliance view lets you see how successful your assigned policies and initiatives have been. It is up to you to decide how to deal with non-compliant instances, such as virtual machine sizes that are not allowed but were deployed before the policy was assigned (as below):

A compliance report in Azure Policy [Image Credit: Aidan Finn]

Armed with this information, you can access automatically generated reports to assess your environment, find rogue developers/operators, and offer them remedial guidance to become compliant with organizational or legal requirements.
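The scenario described above (a policy denying networking resources, wrapped in an initiative, assigned at subscription scope with the networking resource group excluded, then a compliance query) as an added example using the Az PowerShell module; this is not code from the original post. The definition, initiative and assignment names, the resource group name networking, the use of the current subscription, and the property name PolicyDefinitionId on the returned object are assumptions.

```powershell
# Custom policy rule: match core networking resource types. The effect is a
# parameter so the same definition can be assigned as Audit first and switched
# to Deny once the compliance report is clean.
$rule = @'
{
  "if": {
    "field": "type",
    "in": [
      "Microsoft.Network/virtualNetworks",
      "Microsoft.Network/publicIPAddresses",
      "Microsoft.Network/virtualNetworkGateways"
    ]
  },
  "then": { "effect": "[parameters('effect')]" }
}
'@
$params = @'
{
  "effect": { "type": "String", "allowedValues": [ "Audit", "Deny" ], "defaultValue": "Deny" }
}
'@
$definition = New-AzPolicyDefinition -Name 'deny-network-resources' `
  -DisplayName 'Network resources only in the networking resource group' `
  -Mode 'All' -Policy $rule -Parameter $params

# Group the definition into an initiative (compared above to a GPO) and expose
# the effect parameter at initiative level. Assumption: older Az.Resources
# exposes the ID as PolicyDefinitionId; Az.Resources 7.x names it Id.
$setDefs = @"
[ { "policyDefinitionId": "$($definition.PolicyDefinitionId)",
    "parameters": { "effect": { "value": "[parameters('effect')]" } } } ]
"@
$initiative = New-AzPolicySetDefinition -Name 'network-governance' `
  -DisplayName 'Network governance' -PolicyDefinition $setDefs -Parameter $params

# Assign at subscription scope; -NotScope excludes the networking resource group
# so network admins holding Contributor there are unaffected.
$subId = (Get-AzContext).Subscription.Id     # assumption: current subscription
$scope = "/subscriptions/$subId"
New-AzPolicyAssignment -Name 'network-governance' -Scope $scope `
  -PolicySetDefinition $initiative `
  -NotScope "$scope/resourceGroups/networking" `
  -PolicyParameterObject @{ effect = 'Deny' }

# Compliance: list resources that already violate the assignment, e.g. networks
# deployed before it existed, which Deny does not remove but does report.
Get-AzPolicyState -SubscriptionId $subId -Filter "ComplianceState eq 'NonCompliant'" |
  Select-Object ResourceId, PolicyDefinitionName
```

Policy state is evaluated on a schedule after assignment, so the final query may return nothing until the first compliance scan has completed.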

Aidan Finn, Microsoft Most Valuable Professional (MVP), has been working in IT since 1996. He has worked as a consultant and administrator for the likes of Innofactor Norway, Amdahl DMR, Fujitsu, Barclays and Hypo Real Estate Bank International where he dealt with large and complex IT infrastructures and MicroWarehouse Ltd. where he worked with Microsoft partners in the small/medium business space.