Microsoft recently made Azure Policy generally available. This post will explain the role of Azure Policy and how you can use it to audit for or enforce governance.
If you have a need to enforce restrictions or to assess for company, industry, or regional compliance, then you can use Azure Policy to deploy policies. Typically this type of solution is used in combination with delegated administration for governance. For example:
Control and auditing are obtained using policies, written using JSON, and are created from one of two kinds of definition:
There are some interesting examples in the selection of built-in policies:
You can assign one of these policy definitions by itself but Microsoft recommends that you deploy initiatives instead. You can think of an initiative as being like an Active Directory group policy object (GPO). You can add one or more policy definitions to an initiative and assign the initiative to a required scope or target.
Note that policies can be created to audit or deny. A denial will create something new from being created (and alert you of deployments previous to assignment). An audit policy will just be used for non-compliance reporting.
There are three ways that you can assign a policy or, preferably, an initiative:
Management groups are a new preview feature for organizing many subscriptions from a single tenant into a hierarchy with up to 6 layers. This structure can then be used for RBAC and Azure Policy.
When you assign a policy or initiative, it is immediately inherited by all contained resources. For example, if I was to deploy a policy that prevents the creation of network resources (virtual networks, public IP addresses, gateways, and so on) to a subscription, it would affect all resource groups in that subscription.
It is possible to create exclusions for a policy. For example, I could create a resource group called networking and grant network administrators contributor rights to this resource group (and its contents by inheritance). All networking resources would be created in this resource group. The previous example which prevents the creating of networking resources would be assigned at the subscription level but an exception would be created for the networking resource group.
What good are policies if you cannot see how they are working? Compliance lets you view how successful your assigned policies and initiatives have been. It’s up to you to figure out how to deal with non-compliance instances, such as virtual machine sizes that are not allowed but were deployed before a policy was assigned (as below):
Armed with this information, you can access automatically generated reports to assess your environment, find rogue developers/operators, and offer them remedial guidance to become compliant with organizational or legal requirements.