Microsoft recently made Azure Policy generally available. This post will explain the role of Azure Policy and how you can use it to audit for or enforce governance.
If you need to enforce restrictions, or to assess compliance with company, industry, or regional requirements, then you can use Azure Policy to deploy policies. Typically this kind of solution is used in combination with delegated administration (RBAC) for governance. For example:
Control and auditing are achieved with policies, which are written in JSON and created from one of two kinds of definition:
Policy Definitions in Azure Policy [Image Credit: Aidan Finn]
You can assign a single policy definition by itself, but Microsoft recommends that you deploy initiatives instead. Think of an initiative as the Azure Policy equivalent of an Active Directory group policy object (GPO): you add one or more policy definitions to the initiative and assign the initiative to the required scope.
Note that a policy's effect can be audit or deny. A deny effect prevents a new non-compliant resource from being created, and the compliance report also flags matching resources that were deployed before the assignment. An audit effect blocks nothing; it is used only for non-compliance reporting.
There are three ways that you can assign a policy or, preferably, an initiative:
Management groups are a new preview feature for organizing many subscriptions from a single tenant into a hierarchy of up to six levels. This structure can then be used as a scope for both RBAC and Azure Policy.
When you assign a policy or initiative, it is immediately inherited by everything within the assigned scope. For example, if I deployed a policy to a subscription that prevents the creation of network resources (virtual networks, public IP addresses, gateways, and so on), it would apply to every resource group in that subscription.
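The following is an added example that is not part of the original post: it builds the subscription-wide "no network resources" policy described above with the Az PowerShell module (the post predates Az, whose cmdlets carry the AzureRm prefix instead), first as a parameterized definition and then as an assignment. The subscription ID, policy name and display names are placeholders, and the effect is exposed as a parameter so the same definition can be assigned as Audit first and switched to Deny once the report is clean.

```powershell
# Added example (not from the original post). Assumes the Az.Resources module
# and an existing login via Connect-AzAccount. The subscription ID, names and
# display names are placeholders.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder

# Policy rule: match the network resource types named in the post and apply
# whichever effect the assignment chooses.
$policyRule = @'
{
  "if": {
    "field": "type",
    "in": [
      "Microsoft.Network/virtualNetworks",
      "Microsoft.Network/publicIPAddresses",
      "Microsoft.Network/virtualNetworkGateways"
    ]
  },
  "then": {
    "effect": "[parameters('effect')]"
  }
}
'@

# Definition parameters: Audit only reports, Deny blocks new deployments.
# Defaulting to Audit means an assignment that forgets the parameter is safe
# (no production deployment is blocked by accident).
$policyParameters = @'
{
  "effect": {
    "type": "String",
    "metadata": {
      "displayName": "Effect",
      "description": "Audit only reports non-compliance; Deny blocks new deployments."
    },
    "allowedValues": [ "Audit", "Deny" ],
    "defaultValue": "Audit"
  }
}
'@

# Create (or update) the custom definition at subscription scope.
$definition = New-AzPolicyDefinition `
    -Name 'restrict-network-resources' `
    -DisplayName 'Restrict creation of network resources' `
    -Description 'Delegated admins may not create VNets, public IPs or gateways.' `
    -Policy $policyRule `
    -Parameter $policyParameters `
    -Mode 'All' `
    -SubscriptionId $subscriptionId

# Assign to the whole subscription. Every resource group in it inherits the
# assignment; a narrower scope would be a single resource group's resource ID.
$scope = "/subscriptions/$subscriptionId"

New-AzPolicyAssignment `
    -Name 'restrict-network-resources' `
    -DisplayName 'Restrict network resources (subscription-wide)' `
    -Scope $scope `
    -PolicyDefinition $definition `
    -PolicyParameterObject @{ effect = 'Deny' }
```

To apply the same control across many subscriptions, create the definition with `-ManagementGroupName` instead of `-SubscriptionId` and assign it with a scope of the form `/providers/Microsoft.Management/managementGroups/<name>`; every subscription under that management group then inherits it. Note that Deny only stops new deployments: resources that already existed are reported as non-compliant but are not removed or changed.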
Assigning an Azure Policy [Image Credit: Aidan Finn]
What good are policies if you cannot see how they are working? The Compliance view shows how successful your assigned policies and initiatives have been. It is up to you to decide how to deal with non-compliant resources, such as virtual machines of a size that is not allowed but that were deployed before the policy was assigned (as below):
A Compliance Report in Azure Policy [Image Credit: Aidan Finn]
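The portal report above has a scriptable counterpart. As an added example (not from the original post), the following pulls the non-compliant resources for one assignment with the Az.PolicyInsights module, which is the starting point for any cleanup. It assumes an assignment named `restrict-network-resources` at subscription scope; the subscription ID is a placeholder.

```powershell
# Added example (not from the original post). Assumes the Az.PolicyInsights
# module, an existing login, and an assignment named
# 'restrict-network-resources' at subscription scope (placeholder ID).
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
Set-AzContext -Subscription $subscriptionId | Out-Null

# Evaluation runs on a schedule; trigger one now so the report reflects the
# assignment you just made rather than the last scheduled scan.
Start-AzPolicyComplianceScan

# Latest evaluation for resources that this assignment marked non-compliant.
# For a Deny policy these are resources that existed before the assignment:
# Deny blocks new deployments but does nothing to existing ones.
$nonCompliant = Get-AzPolicyState `
    -SubscriptionId $subscriptionId `
    -PolicyAssignmentName 'restrict-network-resources' `
    -Filter "ComplianceState eq 'NonCompliant'"

$nonCompliant |
    Select-Object ResourceGroup, ResourceType, ResourceId, Timestamp |
    Sort-Object ResourceGroup, ResourceType |
    Format-Table -AutoSize

# Group by resource group to see which delegated admins own the cleanup.
$nonCompliant | Group-Object ResourceGroup | Select-Object Name, Count
```

Run the same query with an Audit assignment before switching it to Deny: the list of offenders is what you would otherwise discover only when a deployment pipeline starts failing.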