Learn What IT Pros Need to Know About Windows 11 - August 26th at 1 PM ET! Learn What IT Pros Need to Know About Windows 11 - August 26th at 1 PM ET!
Microsoft Azure

Azure Policy for Governance Enforcement

Microsoft recently made Azure Policy generally available. This post will explain the role of Azure Policy and how you can use it to audit for or enforce governance.



Sponsored Content

Read the Best Personal and Business Tech without Ads

Staying updated on what is happening in the technology sector is important to your career and your personal life but ads can make reading news, distracting. With Thurrott Premium, you can enjoy the best coverage in tech without the annoying ads.

Azure Policy

If you have a need to enforce restrictions or to assess for company, industry, or regional compliance, then you can use Azure Policy to deploy policies. Typically this type of solution is used in combination with delegated administration for governance. For example:

  • Large company: A company with a large collection of subscriptions and an even larger set of resource groups has a dispersed set of administrators around the country, continent, or globe. Azure Policy allows the organization to unify policy across the catalog of subscriptions.
  • Developers: Developers are often given administrative rights via role-based access control (RBAC) and they often do things without human supervision. Azure Policy can bring some control back on behalf of the organization.


Control and auditing are obtained using policies, written using JSON, and are created from one of two kinds of definition:

  • Built-in: A set of policies that are supplied automatically by Microsoft
  • Custom: Policies that you can write and store in Azure

Policy definitions in Azure Policy [Image Credit: Aidan Finn]
Policy Definitions in Azure Policy [Image Credit: Aidan Finn]

There are some interesting examples in the selection of built-in policies:

  • Enforce tag and its value: Enforce a tag that might be used for cross-charging consumption of a single Azure subscription.
  • Require SQL Server version 12.0: Prevent deployments of older versions of SQL Server.
  • Not allowed resource types: Restrict access to certain kinds of Azure resources.
  • Allowed virtual machine SKUs: Limit the series and size of virtual machines that delegated administrators can deploy.

You can assign one of these policy definitions by itself but Microsoft recommends that you deploy initiatives instead. You can think of an initiative as being like an Active Directory group policy object (GPO). You can add one or more policy definitions to an initiative and assign the initiative to a required scope or target.

Note that policies can be created to audit or deny. A denial will create something new from being created (and alert you of deployments previous to assignment). An audit policy will just be used for non-compliance reporting.


There are three ways that you can assign a policy or, preferably, an initiative:

  • A resource group
  • A subscription
  • A management group

Management groups are a new preview feature for organizing many subscriptions from a single tenant into a hierarchy with up to 6 layers. This structure can then be used for RBAC and Azure Policy.

When you assign a policy or initiative, it is immediately inherited by all contained resources. For example, if I was to deploy a policy that prevents the creation of network resources (virtual networks, public IP addresses, gateways, and so on) to a subscription, it would affect all resource groups in that subscription.

Assigning an Azure Policy [Image Credit: Aidan Finn]
Assigning an Azure Policy [Image Credit: Aidan Finn]

It is possible to create exclusions for a policy. For example, I could create a resource group called networking and grant network administrators contributor rights to this resource group (and its contents by inheritance). All networking resources would be created in this resource group. The previous example which prevents the creating of networking resources would be assigned at the subscription level but an exception would be created for the networking resource group.


What good are policies if you cannot see how they are working? Compliance lets you view how successful your assigned policies and initiatives have been. It’s up to you to figure out how to deal with non-compliance instances, such as virtual machine sizes that are not allowed but were deployed before a policy was assigned (as below):

A compliance report in Azure Policy [Image Credit: Aidan Finn]
A Compliance Report in Azure Policy [Image Credit: Aidan Finn]

Armed with this information, you can access automatically generated reports to assess your environment, find rogue developers/operators, and offer them remedial guidance to become compliant with organizational or legal requirements.

Related Topics:


Don't have a login but want to join the conversation? Sign up for a Petri Account

Comments (0)

Leave a Reply

Aidan Finn, Microsoft Most Valuable Professional (MVP), has been working in IT since 1996. He has worked as a consultant and administrator for the likes of Innofactor Norway, Amdahl DMR, Fujitsu, Barclays and Hypo Real Estate Bank International where he dealt with large and complex IT infrastructures and MicroWarehouse Ltd. where he worked with Microsoft partners in the small/medium business space.

Register for Advanced Microsoft 365 Day!

GET-IT: Advanced Microsoft 365 1-Day Virtual Conference - Live August 24th!

Join us on Tuesday, August 24th and hear from Microsoft MVPs and industry experts about how to take advantage of Microsoft 365 at a technical level and dive deep into the features and functionality that will make your environment more secure and compliant.


Sponsored By