In this post, I will show you how to enforce or audit governance to Azure subscriptions or resource groups using Azure Policy.
It is possible to deploy a single policy definition to a management group, subscription, or resource group. That is pretty quick and easy to do. However, like with most quick and easy things, it’s not the best way in the long run. Microsoft recommends that you deploy a policy initiative instead:
The result is something like Active Directory Group Policy Objects (GPOs) for Azure; an initiative creates an organizational policy that can be deployed, effectively reusing components. General rules can be deployed at a top level (a management group) and more specific initiatives can be deployed at the subscription or resource group level.
Azure Policy uses inheritance. By default, everything beneath the assignment scope picks up the policy or initiative. For example, if I deploy an initiative at the root management group, all subscriptions within the management group hierarchy will inherit the policies, all resource groups within those subscriptions will inherit the policies, and all resources within those resource groups will inherit the policies.
You can select exclusions in an assignment. For example, you can prevent the creation of Internet-connected network resources in a management group hierarchy but exclude a particular subscription from that policy. Combined with role-based access control, this can be a powerful way to limit features of Azure to certain teams.
You can find Azure Policy in the Azure Portal. Click All Services. Search for and launch Policy. Once there, click Definitions. The screen is split in two:
Click + Initiative Definition to create a new initiative. Enter the following information on the left, under Basics:
On the right-hand side of the Initiative Definition blade, you will find a listing of all the available policy definitions. You can search/filter the listing. Click + to add your required policies to this initiative definition.
Most policies will require a parameter. A parameter supplies the value that the policy allows, denies, audits, and so on. You have an option for each of these parameters:
In the below example, I have added two policies, each of which requires a single parameter. The first policy, deploying a Log Analytics (OMS) agent to virtual machines, is set with a value that will be applied to all machines (a Log Analytics workspace).
The second policy, which restricts virtual machine series/sizes, is being left undecided at this time. The administrator can decide this value with each assignment of the initiative policy, allowing different virtual machine sizes for different resource groups in this subscription.
Click Save when you are finished creating and configuring the initiative definition.
The new initiative definition is listed in Azure Policy. Select the initiative definition and click Assign to deploy this set of policies to a target, such as a resource group. The Assign Initiative blade is pretty simple:
Note that any parameters that were set (Set Value) in the initiative definition are hardcoded and are not listed here.
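The same "Set Value" versus "Use Initiative Parameter" choice, expressed as the JSON body of a policy set definition. This is an added example, not code from the original post or from Microsoft: the policy definition GUIDs, the workspace resource ID and the parameter names (`logAnalytics`, `listOfAllowedSKUs`) are placeholders or assumptions to be checked against the Definitions blade.

```python
"""Build an Azure Policy initiative (policy set definition) body in which one
policy parameter is hardcoded ("Set Value") and another is exposed as an
initiative parameter to be decided per assignment ("Use Initiative Parameter")."""

# Placeholder built-in policy IDs: substitute the real GUIDs from the Definitions blade.
LOG_ANALYTICS_AGENT_POLICY = "/providers/Microsoft.Authorization/policyDefinitions/<log-analytics-agent-guid>"
ALLOWED_VM_SKUS_POLICY = "/providers/Microsoft.Authorization/policyDefinitions/<allowed-vm-skus-guid>"
# Constructed workspace ID for the example.
WORKSPACE_ID = "/subscriptions/<sub-id>/resourceGroups/rg-monitoring/providers/Microsoft.OperationalInsights/workspaces/law-prod"


def build_initiative(name, display_name, policies):
    """policies: list of (policyDefinitionId, {paramName: spec}) where spec is
    ("set", value) for a hardcoded value or ("expose", initiativeParam, type)
    for a value chosen at assignment time. Returns the policy set definition body."""
    initiative_params, refs = {}, []
    for policy_id, params in policies:
        ref_params = {}
        for param_name, spec in params.items():
            if spec[0] == "set":  # hardcoded; will not appear on the Assign blade
                ref_params[param_name] = {"value": spec[1]}
            elif spec[0] == "expose":  # surfaced as an initiative-level parameter
                _, initiative_param, param_type = spec
                initiative_params[initiative_param] = {"type": param_type}
                ref_params[param_name] = {"value": f"[parameters('{initiative_param}')]"}
            else:
                raise ValueError(f"unknown parameter mode {spec[0]!r}")
        refs.append({"policyDefinitionId": policy_id, "parameters": ref_params})
    return {"name": name, "properties": {"displayName": display_name, "policyType": "Custom",
                                         "parameters": initiative_params, "policyDefinitions": refs}}


def example_initiative():
    """The two-policy initiative from the post: agent workspace fixed, VM sizes left open."""
    return build_initiative("vm-governance", "VM governance", [
        (LOG_ANALYTICS_AGENT_POLICY, {"logAnalytics": ("set", WORKSPACE_ID)}),
        (ALLOWED_VM_SKUS_POLICY, {"listOfAllowedSKUs": ("expose", "allowedVmSkus", "Array")}),
    ])


def exposed_parameters(initiative):
    return set(initiative["properties"]["parameters"])


def assignment_parameters(initiative, values):
    """Validate per-assignment values: only exposed parameters may be supplied, and all
    of them must be. Returns the 'parameters' object for the policy assignment."""
    exposed = exposed_parameters(initiative)
    if unknown := set(values) - exposed:
        raise ValueError(f"not assignable (hardcoded or undefined): {sorted(unknown)}")
    if missing := exposed - set(values):
        raise ValueError(f"missing initiative parameters: {sorted(missing)}")
    return {k: {"value": v} for k, v in values.items()}
```

Different resource groups get different `allowedVmSkus` values at assignment time, while the workspace is fixed in the definition and cannot be overridden by an assignment.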
Click Assign once you are ready to deploy the collection of policies in the initiative definition. The set of policies can take up to 30 minutes to deploy, so don’t expect instant results in any auditing or restrictions.