
Preview of Resource Policy in the Azure Portal

Microsoft has launched a preview of managing Azure Resource Policy using a graphical interface. This post will explain what this preview offers.




Azure Resource Policy

Resource Policy is a very nice feature in Azure Resource Manager (ARM) that allows you to control what delegated administrators can do in an Azure subscription or resource group. For example, you can limit what series and sizes of virtual machines can be deployed. I use the JSON policy to control what can be deployed in a set of subscriptions that my employer uses for training purposes. Previously, one attendee went nuts with virtual machines, running SQL Server, and ran up a nice bill in a few days.

Azure Resource Policy is written in a form of JSON, which you can see in the previously mentioned example. As much as I evangelize the benefits of JSON, I suspect that its adoption rate will mimic that of PowerShell: very high among blog readers and conference attendees, but quite low in the much larger world of IT pros.

A Graphical Interface

A preview of Azure Resource Policy administration in the Azure Portal was launched on May 9th. This preview is running in the preview release of the Azure Portal, which was once called the Preview Portal. It provides an easy way to create and assign some simple resource policies. However, you can still edit JSON policies using a tool such as VS Code. Simply upload the policy using PowerShell and then use the portal administration experience to assign the policies to the subscription or resource groups.

You must use the preview portal. In it, browse to Subscriptions and then to Policies. This is where all of your policy administration will appear in the portal. You can also see all the policies that were created and uploaded using PowerShell.

Creating a Policy

Click +Add Assignment to start making a policy. The Add Assignment blade will appear. Enter the following information:

  • Policy Definition: Choose a type of policy from a set of Microsoft-provided templates. More on this later.
  • Allowed/Not Allowed X: If you select one of the Allowed/Not Allowed definitions (for example, Allowed Locations), then you select the items or locations that are to be permitted or restricted.
  • Assignment Name: Give the policy a user-friendly name.
  • Assignment ID: Give a unique identifier to the policy.
  • Description: Document what the policy does.
  • Scope: Select the Azure subscription or resource group that the policy will be assigned to.

In the below example, I have restricted resource creation to East US and West US.

Let’s get back to those policy definitions. There is a range available to select in the preview. Note that your manually created policies, uploaded using PowerShell, are also available to select from:

  • Allowed Locations: This restricts the regions that can be deployed into.
  • Allowed Resource Types: This permits only a subset of Azure resource types.
  • Allowed Storage Account SKUs: This controls the use of Standard/Premium storage and the replication types.
  • Allowed Virtual Machine SKUs: You can permit pre-selected series/sizes of virtual machines.
  • Not Allowed Resource Types: This prevents certain resource types from being deployed.
  • Require SQL Server Version 12.0: This requires that SQL Server be version 12.0 (SQL Server 2014).
  • Require Storage Account Subscription: This requires that storage encryption be turned on for storage accounts.
Creating an Azure resource policy & assignment [Image Credit: Aidan Finn]

Stacking Assignments

It is possible to stack assignments. In the below example, one policy only allows A1_v1 virtual machines to be deployed. A second policy only allows East US and West US to be used. The combination of these policies means that the only virtual machines that can be deployed are the A1_v1 series and size. They also must be deployed in either East US or West US.

Stacking resource policies in the Azure Portal [Image Credit: Aidan Finn]


A policy that is assigned to a subscription is inherited by all resource groups. If I assign a policy to a subscription that only allows deployments in East US and West US, then this policy is assigned to all resource groups.

If a resource group within that subscription has its own policy that only allows A1_v1 virtual machines, then the A1_v1 virtual machines deployed into that resource group can still only be placed in East US or West US.
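To make the stacking and inheritance behaviour concrete, here is an added example (not code from the original post, and a deliberately simplified model of how Azure evaluates policy rules, not the service's own implementation). It embeds two constructed policy definitions in the real Azure Policy JSON rule shape (if/then, field, in, equals, not, allOf): one that only allows East US and West US, assigned at subscription scope, and one that only allows the post's A1_v1 size, assigned to a single resource group. The subscription ID is a placeholder and the VM size alias field name is an assumption; a deployment is treated as denied if any in-scope assignment's rule matches it, which is what makes stacked restrictions combine.

```python
"""Toy evaluator for Azure Resource Policy rules and stacked assignments.

Assumptions (this is a simplified model, not Azure's own evaluator):
- only the 'deny' effect is modelled;
- string comparisons are case-insensitive, as they are for location/type;
- the VM size is exposed through the alias 'Microsoft.Compute/virtualMachines/sku.name'.
"""
import json

# Constructed definitions, hard-coded instead of parameterised so the example runs offline.
ALLOWED_LOCATIONS = json.loads("""
{
  "if": { "not": { "field": "location", "in": ["eastus", "westus"] } },
  "then": { "effect": "deny" }
}
""")

# The size value 'A1_v1' follows the post's example; it is a sample value, not a real SKU check.
ALLOWED_VM_SKUS = json.loads("""
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
      { "not": { "field": "Microsoft.Compute/virtualMachines/sku.name", "in": ["A1_v1"] } }
    ]
  },
  "then": { "effect": "deny" }
}
""")

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription ID

# Two stacked assignments: locations at subscription scope, VM size at one resource group.
ASSIGNMENTS = [
    {"name": "only-east-west", "definition": ALLOWED_LOCATIONS, "scope": SUB},
    {"name": "only-a1v1", "definition": ALLOWED_VM_SKUS, "scope": f"{SUB}/resourceGroups/training-rg"},
]


def _norm(value):
    """Lower-case strings so comparisons are case-insensitive like Azure's."""
    return value.lower() if isinstance(value, str) else value


def condition_holds(cond: dict, resource: dict) -> bool:
    """Evaluate the 'if' part of a policy rule against a flattened resource."""
    if "not" in cond:
        return not condition_holds(cond["not"], resource)
    if "allOf" in cond:
        return all(condition_holds(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_holds(c, resource) for c in cond["anyOf"])
    value = _norm(resource.get(cond["field"]))
    if "equals" in cond:
        return value == _norm(cond["equals"])
    if "in" in cond:
        return value in [_norm(v) for v in cond["in"]]
    raise ValueError(f"unsupported condition: {cond}")


def in_scope(scope: str, resource_id: str) -> bool:
    """An assignment applies to every resource whose ID sits under its scope (inheritance)."""
    scope, rid = scope.lower().rstrip("/"), resource_id.lower()
    return rid == scope or rid.startswith(scope + "/")


def evaluate(assignments: list, resource: dict) -> list:
    """Return the names of assignments that deny the deployment; an empty list means allowed."""
    denies = []
    for assignment in assignments:
        if not in_scope(assignment["scope"], resource["id"]):
            continue
        rule = assignment["definition"]
        if rule["then"]["effect"].lower() == "deny" and condition_holds(rule["if"], resource):
            denies.append(assignment["name"])
    return denies


def vm(resource_group: str, location: str, size: str) -> dict:
    """Build a constructed virtual machine deployment request for the evaluator."""
    return {
        "id": f"{SUB}/resourceGroups/{resource_group}/providers/Microsoft.Compute/virtualMachines/vm1",
        "type": "Microsoft.Compute/virtualMachines",
        "location": location,
        "Microsoft.Compute/virtualMachines/sku.name": size,
    }


if __name__ == "__main__":
    # Both policies apply inside training-rg; only the location policy applies elsewhere.
    for rg, loc, size in [("training-rg", "eastus", "A1_v1"), ("training-rg", "northeurope", "Standard_D4"),
                          ("other-rg", "westus", "Standard_D4")]:
        print(rg, loc, size, "->", evaluate(ASSIGNMENTS, vm(rg, loc, size)) or "allowed")
```

Running the block shows that a deployment into training-rg must satisfy both assignments, while a deployment into another resource group in the same subscription inherits only the location restriction, which is the inheritance rule described above.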

Managing Existing Policies

We can do the following in the portal:

  • Edit Assignment: We can change the Allowed/Not Allowed option, the friendly name, and the description of the policy. We cannot change the definition (template/type), assignment ID, or the assigned scope.
  • View the Assignment Rule: This option shows you the JSON that was used to deploy the policy. You can use this JSON as a template in VS Code.


The administrative experience for resource policies is a bit light on features, but this is a cloud service preview. As always, the service will likely go live with the core functionality. Based on customer feedback and product plans, the service will evolve rapidly. Don’t judge the GUI for resource policy based on how it is now because it will probably be different in a few months.


Aidan Finn, Microsoft Most Valuable Professional (MVP), has been working in IT since 1996. He has worked as a consultant and administrator for the likes of Innofactor Norway, Amdahl DMR, Fujitsu, Barclays and Hypo Real Estate Bank International where he dealt with large and complex IT infrastructures and MicroWarehouse Ltd. where he worked with Microsoft partners in the small/medium business space.