Azure – Cloud Governance – Assign or Use an Azure Policy

Hello Friends,

I am continuing with Cloud Governance. If you have missed our last articles on Azure Governance, please check it in following links.

Cloud Governance – Management Group

Cloud Governance – Azure Blueprints

How To Create And Assign Azure Blueprint

Azure – Cloud Governance – Parameter Need To Be Specified When Blueprint is Assigned

Today in this article we will discuss, how to assign an in-build Azure policy. Azure Policy is a service in Azure that we use to create, assign, and manage policies. These policies enforce different rules and effects over our resources, so those resources stay compliant with our corporate standards and service level agreements. Companies governance policy required to adopt a set of compliance. so the compliance team can ask us for a new compliance. Azure Policy helps us to manage and prevent issues with policy definitions that enforce rules and effects for our resources.

I am not discussing much on what is Azure Policy but will focus more on how to assign or use an Azure policy to enforce compliance. Following steps needs to be follow to for the same. There are different ways to assign an Azure policy like, Azure Portal, Power Shell and CLI. Lets first create the policy through Azure Portal.

Assign Azure Policy in Azure Portal :

1. Connect to your Azure portal dashboard using your subscription account. If you don’t have any subscription, in that case you can get trial Azure subscription with one-month of validity. Then you can connect to the azure portal dashboard as in following figure.

2. Launch the Azure Policy service in the Azure portal by clicking All services, then searching for and selecting Policy.

3. Select Assignments on the left side of the Azure Policy page. In the following figure, we can see that , we have already two policies assigned to one of my subscription (Visual Studio Enterprise – MPN/BluePrint_RG2). As we know that we can assign a policy to management groups or to a Subscription.Also we can select a Resource Group of selected subscriptions as in the following figure it is BluePrint_RG2 .

4. Select Assign Policy from the top of the Policy – Assignments page shown in the above figure.

5. On the Assign Policy page, select the Scope by clicking the ellipsis and selecting either a management group or subscription. Once we select the scope, It allow to select resource groups from selected subscriptions . But it is optional to choose resource group.  Exclusions are optional, we can leave it now. Then click Select at the bottom of the Scope page as shown in the following figure.

6. After selecting the scope , we need to select the required Policy Definition. In this article, I would like to chose “Not Allowed Resource Type” policy definition.

7. Select the Policy definition ellipsis to open the list of available definitions. Azure Policy comes with built-in policy definitions. Let’s choose
“Not Allowed Resource Type” for our demo. Then provide Assignment Name and Description values as shown in the following figure.

As per the selected policy, it will denies to deploy restricted resource to the selected Scope. Now let’s select resources for Not allowed resource types field, so that we can restrict those resources. As we can see in the above figure, we have select one resource “VirtualMachine” for our article.

8. Leave Create a Managed Identity unchecked. As per Microsoft this box must be checked when the policy or initiative includes a policy with the deployIfNotExists effect and
Click Assign button and our policy will be assigned as shown in the following figure.

Now we have assigned our policy to one of my subscription. To test whether it is working or not let’s try to create one test Virtual Machine in that subscription.

When I try to create the VM, it allows me to deploy the VM. That means the policy is not working as per the requirement 🙁 .

Then I found that, when we are selecting the resources, we need to select the resource from each section. For example, if we want to restrict all type of Virtual Machines to be deploy, then select virtualmachine option from all sections as shown in the following figure I have selected 6 virtual machines from different sections and Assigned the policy again.

Now lets try to deploy a VM to test the policy.In the following figure I am creating a new VM .Let’s see the result 🙂

Here you go :), As we can see in the following figures, our policy does not allowed to deploy Virtual Machines.

AS we can see in the above figure one policy is Non-Compliant. When a condition is evaluated against our existing resources and found true, then those resources are marked as non-compliant with the policy. 

I hope this article helps you some way. Soon we will discuss how to assign a policy using power shell and CLI.

Thanks for reading 🙂

Keep reading, share your thoughts, experiences. Feel free to contact us to discuss more. If you have any suggestion / feedback / doubt, you are most welcome.

Stay tuned on Knowledge-Junction, will come up with more such articles.