In this post, I will show you how to enforce or audit governance on Azure subscriptions or resource groups using Azure Policy.
It is possible to deploy a single policy definition to a management group, subscription, or resource group. That is pretty quick and easy to do. However, as with most quick and easy things, it’s not the best way in the long run. Microsoft recommends that you deploy a policy initiative instead:
- Identify sets of policies that will be deployed together.
- Create an initiative definition, selecting those policies.
- Assign the initiative definition.
The result is something like Active Directory Group Policy Objects (GPOs) for Azure; an initiative creates an organizational policy that can be deployed, effectively reusing components. General rules can be deployed at a top level (a management group) and more specific initiatives can be deployed at the subscription or resource group level.
Azure Policy uses inheritance. By default, everything beneath the assignment picks up the policy/initiative. For example, if I deploy an initiative at the root management group, all subscriptions within the management group hierarchy will inherit the policies, all resource groups within those subscriptions will inherit the policies, and all resources within those resource groups will inherit the policies.
You can select exclusions in an assignment. For example, you can prevent the creation of Internet-connected network resources in a management group hierarchy but exclude a particular subscription from that policy. Combined with role-based access control, this can be a powerful way to limit features of Azure to certain teams.
Creating an Initiative
You can find Azure Policy in the Azure Portal. Click All Services. Search for and launch Policy. Once there, click Definitions. The screen is split in two:
- Initiative Definitions: Lists any custom or built-in initiatives that can be assigned.
- Policy Definitions: Lists individual policies that can be assigned.
Click + Initiative Definition to create a new initiative. Enter the following information on the left, under Basics:
- Definition Location: Select a location in Azure to store the initiative definition. Microsoft normally recommends storing definitions at a higher level, above where you intend to assign it. This allows for reuse.
- Name: A display name for the new initiative definition.
- Category: An administrator-defined grouping of initiatives. You can create a new one or reuse an existing one.
On the right-hand side of the Initiative Definition blade, you will find a listing of all the available policy definitions. You can search/filter the listing. Click + to add your required policies to this initiative definition.
Most policies will require a parameter. This is the value that the policy allows, denies, audits, and so on. You have an option for each of these parameters:
- Set Value: Specify a value that will be used for all assignments of this initiative definition.
- Use Initiative Parameter: Allow the Azure Policy administrator to enter a value or values at the time of assignment.
In the example below, I have added two policies, each of which requires a single parameter. The first policy, deploying a Log Analytics (OMS) agent to virtual machines, is set with a value that will be applied to all machines (a Log Analytics workspace).
The second policy, which restricts virtual machine series/sizes, is being left undecided at this time. The administrator can decide this value with each assignment of the initiative, allowing different virtual machine sizes for different resource groups in this subscription.
Click Save when you are finished creating and configuring the initiative definition.
Assigning The Initiative Definition
The new initiative definition is listed in Azure Policy. Select the initiative definition and click Assign to deploy this set of policies to a target, such as a resource group. The Assign Initiative blade is pretty simple:
- Scope: Select a management group, subscription, or resource group to assign the policy to.
- Exclusions: Any scopes beneath the assignment scope that you want to exclude from this assignment.
- Initiative Definition: The name of the initiative definition.
- Assignment Name: The name of the deployment.
- Description: An optional description of the deployment.
- Assigned By: The name of the person who is responsible for this set of policies.
- Parameters: Any parameters that were set to Use Initiative Parameter in the initiative definition.
Note that any parameters that were set (Set Value) in the initiative definition are hardcoded and are not listed here.
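The behaviour described above (Set Value parameters fixed inside the definition, Use Initiative Parameter values supplied at assignment time, and inheritance minus exclusions deciding where the assignment applies) can be modelled with a small script. This is an added example, not code from the original post or from Microsoft; the initiative and assignment are constructed in the shape Azure Policy uses, and the policy definition ids and subscription id are placeholders.

```python
import re

# Constructed initiative definition in the shape Azure Policy uses; the policy
# definition ids and the subscription id are placeholders, not real values.
INITIATIVE = {"properties": {
    "displayName": "Baseline VM governance",
    "parameters": {"allowedVmSkus": {"type": "Array"}},
    "policyDefinitions": [
        {"policyDefinitionReferenceId": "deployLogAnalyticsAgent",
         "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/<AGENT-POLICY-ID>",
         # Set Value: one workspace for every assignment of this initiative
         "parameters": {"logAnalytics": {"value": "/subscriptions/<SUB-ID>/resourceGroups/"
             "rg-mon/providers/Microsoft.OperationalInsights/workspaces/law-prod"}}},
        {"policyDefinitionReferenceId": "allowedVmSizes",
         "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/<SKU-POLICY-ID>",
         # Use Initiative Parameter: the assigner decides per assignment
         "parameters": {"listOfAllowedSKUs": {"value": "[parameters('allowedVmSkus')]"}}}]}}

PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")

def assignment_time_parameters(initiative):
    """Parameters the assigner must supply; Set Value (hardcoded) ones never surface."""
    props = initiative["properties"]
    exposed = set()
    for member in props["policyDefinitions"]:
        for param in member.get("parameters", {}).values():
            match = PARAM_REF.match(str(param.get("value", "")))
            if match:
                exposed.add(match.group(1))
    undeclared = exposed - set(props.get("parameters", {}))
    if undeclared:
        raise ValueError(f"referenced but not declared: {sorted(undeclared)}")
    return sorted(exposed)

def validate_assignment(initiative, assignment):
    """Initiative parameters the assignment is missing, and ones it need not set."""
    required = set(assignment_time_parameters(initiative))
    supplied = set(assignment.get("parameters", {}))
    return {"missing": sorted(required - supplied), "unknown": sorted(supplied - required)}

def applies_to(assignment, resource_id):
    """Inheritance: covered if beneath the scope and not beneath an exclusion (notScopes)."""
    def under(scope):
        r, s = resource_id.lower(), scope.lower().rstrip("/")
        return r == s or r.startswith(s + "/")
    return under(assignment["scope"]) and not any(under(ns) for ns in assignment.get("notScopes", []))

# Constructed assignment at subscription scope that excludes one resource group.
ASSIGNMENT = {"scope": "/subscriptions/<SUB-ID>",
              "notScopes": ["/subscriptions/<SUB-ID>/resourceGroups/rg-sandbox"],
              "parameters": {"allowedVmSkus": {"value": ["Standard_D2s_v3", "Standard_D4s_v3"]}}}
```

Running `validate_assignment(INITIATIVE, ASSIGNMENT)` reports nothing missing, while an assignment that omits `allowedVmSkus` is flagged; `applies_to` returns False for anything under `rg-sandbox` and True for the rest of the subscription.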
Click Assign once you are ready to deploy the collection of policies in the initiative definition. The set of policies can take up to 30 minutes to deploy, so don’t expect instant results in any auditing or restrictions.