Azure Policy is designed to allow the expression, enforcement and remediation of compliance with organisational policies at scale, for example:
- Avoiding deployment of specific SKUs.
- Preventing deployment of resources outside of a specific region.
- Adding missing tags.
- Policies scoped at management group, subscription and resource group. They're expressed as JSON (Private).
- Rules consist of parameters, a condition and an effect.
- Effects define the action to be taken:
  - append: would add missing values for you (e.g. tags).
  - audit: logs a warning about the policy violation.
  - auditIfNotExists: deploys the resource and logs a warning about the policy violation if.
  - deny: prevents the ARM operation from taking place.
  - deployIfNotExists: remediates the problem.
- Definitions are often available as ready-made templates.
- Initiatives allow assigning policies to multiple scopes in bulk, avoiding unnecessary copying.
- Mode sets the targeted resources:
  - all: targets all resources.
  - indexed: targets only resources that support locations and tags.
Enforcement of policies is real-time and based on violations.
Where multiple policies exist that apply to a given scope, they'll be combined and the most restrictive rule will apply. It's generally good practice to place more restrictive rules further down in the hierarchy (closer to or on the resource group) to avoid unintended effects.
To test new rules, use the passive audit effect prior to deny!
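As an added illustration (not Azure's own engine or any code from the original notes), the following toy evaluator shows the rule shape described above, i.e. parameters, a condition and an effect, and how overlapping assignments resolve to the most restrictive effect. The two policies, the supported condition grammar (field/equals/in/notIn/allOf) and the sample resources are all constructed for this example.

```python
# Added example (not Azure's engine): a toy evaluator for the policy shape the
# notes describe. Constructed sample policies; supports only field/equals/in/
# notIn/allOf conditions and the audit/deny effects.
ALLOWED_LOCATIONS = {  # parameterised deny: block deployments outside the listed regions
    "parameters": {"listOfAllowed": {"type": "Array", "defaultValue": ["uksouth", "ukwest"]}},
    "policyRule": {"if": {"field": "location", "notIn": "[parameters('listOfAllowed')]"},
                   "then": {"effect": "deny"}},
}
NO_PREMIUM_SKU = {  # passive audit of a specific SKU, as recommended before switching to deny
    "parameters": {},
    "policyRule": {"if": {"allOf": [{"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
                                    {"field": "sku.name", "equals": "Premium_LRS"}]},
                   "then": {"effect": "audit"}},
}
SEVERITY = {"compliant": 0, "audit": 1, "deny": 2}  # ordering used when assignments overlap

def resolve(value, params):
    # Expand a "[parameters('x')]" reference to that parameter's default value.
    if isinstance(value, str) and value.startswith("[parameters('"):
        return params[value[len("[parameters('"):-len("')]")]]["defaultValue"]
    return value

def field(resource, path):
    # Dotted lookup such as sku.name; a missing field resolves to None.
    for part in path.split("."):
        resource = resource.get(part) if isinstance(resource, dict) else None
    return resource

def matches(cond, resource, params):
    # True when the condition matches the resource (a subset of Azure's grammar).
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    actual = field(resource, cond["field"])
    if "equals" in cond:
        return actual == resolve(cond["equals"], params)
    if "in" in cond:
        return actual in resolve(cond["in"], params)
    if "notIn" in cond:
        return actual not in resolve(cond["notIn"], params)
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(policy, resource):
    # Effect a single policy yields for a resource: its effect, or "compliant".
    rule = policy["policyRule"]
    hit = matches(rule["if"], resource, policy["parameters"])
    return rule["then"]["effect"] if hit else "compliant"

def combined_effect(assigned_policies, resource):
    # Several assignments in scope are combined and the most restrictive wins.
    return max((evaluate(p, resource) for p in assigned_policies), key=SEVERITY.get)
```

A premium storage account in westeurope is denied by the location policy even though the SKU policy only audits; the same account in ukwest is merely audited.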
Compliance can be viewed overall and per-initiative. Percentages and event counts over the last week are visible, helping to contextualise any violations. Compliance data is generally updated within 15 minutes of a change being made.
Security Center can visualise regulatory compliance with standards such as PCI DSS.
Policies can be deployed as part of Blueprints, allowing for standardisation and centralised management of security critical resources and preventing changes by other users.
Policy as code
Policies can be managed and deployed as code, reducing the risk of inconsistencies between environments, particularly where management is decentralised.