You can create your own policy definitions when the built-in Azure Policy definitions don't meet your needs.
Tutorial: Create and manage policies to enforce compliance
Understanding how to create and manage policies in Azure is important for staying compliant with your corporate standards and service-level agreements. In this tutorial, you learn to use Azure Policy to do some of the more common tasks related to creating, assigning, and managing policies across your organization, such as:
If you would like to assign a policy to identify the current compliance state of your existing resources, the quickstart articles go over how to do so.

Prerequisites

If you don't have an Azure subscription, create a free account before you begin.

Assign a policy

The first step in enforcing compliance with Azure Policy is to assign a policy definition. A policy definition defines under what condition a policy is enforced and what effect to take. In this example, assign the built-in policy definition called Inherit a tag from the resource group if missing to add the specified tag, with its value from the parent resource group, to new or updated resources that are missing the tag.
Implement a new custom policy

Now that you've assigned a built-in policy definition, you can do more with Azure Policy. Next, create a new custom policy to save costs by validating that virtual machines created in your environment can't be in the G series. This way, every time a user in your organization tries to create a virtual machine in the G series, the request is denied.
Create a policy definition with REST API

You can create a policy with the REST API for Azure Policy Definitions. The REST API enables you to create and delete policy definitions, and get information about existing definitions. To create a policy definition, use the following example:
Include a request body similar to the following example:
Create a policy definition with PowerShell

Before proceeding with the PowerShell example, make sure you've installed the latest version of the Azure PowerShell Az module. You can create a policy definition with the Az module's policy definition cmdlet. To create a policy definition from a file, pass the path to the file. For an external file, use the following example:

For a local file, use the following example:

To create a policy definition with an inline rule, use the following example:
The output is stored in a
View policy definitions with PowerShell

To see all policy definitions in your subscription, use the following command:
It returns all available policy definitions, including built-in policies. Each policy is returned in the following format:
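The following is an added example written for this page, not code from the tutorial itself. It creates the G-series deny definition described above with the Az PowerShell module, once from an inline rule and once from a local file, and then lists the custom definitions in the subscription. It assumes Az.Resources is installed, Connect-AzAccount has been run against the target subscription, and the caller may write policy definitions there; the names denyGSeriesVm, denyGSeriesVmFromFile, the file path and the Get-PolicyProperties helper are placeholders chosen for the example.

```powershell
# Added example, not the tutorial's own code. Creates the "deny G-series VMs"
# definition with the Az PowerShell module, once inline and once from a local
# file, then lists the custom definitions in the subscription.
# Assumptions: Az.Resources is installed, Connect-AzAccount has been run against
# the target subscription, and the caller may write policy definitions there.
# 'denyGSeriesVm', 'denyGSeriesVmFromFile' and the file path are placeholders.

# The rule: 'type' limits evaluation to VMs, and the alias
# Microsoft.Compute/virtualMachines/sku.name is matched with a 'like' condition.
# Azure Policy 'like' supports a single '*' wildcard, so Standard_G* covers the
# whole G series (Standard_G1 ... Standard_GS5).
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
      { "field": "Microsoft.Compute/virtualMachines/sku.name", "like": "Standard_G*" }
    ]
  },
  "then": { "effect": "deny" }
}
'@

# Inline rule. Mode is set explicitly because the default differs between
# Azure PowerShell ('All') and Azure CLI ('Indexed').
$definition = New-AzPolicyDefinition -Name 'denyGSeriesVm' `
    -DisplayName 'Deny G-series virtual machines' `
    -Description 'Denies creation or update of VMs whose SKU name starts with Standard_G.' `
    -Policy $rule `
    -Mode 'All'

# Same rule from a file: -Policy also accepts a local path or an https URI.
$policyFile = Join-Path -Path $PWD -ChildPath 'deny-gseries.json'
Set-Content -Path $policyFile -Value $rule -Encoding utf8
$definitionFromFile = New-AzPolicyDefinition -Name 'denyGSeriesVmFromFile' `
    -DisplayName 'Deny G-series virtual machines (from file)' `
    -Policy $policyFile `
    -Mode 'All'

# Az.Resources 6.x and earlier return a definition's properties nested under
# .Properties; 7.x and later flatten them onto the object. This helper (an
# addition for this example) reads either shape so the listing works on both.
function Get-PolicyProperties {
    param([Parameter(Mandatory)] $Definition)
    if ($Definition.PSObject.Properties['Properties']) { $Definition.Properties } else { $Definition }
}

# Read back what the service stored and confirm the effect is still 'deny'.
$stored = Get-PolicyProperties (Get-AzPolicyDefinition -Name 'denyGSeriesVm')
$stored.PolicyRule | ConvertTo-Json -Depth 10

# List custom definitions only; -Custom excludes the built-ins.
Get-AzPolicyDefinition -Custom | ForEach-Object {
    $p = Get-PolicyProperties $_
    [pscustomobject]@{
        Name        = $_.Name
        DisplayName = $p.DisplayName
        Mode        = $p.Mode
        PolicyType  = $p.PolicyType
    }
} | Format-Table -AutoSize
```

Creating a definition does not enforce anything by itself: until the definition is assigned to a scope, no request is evaluated against it. Reading the rule back after creation is a cheap check that the JSON you submitted (in particular the effect) is what the service stored.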
Create a policy definition with Azure CLI

You can create a policy definition using the Azure CLI policy definition commands.
View policy definitions with Azure CLI

To see all policy definitions in your subscription, use the following command:
It returns all available policy definitions, including built-in policies. Each policy is returned in the following format:
Create and assign an initiative definition

With an initiative definition, you can group several policy definitions to achieve one overarching goal. An initiative evaluates resources within the scope of the assignment for compliance with the included policies. For more information about initiative definitions, see Azure Policy overview.

Create an initiative definition
Create a policy initiative definition with Azure CLI

You can create a policy initiative definition using the Azure CLI policy set-definition commands.

Create a policy initiative definition with Azure PowerShell

You can create a policy initiative definition using the Az PowerShell module's policy set definition cmdlet.
Assign an initiative definition
Check initial compliance
Remove a non-compliant or denied resource from the scope with an exclusion

After assigning a policy initiative to require a specific location, any resource created in a different location is denied. In this section, you walk through resolving a denied request to create a resource by creating an exclusion on a single resource group. The exclusion prevents enforcement of the policy (or initiative) on that resource group; in the following example, any location is allowed in the excluded resource group. An exclusion can apply to a subscription, a resource group, or an individual resource. Resources in an excluded scope are not evaluated at all, so they also drop out of the compliance results; keep an exclusion as narrow as the exception requires.

Deployments prevented by an assigned policy or initiative can be viewed on the resource group targeted by the deployment:

1. Select Deployments on the left side of the page, then select the Deployment Name of the failed deployment. The resource that was denied is listed with a status of Forbidden.
2. To determine the policy or initiative and assignment that denied the resource, select "Failed. Click here for details ->" on the Deployment Overview page. A window opens on the right side of the page with the error information. Under Error Details are the GUIDs of the related policy objects.

On the Azure Policy page:

1. Select Compliance on the left side of the page and select the Get Secure policy initiative. On this page, the Deny count has increased for the blocked resources.
2. Under the Events tab are details about who tried to create or deploy the resource that was denied by the policy definition.

In this example, Trent Baker, one of Contoso's Sr. Virtualization specialists, was doing required work. We need to grant Trent a space for an exception. Create a new resource group, LocationsExcluded, and then grant it an exception to this policy assignment.

Update assignment with exclusion
In this section, you resolved the denied request by creating an exclusion on a single resource group.

Clean up resources

If you're done working with resources from this tutorial, use the following steps to delete any of the policy assignments or definitions created above:
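The following is an added example written for this page, not code from the tutorial itself. It carries the initiative, assignment, compliance check, exclusion and clean-up steps above through end to end with the Az PowerShell module: it builds the Get Secure initiative from the built-in Allowed locations definition plus the custom G-series deny, assigns it at subscription scope, reads the initial compliance state, excludes the LocationsExcluded resource group with a notScope, and removes everything in dependency order. It assumes Az.Resources and Az.PolicyInsights are installed, Connect-AzAccount has been run, a custom definition named denyGSeriesVm already exists in the subscription, and the caller may write policy assignments at subscription scope; the names GetSecure and LocationsExcluded, the region list, and the Get-PolicyProperties helper are placeholders chosen for the example.

```powershell
# Added example, not the tutorial's own code. Builds the "Get Secure" initiative
# from the built-in Allowed locations definition plus the custom G-series deny,
# assigns it at subscription scope, checks compliance, excludes one resource
# group with a notScope, and cleans up in dependency order.
# Assumptions: Az.Resources and Az.PolicyInsights are installed, Connect-AzAccount
# has been run, a custom definition named 'denyGSeriesVm' already exists, and the
# caller may write policy assignments at subscription scope. 'GetSecure',
# 'LocationsExcluded' and the region list are placeholders.

$subscriptionId = (Get-AzContext).Subscription.Id
$scope = "/subscriptions/$subscriptionId"

# Handles both the nested (.Properties) and the flattened shape of policy objects
# returned by different Az.Resources versions (helper added for this example).
function Get-PolicyProperties {
    param([Parameter(Mandatory)] $Definition)
    if ($Definition.PSObject.Properties['Properties']) { $Definition.Properties } else { $Definition }
}

# Resolve the built-in by display name instead of hard-coding its GUID. Built-ins
# live under /providers/Microsoft.Authorization/policyDefinitions/<guid>; the
# resource ID property is PolicyDefinitionId on older objects, Id on flattened ones.
$allowedLocations = Get-AzPolicyDefinition -Builtin |
    Where-Object { (Get-PolicyProperties $_).DisplayName -eq 'Allowed locations' } |
    Select-Object -First 1
if (-not $allowedLocations) { throw "Built-in 'Allowed locations' definition not found." }
$allowedLocationsId = if ($allowedLocations.PSObject.Properties['PolicyDefinitionId']) {
    $allowedLocations.PolicyDefinitionId
} else {
    $allowedLocations.Id
}
$denyGSeriesId = "$scope/providers/Microsoft.Authorization/policyDefinitions/denyGSeriesVm"

# Initiative members. Parameters are supplied per member, using the built-in's own
# parameter name (listOfAllowedLocations).
$members = @(
    @{
        policyDefinitionId = $allowedLocationsId
        parameters         = @{ listOfAllowedLocations = @{ value = @('eastus', 'westus') } }
    },
    @{ policyDefinitionId = $denyGSeriesId }
)
$membersJson = ConvertTo-Json -InputObject $members -Depth 10

$initiative = New-AzPolicySetDefinition -Name 'GetSecure' -DisplayName 'Get Secure' `
    -Description 'Allowed locations plus the custom G-series VM deny.' `
    -PolicyDefinition $membersJson

# Assign at subscription scope. Deny applies to new and updated resources from
# this point on; existing resources are only reported as non-compliant.
$assignment = New-AzPolicyAssignment -Name 'GetSecure' -DisplayName 'Get Secure' `
    -Scope $scope -PolicySetDefinition $initiative

# Initial compliance: trigger an on-demand scan (can take several minutes) so
# the summary reflects the new assignment rather than the last scheduled run.
Start-AzPolicyComplianceScan
Get-AzPolicyStateSummary -SubscriptionId $subscriptionId -PolicyAssignmentName 'GetSecure' |
    Select-Object -ExpandProperty Results
Get-AzPolicyState -SubscriptionId $subscriptionId -PolicyAssignmentName 'GetSecure' `
    -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, PolicyDefinitionName, ComplianceState

# Exclusion: resources under a notScope are not evaluated at all, so they also
# disappear from the compliance results. -NotScope replaces the assignment's
# whole notScopes list, so pass every exclusion you intend to keep.
$rg = New-AzResourceGroup -Name 'LocationsExcluded' -Location 'eastus'
Set-AzPolicyAssignment -Name 'GetSecure' -Scope $scope -NotScope @($rg.ResourceId)

# Clean-up in dependency order: an initiative cannot be deleted while it is
# assigned, and a definition cannot be deleted while an initiative references it.
Remove-AzPolicyAssignment -Name 'GetSecure' -Scope $scope
Remove-AzPolicySetDefinition -Name 'GetSecure' -Force
Remove-AzPolicyDefinition -Name 'denyGSeriesVm' -Force
Remove-AzResourceGroup -Name 'LocationsExcluded' -Force
```

The assignment, not the definition, is what enforces the rule, so the deny stays in effect until Remove-AzPolicyAssignment runs. Because an excluded scope is skipped entirely, a notScope on a resource group also hides that group's resources from the compliance view; prefer a resource-level exclusion when the exception concerns a single resource.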
Review

In this tutorial, you successfully accomplished the following tasks:
Next steps

To learn more about the structure of policy definitions, look at this article:

How do I create my own Azure policy?

The approach to creating a custom policy follows these steps:

1. Identify your business requirements.
2. Map each requirement to an Azure resource property.
3. Map the property to an alias.
4. Determine which effect to use.
5. Compose the policy definition.

Can Azure create a custom policy?

Click on + Policy definition. Choose the definition location (your subscription or management group), then enter the definition name, description, and policy rule, and click Save. After saving, go to the Definitions section again and filter the policies by selecting Custom from the Type dropdown.
Which Azure Policy action deploys Microsoft Antimalware on virtual machines where it isn't currently installed?

The deployIfNotExists effect. When the policy's existence condition finds no Antimalware extension on a VM, Azure Policy runs the template deployment defined in the policy to install it; for resources that already exist, that deployment is triggered through a remediation task. Independently of Azure Policy, an Azure application or service can also enable and configure Microsoft Antimalware for Azure Virtual Machines using PowerShell cmdlets.
Which Azure service can require multi-factor authentication for administrators but not for regular users?

Conditional Access. Enabling Azure AD Multi-Factor Authentication through Conditional Access policies is the recommended approach to protect users. Conditional Access is an Azure AD Premium P1 or P2 feature that lets you apply rules to require MFA only in the scenarios you choose, such as for accounts holding administrator roles.