How to deploy Microsoft Azure Policy

Azure Policy Overview

Azure Policy is a service that lets IT and governance teams ensure that all cloud resources comply with corporate standards and organizational policies, by creating and assigning policies that control and audit those resources.
The Azure Policy compliance dashboard gives an overview of the whole cloud environment in one central location, from which you can drill down into the deployed resources; this makes it easy to manage, control and audit them, and to fix or remediate non-compliant resources or configurations where any are found.

Azure policies apply different rules to the configuration of cloud resources in order to:
  • Control and audit resources to ensure SLAs are met.
  • Control cost by auditing and reviewing each resource's usage level, which also supports future decisions to add or remove resources, or to increase or decrease an existing resource's capacity, so that customer service runs smoothly.
  • Ensure that all resources are compliant and secure, and not exposed to cyber-attacks, in line with company policy.
  • Fix issues or misconfigurations, where any exist, within a limited time.
  • Automate processes by removing manual approvals for resource deployment or change.

Azure Policy assignment scope levels

Azure policies are assigned in a downward hierarchy over the scope levels listed below. For example, company-wide policies can be applied at the top-level (root) management group or at subscription level, while other policies are applied to a resource group or to an individual resource, depending on that resource's workload and usage level.
All of this depends on how each organization structures its management groups and subscriptions. For example, a company that mirrors its departmental structure creates a separate management group and subscription for each department; in that case policies are applied at each department's management group and/or subscription scope.

  • Management Groups
  • Subscriptions
  • Resource Groups
  • Resources
  • Exclusions

Azure Policy Effects

  • Append (adds additional fields or values to new or existing resources)
  • Audit (writes to the logs when a non-compliant resource is detected)
  • AuditIfNotExists (writes to the logs if a related resource does not exist)
  • DeployIfNotExists (deploys a related resource if it does not exist)
  • Deny (restricts or prevents resource creation or changes)

Azure Policy Objects

Azure Policy Definition

A policy definition is a single Azure policy that applies to a resource or to one of the scope levels mentioned above.
Example: a policy to restrict or prevent resource creation in specific locations or regions.

Initiative Definition

An initiative definition is a group of two or more Azure policies that are assigned together at a scope level or to Azure resources.
Example: [Preview]: Configure prerequisites to enable Guest Attestation on Trusted Launch enabled VMs

Note: At the time of writing this blog, 48 initiative definitions and 980 policy definitions are available in Microsoft Azure.

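To make the "allowed locations" policy definition and the effects list concrete, here is an added example (not code from the original post or from Microsoft). It writes a custom policy definition in the Azure Policy definition schema, then evaluates constructed sample resources against it with a small interpreter that understands the condition operators the rule uses; the parameter names, display text and sample resources are this example's own choices.

```python
import re

# Constructed custom policy definition in Azure Policy's definition schema. It
# mirrors the post's "restrict resource creation in specific locations" example:
# match any resource whose location is outside an allowed list (global resources
# such as DNS zones are skipped) and apply the effect chosen at assignment time.
# The parameter names and display text are this example's own.
ALLOWED_LOCATIONS_DEFINITION = {
    "properties": {
        "displayName": "Allowed locations (example)",
        "policyType": "Custom",
        "mode": "Indexed",
        "parameters": {
            "listOfAllowedLocations": {"type": "Array",
                                       "metadata": {"displayName": "Allowed locations",
                                                    "strongType": "location"}},
            "effect": {"type": "String", "allowedValues": ["Audit", "Deny", "Disabled"],
                       "defaultValue": "Deny"},
        },
        "policyRule": {
            "if": {"allOf": [
                {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
                {"field": "location", "notEquals": "global"},
            ]},
            "then": {"effect": "[parameters('effect')]"},
        },
    }
}

# Constructed sample resources, as the evaluator would see them.
RESOURCES = [
    {"name": "vm-prod-01", "type": "Microsoft.Compute/virtualMachines", "location": "westeurope"},
    {"name": "stg-dev-02", "type": "Microsoft.Storage/storageAccounts", "location": "eastus"},
    {"name": "dns-zone", "type": "Microsoft.Network/dnsZones", "location": "global"},
]

PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def resolve(value, params):
    """Replace an ARM-style [parameters('name')] reference with the assigned value."""
    if isinstance(value, str):
        match = PARAM_REF.match(value)
        if match:
            return params[match.group(1)]
    return value


def _norm(value):
    """Azure Policy string comparisons are case-insensitive; normalise both sides."""
    if isinstance(value, str):
        return value.lower()
    if isinstance(value, list):
        return [_norm(v) for v in value]
    return value


def condition_holds(cond, resource, params):
    """Evaluate the subset of policy conditions this example needs."""
    if "allOf" in cond:
        return all(condition_holds(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_holds(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_holds(cond["not"], resource, params)
    actual = _norm(resource.get(cond["field"]))
    for op in ("equals", "notEquals", "in", "notIn"):
        if op in cond:
            expected = _norm(resolve(cond[op], params))
            break
    else:
        raise ValueError(f"unsupported condition: {cond}")
    if op == "equals":
        return actual == expected
    if op == "notEquals":
        return actual != expected
    if op == "in":
        return actual in expected
    return actual not in expected


def evaluate(definition, params, resource):
    """Return Compliant, NonCompliant (Audit effect) or Denied (Deny effect)."""
    rule = definition["properties"]["policyRule"]
    if not condition_holds(rule["if"], resource, params):
        return "Compliant"
    effect = resolve(rule["then"]["effect"], params)
    return {"Audit": "NonCompliant", "Deny": "Denied", "Disabled": "Compliant"}[effect]


def run_policy(definition, params, resources):
    """Evaluate every resource; returns {resource name: outcome}."""
    return {r["name"]: evaluate(definition, params, r) for r in resources}


if __name__ == "__main__":
    assigned = {"listOfAllowedLocations": ["westeurope", "northeurope"], "effect": "Deny"}
    for name, outcome in run_policy(ALLOWED_LOCATIONS_DEFINITION, assigned, RESOURCES).items():
        print(f"{name:12} {outcome}")
```

With the effect parameter set to Deny, the storage account in eastus is blocked at creation time; switching the same assignment to Audit lets it through but marks it non-compliant, which is the practical difference between the two effects when you roll a new policy out.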

Azure Policy deployment

Single Azure policy definition assignment

Step 01: Log in to the Azure Portal (https://portal.azure.com/#home) and search for Policies in the search bar.


Step 02: Click on "Compliance" and then click on "Assign policy".

Step 03: Click on the policy definition picker shown under Basics > "Policy definition".

Step 04: Select the required policy definition from the available list of 980 policy definitions.

Step 05: Enter an assignment name, description and enforcement type as required, then click Next to configure the policy parameters.

Step 06: Configure the policy parameters. Which parameters are available depends on the policy definition; if the definition has no parameter values to configure, move on to the next step, otherwise set the parameters first, as shown in the sample screenshot on the right.


Step 07: Configure the remediation settings for the policy.

Option 1: If the resources are to be remediated automatically by a system-assigned or user-assigned identity, select "Create a managed identity" and then choose either "System assigned managed identity" or "User assigned managed identity"; the policy will use the chosen identity to automatically remediate the relevant resources so that they reach the required compliance status.

A. If "System assigned managed identity" is selected, the location of the system-assigned identity must also be selected.
B. If "User assigned managed identity" is selected, the scope level must be selected (Management group > Subscription > Resource group) and an existing user-assigned identity chosen.
Option 2: If automatic remediation is not required, uncheck the "Create a managed identity" option and leave it blank.

Step 08: Enter a non-compliance message as required, as shown in the screenshot below.

Step 09: Review the policy definition settings and click "Create" to assign the policy definition.

Policy definition view after assignment.
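The same assignment can be created outside the portal. As an added example (not the post's own code), the function below takes the inputs the portal asks for in Steps 05 to 08 (name, description, enforcement mode, parameters, managed identity, non-compliance message, exclusions) and produces the request body that Azure Resource Manager accepts for a policy assignment at a chosen scope. It also enforces the rules from Step 07: automatic remediation needs a managed identity, a system-assigned identity needs a location, and a user-assigned identity needs the ID of an existing identity. The policy definition ID and identity resource ID in the usage are placeholders.

```python
# Builds the request body for creating a policy assignment with the same inputs
# the portal asks for in Steps 05-08 (added example; not the post's own code).
# The body shape is the one accepted by
#   PUT {scope}/providers/Microsoft.Authorization/policyAssignments/{name}
# on Azure Resource Manager; the definition ID used in the usage is a placeholder.

def build_assignment(name, display_name, description, policy_definition_id,
                     parameters=None, enforcement_mode="Default",
                     non_compliance_message=None, not_scopes=(),
                     remediation=False, identity=None, location=None,
                     user_assigned_identity_id=None):
    """Return (assignment_name, request_body) ready to PUT at the chosen scope.

    enforcement_mode: "Default" (portal: Enabled) or "DoNotEnforce" (Disabled).
    remediation:      True when the policy should fix resources itself (Step 07,
                      Option 1); this requires a managed identity.
    identity:         None, "SystemAssigned" or "UserAssigned".
    """
    if enforcement_mode not in ("Default", "DoNotEnforce"):
        raise ValueError("enforcement_mode must be Default or DoNotEnforce")
    if remediation and identity is None:
        raise ValueError("automatic remediation needs a managed identity (Step 07)")

    props = {
        "displayName": display_name,
        "description": description,
        "policyDefinitionId": policy_definition_id,
        "enforcementMode": enforcement_mode,
        # Parameters are wrapped as {"name": {"value": ...}} on the wire.
        "parameters": {k: {"value": v} for k, v in (parameters or {}).items()},
        "notScopes": list(not_scopes),          # the "Exclusions" scope level
    }
    if non_compliance_message:
        props["nonComplianceMessages"] = [{"message": non_compliance_message}]

    body = {"properties": props}
    if identity == "SystemAssigned":
        # Step 07 A: a system-assigned identity needs a location for the assignment.
        if not location:
            raise ValueError("system-assigned identity requires a location")
        body["identity"] = {"type": "SystemAssigned"}
        body["location"] = location
    elif identity == "UserAssigned":
        # Step 07 B: point at an existing user-assigned identity by resource ID.
        if not user_assigned_identity_id:
            raise ValueError("user-assigned identity requires its resource ID")
        body["identity"] = {"type": "UserAssigned",
                            "userAssignedIdentities": {user_assigned_identity_id: {}}}
    elif identity is not None:
        raise ValueError(f"unknown identity type: {identity}")
    return name, body


if __name__ == "__main__":
    import json
    _, body = build_assignment(
        name="allowed-locations-prod",
        display_name="Allowed locations - production",
        description="Resources may only be created in the EU regions.",
        # placeholder: substitute the real definition ID from the policy picker
        policy_definition_id="/providers/Microsoft.Authorization/policyDefinitions/<definition-id>",
        parameters={"listOfAllowedLocations": ["westeurope", "northeurope"]},
        non_compliance_message="Create this resource in West Europe or North Europe.",
        remediation=True, identity="SystemAssigned", location="westeurope",
    )
    print(json.dumps(body, indent=2))
```

Keeping the assignment as a reviewable body like this (rather than clicking through the portal each time) lets the enforcement mode, the identity and the exclusion list be checked in code review before anything is applied to a production scope.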
