Azure Policy: How to Create and Remediate Compliance

Adam Bertram

A common theme in cloud environments today is the ability to define templates, policies, and procedures. These templates then dictate what can be done and verify that what does exist is correct. A service from Microsoft called Azure Policy is a great way to make that happen.

In this article, you will learn how Azure Policy works and then see how to create various policies and remediate actions.

Creating an Azure Policy

There are many ways to create policies, such as via the Azure Portal, PowerShell, the Azure CLI and ARM templates.

Azure Portal

If you prefer the GUI route or are exploring your options, starting here is a good introduction into policies. The interface is simple and allows you to see what your options are at a glance.

  1. Within the Azure Portal, search for Policy.
  2. Click on Assignments under the Authoring section
  3. Click on Assign policy
  4. Click on the ellipsis under Scope to select the subscription to apply to and optionally the resource group
  5. Click on the ellipsis under Policy definition to select the policy to define
  6. Either use the default generated name under Assignment name or enter one to uniquely identify your policy
  7. Fill out any parameters as necessary based on the policy chosen
  8. Finally create a managed identity and define its location if necessary

Creating a Policy

PowerShell

Thankfully PowerShell makes it quick and easy to assign an Azure policy definition through a policy assignment. There are two prerequisites: the latest version of Azure PowerShell must be installed, and the Azure Policy Insights resource provider must be registered.

PS51> Register-AzResourceProvider -ProviderNamespace 'Microsoft.PolicyInsights'

Assign the Policy

PS51> $resourceGroup = Get-AzResourceGroup -Name '<resourceGroupName>'

PS51> $definition = Get-AzPolicyDefinition | Where-Object { $_.Properties.DisplayName -eq '<policyName>' }

PS51> New-AzPolicyAssignment -Name '<assignment-name>' -DisplayName '<friendlyName>' -Scope $resourceGroup.ResourceId -PolicyDefinition $definition -listOfResourceTypesAllowed '<parameterValues>'

Azure CLI

If PowerShell isn’t available or not preferred, then using the Azure CLI also allows you to accomplish much of the same. This can also be helpful in cross-platform scenarios if you are unable to use PowerShell on all operating systems.

> az policy assignment create --name '<policyName>' --display-name '<friendlyName>' --scope '<scope>' --policy '<policyDefinitionID>'

Azure Policy Templates

Azure Resource Manager templates are yet another way to create and assign policies to resources. Below is a starter template that you can use to choose a policy to assign to a resource group as an example.

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "policyAssignmentName": {
      "type": "string",
      "metadata": {
        "description": "Specifies the name of the policy assignment."
      }
    },
    "rgName":{
      "type": "string",
      "defaultValue": "[resourceGroup().name]",
      "metadata": {
        "description": "Specifies the name of the resource group where you want to assign the policy."
      }
    },
    "policyDefinitionID": {
      "type": "string",
      "metadata": {
        "description": "Specifies the ID of the policy definition or policy set definition being assigned."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/policyAssignments",
      "name": "[parameters('policyAssignmentName')]",
      "apiVersion": "2018-05-01",
      "properties": {
        "scope": "[concat(subscription().id, '/resourceGroups/', parameters('rgName'))]",
        "policyDefinitionId": "[parameters('policyDefinitionID')]"
      }
    }
  ]
}

How Azure Policy Assignment Works

After choosing or creating the policy definitions that you want to apply, assign those definitions to a specific scope. The scope simply defines what the policy assignment is going to apply to, such as a management group or a resource group. Note that policy assignments are inherited by all child resources, but you do have the ability to exclude a sub-scope if required.

Example Azure Policies

There are a lot of policy definitions out there and it can be hard to decide what is best to apply. So what are some of the options, when might you use them and why?

  • Require Tag and its Value – This can be used in any number of ways, but one possibility is for cost codes, or for identifying a number of different resources spread across multiple resource groups.
  • Allowed Resource Types – What if you only want to allow specific resources? This can enforce that, for example by allowing only storage resources to be created.
  • Audit Windows VMs with a Pending Reboot – Perhaps you want to know which Windows VMs have a pending reboot, to make sure those don’t get left behind? Use this policy to find and possibly remediate those on a schedule.
  • Audit Diagnostic Setting – If diagnostic settings are not enabled, this policy will find the resources that are non-compliant.
  • Management Ports Should be Closed on your Virtual Machines – Verify that the management ports on your VMs are closed, a great policy for the security-minded.
  • Deprecated Accounts Should be Removed from your Subscription – For all accounts that have been blocked from sign-in within a directory, find those to potentially remediate as necessary.

Although there are many built-in definitions, with more being created every day, you also have the very powerful ability to create your own custom policy definitions. Using a simple query definition schema you can create powerful if-then constructions to define what you want to apply policies to.

How to Make Azure Policies more Reusable

Parameters

One of the most useful tools is defining parameters for use in your policies. If you had to define a unique policy for each and every variation, you could end up with hundreds. The solution is to parameterize a policy. With this you can customize the policy at the time of assignment and make one policy definition apply to many different use cases.
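As an added example (not code from the original post) that ties the custom if-then definition schema above to parameters, the following builds one parameterized tag-requirement definition and assigns it twice with different values. It assumes you are signed in with Az.Resources and Az.PolicyInsights loaded, and that the resource groups 'rg-dev' and 'rg-prod' exist (placeholder names).

```powershell
# Added example, not from the original post. Assumes an Az session and the
# placeholder resource groups 'rg-dev' and 'rg-prod'.

# The policy rule: the tag named <tagName> must carry the value <tagValue>.
# "[concat('tags[', parameters('tagName'), ']')]" is an Azure Policy template
# expression evaluated by the policy engine, not by PowerShell (literal here-string).
$rule = @'
{
  "if": {
    "field": "[concat('tags[', parameters('tagName'), ']')]",
    "notEquals": "[parameters('tagValue')]"
  },
  "then": { "effect": "[parameters('effect')]" }
}
'@

# Parameters are declared once on the definition and supplied per assignment.
$parameters = @'
{
  "tagName":  { "type": "String", "metadata": { "displayName": "Tag name" } },
  "tagValue": { "type": "String", "metadata": { "displayName": "Required tag value" } },
  "effect":   { "type": "String", "allowedValues": [ "Audit", "Deny" ], "defaultValue": "Audit" }
}
'@

# Mode 'Indexed' limits evaluation to resource types that support tags and location.
$definition = New-AzPolicyDefinition -Name 'require-tag-value' `
    -DisplayName 'Require a tag and its value (parameterized)' `
    -Mode Indexed -Policy $rule -Parameter $parameters

# One definition, two assignments: report-only in dev, hard deny in prod.
$dev  = Get-AzResourceGroup -Name 'rg-dev'
$prod = Get-AzResourceGroup -Name 'rg-prod'

New-AzPolicyAssignment -Name 'costcode-audit-dev' -Scope $dev.ResourceId `
    -PolicyDefinition $definition `
    -PolicyParameterObject @{ tagName = 'costCode'; tagValue = 'CC-1234'; effect = 'Audit' }

New-AzPolicyAssignment -Name 'costcode-deny-prod' -Scope $prod.ResourceId `
    -PolicyDefinition $definition `
    -PolicyParameterObject @{ tagName = 'costCode'; tagValue = 'CC-1234'; effect = 'Deny' }

# List what the audit assignment flagged (results appear after the next evaluation cycle).
Get-AzPolicyState -ResourceGroupName $dev.ResourceGroupName `
    -PolicyAssignmentName 'costcode-audit-dev' `
    -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, ComplianceState
```

Start new policies in Audit, review the non-compliant list, and only then switch the parameter to Deny; the same definition serves both stages.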

Initiatives

The next logical step is to collect multiple definitions together in a set. This allows you to assign all those different definitions to a scope without having to individually assign each one over and over.

Initiative Parameters

Finally, you can add parameters to initiatives that can be inherited down to the individual policies. This means that you don’t have to individually assign parameters for each policy contained within an initiative. This can save a ton of time as you can define only a few initiatives that apply many different policies in several different ways depending on the parameters chosen.
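As an added example (not from the original post) of initiatives and initiative parameters, the following groups the custom 'require-tag-value' definition from the Parameters section with the built-in 'Allowed resource types' definition (whose parameter, listOfResourceTypesAllowed, appears in the PowerShell section above) and passes three initiative-level parameters down to them. It assumes both definitions exist and that 'rg-prod' is a placeholder resource group.

```powershell
# Added example, not from the original post. Assumes the custom definition
# 'require-tag-value' exists and 'rg-prod' is a placeholder resource group.

$tagPolicy     = Get-AzPolicyDefinition -Name 'require-tag-value'
$allowedPolicy = Get-AzPolicyDefinition -Builtin |
    Where-Object { $_.Properties.DisplayName -eq 'Allowed resource types' }

# Each member names the definition it wraps and how that definition's own
# parameters are filled. "[parameters('x')]" refers to the initiative's parameters.
$members = @"
[
  {
    "policyDefinitionId": "$($tagPolicy.ResourceId)",
    "parameters": {
      "tagName":  { "value": "[parameters('tagName')]" },
      "tagValue": { "value": "[parameters('tagValue')]" },
      "effect":   { "value": "Deny" }
    }
  },
  {
    "policyDefinitionId": "$($allowedPolicy.ResourceId)",
    "parameters": {
      "listOfResourceTypesAllowed": { "value": "[parameters('allowedResourceTypes')]" }
    }
  }
]
"@

# Initiative-level parameters, declared once and inherited by the members above.
$initParams = @'
{
  "tagName":  { "type": "String" },
  "tagValue": { "type": "String" },
  "allowedResourceTypes": { "type": "Array", "metadata": { "displayName": "Allowed resource types" } }
}
'@

$initiative = New-AzPolicySetDefinition -Name 'baseline-rg-initiative' `
    -DisplayName 'Resource group baseline (required tag + allowed types)' `
    -PolicyDefinition $members -Parameter $initParams

# A single assignment supplies every parameter for all member policies at once.
$rg = Get-AzResourceGroup -Name 'rg-prod'
New-AzPolicyAssignment -Name 'baseline-prod' -Scope $rg.ResourceId `
    -PolicySetDefinition $initiative `
    -PolicyParameterObject @{
        tagName              = 'costCode'
        tagValue             = 'CC-1234'
        allowedResourceTypes = @('Microsoft.Storage/storageAccounts', 'Microsoft.KeyVault/vaults')
    }
```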

Remediation Tasks

So what do you do when a policy evaluates and finds resources out of compliance? At that point, you can launch a remediation task to fix whatever the issue might be. This can be quite powerful but also quite dangerous if set up incorrectly. Once again there are several ways to define these tasks: through the Azure Portal, PowerShell or the Azure CLI.

Azure Portal

As before, you can use the Azure Portal to explore the creation of a remediation task. If you find that no policies are listed, make sure you have deployIfNotExists policies assigned and that they have already evaluated resources as non-compliant; otherwise nothing will show.

  1. Within the Azure Portal, search for Policy
  2. Click on Remediation on the left-hand side
  3. Click on a policy that is of the type of deployIfNotExists and has non-compliant resources
  4. Filter the resources to be remediated on the New remediation task page to limit what the task applies to
  5. Click on Remediate to start the task itself

PowerShell

It is quite simple to create a remediation task via PowerShell. The main thing to remember is that you must be using a deployIfNotExists policy.

PS51> Start-AzPolicyRemediation -Name 'remediationTask' -PolicyAssignmentId '/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/policyAssignments/{assignmentID}'
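As an added example (not from the original post), the following shows the whole PowerShell flow around that command: assigning a deployIfNotExists definition with the managed identity mentioned in the Portal steps, granting that identity the roles the definition asks for, starting the remediation and polling until it finishes. It assumes Az.Resources 6.x or earlier (where -AssignIdentity exists) plus Az.PolicyInsights; '<deployIfNotExists display name>' and 'rg-prod' are placeholders.

```powershell
# Added example, not from the original post. Placeholders: the built-in
# deployIfNotExists definition's display name and the resource group 'rg-prod'.

$rg = Get-AzResourceGroup -Name 'rg-prod'
$definition = Get-AzPolicyDefinition -Builtin |
    Where-Object { $_.Properties.DisplayName -eq '<deployIfNotExists display name>' }

# deployIfNotExists deploys resources on your behalf, so the assignment needs an
# identity. -AssignIdentity creates a system-assigned one; it requires a location.
$assignment = New-AzPolicyAssignment -Name 'deploy-baseline-prod' -Scope $rg.ResourceId `
    -PolicyDefinition $definition -AssignIdentity -Location 'eastus'

# Grant only the roles the definition declares under details.roleDefinitionIds,
# scoped to the resource group. Without these the remediation deployments fail
# with authorization errors; new role assignments can take a few minutes to apply.
$roleIds = $definition.Properties.policyRule.then.details.roleDefinitionIds
foreach ($roleId in $roleIds) {
    New-AzRoleAssignment -ObjectId $assignment.Identity.PrincipalId `
        -RoleDefinitionId ($roleId -split '/')[-1] -Scope $rg.ResourceId
}

# Remediate the resources already evaluated as non-compliant, then poll the task.
$task = Start-AzPolicyRemediation -Name 'remediate-baseline-prod' `
    -PolicyAssignmentId $assignment.ResourceId -ResourceGroupName $rg.ResourceGroupName

do {
    Start-Sleep -Seconds 30
    $task = Get-AzPolicyRemediation -Name $task.Name -ResourceGroupName $rg.ResourceGroupName
} while ($task.ProvisioningState -in 'Accepted', 'Evaluating', 'Running')

# Final state plus the count of deployments that succeeded or failed.
$task | Select-Object Name, ProvisioningState
$task.DeploymentSummary
```

Scoping the assignment and the role grant to one resource group keeps the identity's blast radius small if the definition turns out to do more than you expected.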

Azure CLI

If you are not using PowerShell, the Azure CLI can also start a remediation task. The same requirement applies as for the PowerShell command: the assignment must use a deployIfNotExists policy.

> az policy remediation create --name remediationTask --policy-assignment '/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/policyAssignments/{assignmentID}'

Summary

The power in using Azure Policies is that for any Azure subscription you can define any number of flexible policies to help you manage your environment. Furthermore, with time, effort and thought put into how you structure your policies, initiatives and parameters you can create a well-defined and easy to remediate setup.

Considering that Azure Policies are free for any Azure Subscription, it makes a lot of sense to take the time to implement what you need. Considering the flexibility in how to create and deploy these definitions and policies, it can apply to nearly anything and help you keep a handle on your environment!
