A common theme in cloud environments today is the ability to define templates, policies and procedures that help to dictate what can be done and verify that what does exist is correct. To that end, Azure provides policies that focus on resource properties during deployment and for already existing resources.

This is different from role-based access control (RBAC). RBAC focuses on user actions and keeping them within their appropriate scopes. An important difference is that Azure Policy is a default-allow, explicit-deny system: most policies you define tell the environment explicitly what it should be doing once the policies apply.

How it's Different and How it Works in Conjunction with RBAC

As described before, RBAC is focused on user actions, while Azure Policy is focused on the resources themselves. That being said, you will most likely want to delegate the right roles to the right people. The two resource providers are:

If you dive into these two providers, you will find that there are many ways to give as granular a permission set as you would like. That being said, the Resource Policy Contributor (Preview) role contains most Azure policy operation rights and may be a great starting point.

How Does Policy Assignment Work

After choosing or creating the policy definitions you want to apply, assign those definitions to a specific scope. The scope simply defines what the policy assignment applies to, such as a management group or resource group. Note that policy assignments are inherited by all child resources, though you do have the ability to exclude a sub-scope if required.

Example Policies

There are a lot of policy definitions out there and it can be hard to decide what is best to apply. So what are some of the options, when might you use them and why?

Require Tag and its Value

This can be used in any number of ways; one possibility is tagging resources with cost codes, or identifying a set of related resources spread across multiple resource groups.

Allowed Resource Types

What if you only want to allow specific resource types? This policy enforces that, for example by allowing only storage accounts to be created.

Audit Windows VMs with a Pending Reboot

Perhaps you want to know which Windows VMs have a pending reboot, so those don't get left behind. Use this policy to find them and, if you wish, remediate them on a schedule.

Audit Diagnostic Setting

If diagnostic settings are not enabled, this policy flags the resources that are non-compliant.

Management Ports Should be Closed on your Virtual Machines

Verifies that the management ports on your VMs are closed; a great policy for the security-minded.

Deprecated Accounts Should be Removed from your Subscription

For all accounts that have been blocked from signing in within a directory, this policy finds them so you can remediate as necessary.

Although there are many built-in definitions, with more being created every day, you also have the very powerful ability to create your own custom policy definitions. Using a simple query definition schema, you can build if-then constructions that define which resources a policy applies to and what happens when they match.

Creating a Policy

There are many ways to create policies, so you can choose the one that suits your preferred method of management: the Azure Portal GUI, PowerShell, the Azure CLI and ARM templates. Below we go over what each of these means and how you can use it.

Azure Portal

If you prefer the GUI route or are exploring your options, starting here is a good introduction into policies. The interface is simple and allows you to see what your options are at a glance.

  1. Within the Azure Portal, search for Policy
  2. Click on Assignments under the Authoring section
  3. Click on Assign policy
  4. Click on the ellipsis under Scope to select the subscription to apply to and optionally the resource group
  5. Click on the ellipsis under Policy definition to select the policy to define
  6. Either use the default generated name under Assignment name or enter one to uniquely identify your policy
  7. Fill out any parameters as necessary based on the policy chosen
  8. Finally create a managed identity and define its location if necessary

Creating an Azure Policy

PowerShell

Thankfully, PowerShell makes it quick and easy to assign a policy definition. There are two prerequisites: the latest version of Azure PowerShell must be installed, and the Azure Policy Insights resource provider must be registered.

PS51> Register-AzResourceProvider -ProviderNamespace 'Microsoft.PolicyInsights'
Register Azure Policy Insights Resource Provider
PS51> $resourceGroup = Get-AzResourceGroup -Name '<resourceGroupName>'

PS51> $definition = Get-AzPolicyDefinition | Where-Object { $_.Properties.DisplayName -eq '<policyName>' }

PS51> New-AzPolicyAssignment -Name '<assignment-name>' -DisplayName '<friendlyName>' -Scope $resourceGroup.ResourceId -PolicyDefinition $definition -listOfResourceTypesAllowed '<parameterValues>'
Assign the Policy

Azure CLI

If PowerShell isn't available or preferred, the Azure CLI lets you accomplish much the same. It is also helpful in cross-platform scenarios where you cannot use PowerShell on every operating system.

> az policy assignment create --name '<policyName>' --display-name '<friendlyName>' --scope '<scope>' --policy '<policyDefinitionID>'

Templates

Azure Resource Manager templates are yet another way to create and assign policies to resources. Below is a starter template you can use to assign a policy of your choosing to a resource group.

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "policyAssignmentName": {
      "type": "string",
      "metadata": {
        "description": "Specifies the name of the policy assignment."
      }
    },
    "rgName":{
      "type": "string",
      "defaultValue": "[resourceGroup().name]",
      "metadata": {
        "description": "Specifies the name of the resource group where you want to assign the policy."
      }
    },
    "policyDefinitionID": {
      "type": "string",
      "metadata": {
        "description": "Specifies the ID of the policy definition or policy set definition being assigned."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/policyAssignments",
      "name": "[parameters('policyAssignmentName')]",
      "apiVersion": "2018-05-01",
      "properties": {
        "scope": "[concat(subscription().id, '/resourceGroups/', parameters('rgName'))]",
        "policyDefinitionId": "[parameters('policyDefinitionID')]"
      }
    }
  ]
}

How to Make Policies more Reusable

Parameters

One of the most useful tools is defining parameters for use in your policies. If you had to define a unique policy for each and every variation, you might end up with hundreds. The solution is to parameterize a policy: you customize it at assignment time, and one policy definition serves many different use cases.
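To make the custom-definition and parameter ideas concrete, here is an added PowerShell example (not code from the original post) that creates a parameterized custom definition and assigns it twice with different parameter values. It assumes the Az.Resources module is installed and you are signed in with Connect-AzAccount; the resource group names, the definition name and the assignment names are placeholders of my own choosing. The rule follows the same shape as the built-in secure-transfer policy: it targets storage accounts and treats a missing supportsHttpsTrafficOnly property the same as one set to false.

```powershell
# Added example (not from the original post): a parameterized custom
# policy definition, created and assigned with the Az module.
# Assumptions: Az.Resources installed, Connect-AzAccount already run,
# and the names marked <...> are placeholders.

# The policy rule: an if/then construction over resource properties.
# It matches storage accounts whose supportsHttpsTrafficOnly property is
# either absent (older API versions) or explicitly false. The effect is
# not hard-coded; it comes from the 'effect' parameter chosen at assignment.
$policyRule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
      {
        "anyOf": [
          { "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "exists": "false" },
          { "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "equals": "false" }
        ]
      }
    ]
  },
  "then": {
    "effect": "[parameters('effect')]"
  }
}
'@

# The parameter schema. allowedValues limits what an assignment may pick,
# and defaultValue lets an assignment omit the parameter entirely.
$policyParameters = @'
{
  "effect": {
    "type": "String",
    "metadata": {
      "displayName": "Effect",
      "description": "Audit only reports non-compliant accounts; Deny blocks the deployment."
    },
    "allowedValues": [ "Audit", "Deny" ],
    "defaultValue": "Audit"
  }
}
'@

# Create the definition once at subscription scope. -Mode Indexed limits
# evaluation to resource types that support tags and location.
$definition = New-AzPolicyDefinition -Name 'require-storage-https-only' `
    -DisplayName 'Storage accounts must require secure transfer' `
    -Description 'Flags or blocks storage accounts that accept HTTP traffic.' `
    -Policy $policyRule `
    -Parameter $policyParameters `
    -Mode 'Indexed'

# Assign the same definition twice with different parameter values:
# Audit on a development resource group, Deny on a production one.
$devRg  = Get-AzResourceGroup -Name '<devResourceGroupName>'    # placeholder
$prodRg = Get-AzResourceGroup -Name '<prodResourceGroupName>'   # placeholder

New-AzPolicyAssignment -Name 'storage-https-audit' `
    -DisplayName 'Audit storage without secure transfer' `
    -Scope $devRg.ResourceId `
    -PolicyDefinition $definition `
    -PolicyParameterObject @{ effect = 'Audit' }

New-AzPolicyAssignment -Name 'storage-https-deny' `
    -DisplayName 'Deny storage without secure transfer' `
    -Scope $prodRg.ResourceId `
    -PolicyDefinition $definition `
    -PolicyParameterObject @{ effect = 'Deny' }
```

Starting with Audit and switching the parameter to Deny only once the compliance results look right is the usual way to roll a new definition out without blocking deployments unexpectedly.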

Initiatives

The next logical step is to collect multiple definitions together in a set. This allows you to assign all those different definitions to a scope without having to individually assign each one over and over.

Initiative Parameters

Finally, you can add parameters to initiatives that are passed down to the individual policies. This means you don't have to set parameters separately for each policy contained within an initiative. It can save a great deal of time: a few initiatives can apply many different policies in several different ways depending on the parameters chosen.
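The following is an added PowerShell example (not from the original post) that puts the initiative and initiative-parameter sections together: two built-in definitions are grouped into one initiative, the initiative declares its own parameters, and each member policy binds its parameter to the initiative's. It assumes Az.Resources is installed and you are signed in; the built-ins are looked up by display name in the same way the post's PowerShell section does, the initiative and assignment names are my own, and the resource group name is a placeholder.

```powershell
# Added example (not from the original post): an initiative whose
# parameters flow down to its member policies.
# Assumptions: Az.Resources installed, Connect-AzAccount already run,
# names marked <...> are placeholders.

# Look up the two built-in definitions by their display names.
$allowedLocations = Get-AzPolicyDefinition |
    Where-Object { $_.Properties.DisplayName -eq 'Allowed locations' }
$allowedTypes = Get-AzPolicyDefinition |
    Where-Object { $_.Properties.DisplayName -eq 'Allowed resource types' }

# Initiative parameters. Each member policy below refers to one of these
# with [parameters('...')] instead of carrying its own literal value.
$initiativeParameters = @'
{
  "allowedLocations": {
    "type": "Array",
    "metadata": { "displayName": "Allowed locations", "description": "Regions resources may be deployed to." }
  },
  "allowedResourceTypes": {
    "type": "Array",
    "metadata": { "displayName": "Allowed resource types", "description": "Resource types that may be created." }
  }
}
'@

# Member definitions. The inner names (listOfAllowedLocations,
# listOfResourceTypesAllowed) are the built-in policies' own parameter
# names; their values are bound to the initiative's parameters.
$memberDefinitions = @"
[
  {
    "policyDefinitionId": "$($allowedLocations.PolicyDefinitionId)",
    "parameters": { "listOfAllowedLocations": { "value": "[parameters('allowedLocations')]" } }
  },
  {
    "policyDefinitionId": "$($allowedTypes.PolicyDefinitionId)",
    "parameters": { "listOfResourceTypesAllowed": { "value": "[parameters('allowedResourceTypes')]" } }
  }
]
"@

$initiative = New-AzPolicySetDefinition -Name 'baseline-guardrails' `
    -DisplayName 'Baseline guardrails' `
    -Description 'Restricts where resources may live and which types may be created.' `
    -PolicyDefinition $memberDefinitions `
    -Parameter $initiativeParameters

# One assignment per scope; only the parameter values differ between them.
$sandboxRg = Get-AzResourceGroup -Name '<sandboxResourceGroupName>'   # placeholder

New-AzPolicyAssignment -Name 'guardrails-sandbox' `
    -DisplayName 'Baseline guardrails (sandbox)' `
    -Scope $sandboxRg.ResourceId `
    -PolicySetDefinition $initiative `
    -PolicyParameterObject @{
        allowedLocations     = @('eastus', 'westus2')
        allowedResourceTypes = @('Microsoft.Storage/storageAccounts', 'Microsoft.KeyVault/vaults')
    }
```

Adding a third or fourth policy to the initiative later does not change any assignment: as long as the new member binds to an existing initiative parameter, every scope picks it up on the next evaluation.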

Remediation Tasks

So what do you do when a policy evaluates and finds resources out of compliance? At that point, you can launch a remediation task to fix whatever the issue might be. This can be quite powerful, but also quite dangerous if set up incorrectly. Once again there are several ways to define these tasks: through the Azure Portal, PowerShell or the Azure CLI.

Azure Portal

As before, you can use the Azure Portal to explore the creation of a remediation task. If you find that no policies are listed, make sure the assignment uses a deployIfNotExists policy and that it has evaluated some resources as non-compliant; otherwise nothing will show.

  1. Within the Azure Portal, search for Policy
  2. Click on Remediation on the left-hand side
  3. Click on a policy that is of the type of deployIfNotExists and has non-compliant resources
  4. Filter the resources to be remediated on the New remediation task page to limit what the task applies to
  5. Click on Remediate to start the task itself

PowerShell

It is quite simple to create a remediation task via PowerShell. The main thing to remember is that the assignment must use a deployIfNotExists policy.

PS51> Start-AzPolicyRemediation -Name 'remediationTask' -PolicyAssignmentId '/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/policyAssignments/{assignmentID}'
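Because a remediation task deploys changes into live resources, it is worth seeing what it would touch before starting it, and limiting it to a small scope on the first run. Here is an added PowerShell example (not from the original post) that lists the assignment's non-compliant resources in one resource group and then starts a remediation task for that resource group only, polling until it finishes. It assumes the Az.Resources and Az.PolicyInsights modules are installed, you are signed in, the assignment lives at subscription scope, and the assignment and resource group names are placeholders.

```powershell
# Added example (not from the original post): preview, then scope, a
# remediation task. Assumptions: Az.Resources and Az.PolicyInsights installed,
# Connect-AzAccount already run, a subscription-scope deployIfNotExists
# assignment, and <...> values are placeholders.

$assignmentName = '<assignmentName>'                                  # placeholder
$targetRg       = Get-AzResourceGroup -Name '<resourceGroupName>'     # placeholder

# The assignment object carries the full PolicyAssignmentId, so there is no
# need to hand-build the /subscriptions/.../policyAssignments/... path.
$assignment = Get-AzPolicyAssignment -Name $assignmentName

# Compliance records for this assignment, narrowed to the target resource
# group and to resources currently reported as non-compliant.
$nonCompliant = Get-AzPolicyState -ResourceGroupName $targetRg.ResourceGroupName `
    -PolicyAssignmentName $assignmentName `
    -Filter "ComplianceState eq 'NonCompliant'"

$nonCompliant |
    Select-Object ResourceId, PolicyDefinitionName, Timestamp |
    Format-Table -AutoSize

if (-not $nonCompliant) {
    Write-Host 'Nothing to remediate in this resource group.'
    return
}

# Start the task for this resource group only. Task names must be unique
# within a scope, so a timestamp is appended.
$taskName = 'remediate-{0}' -f (Get-Date -Format 'yyyyMMddHHmm')
$task = Start-AzPolicyRemediation -Name $taskName `
    -ResourceGroupName $targetRg.ResourceGroupName `
    -PolicyAssignmentId $assignment.PolicyAssignmentId

# Poll until the task leaves the Accepted/Running states, then show the
# deployment summary (total, succeeded and failed deployments).
do {
    Start-Sleep -Seconds 30
    $task = Get-AzPolicyRemediation -Name $taskName -ResourceGroupName $targetRg.ResourceGroupName
} while ($task.ProvisioningState -in 'Accepted', 'Running')

$task | Select-Object Name, ProvisioningState, DeploymentSummary
```

Once the summary for one resource group shows the deployments you expect, the same call without -ResourceGroupName remediates the whole assignment scope.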

Azure CLI

Instead of PowerShell you can also use the Azure CLI to start a remediation task. The same requirement applies as for the PowerShell task.

> az policy remediation create --name remediationTask --policy-assignment '/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/policyAssignments/{assignmentID}'

Summary

The power in using Azure Policy is that for any Azure subscription you can define any number of flexible policies to help you manage your environment. Furthermore, with time, effort and thought put into how you structure your policies, initiatives and parameters, you can create a well-defined and easy-to-remediate setup.

Considering that Azure Policy is free for any Azure subscription, it makes a lot of sense to take the time to implement what you need. Given the flexibility in how these definitions and policies can be created and deployed, they can apply to nearly anything and help you keep a handle on your environment!
