Manage Azure subscriptions and governance
Microsoft Certified: Azure Administrator Associate (AZ-104)
Azure Policy is a governance tool in Azure. It helps you control what can be created or changed in your Azure environment. Think of it as a "rule engine" that ensures all resources in your cloud follow your organization's rules.
1. What is Azure Policy?
Azure Policy is a service that enforces rules for your Azure resources. It ensures compliance with your organization's standards.
- Without Azure Policy, users can create anything anywhere, which can lead to security issues, cost overruns, or inconsistent configurations.
- With Azure Policy, you define rules, and Azure checks resources against them automatically.
Key points:
- It is different from role-based access control (RBAC). RBAC controls who can do what, while Azure Policy controls what can be done.
- Policies can deny, audit, or enforce resource configurations.
2. Key Components of Azure Policy
- Policy Definition
- This is the actual rule. It defines what is allowed or disallowed.
- Examples of rules:
- Only allow virtual machines of certain sizes.
- Enforce tags on all resources for tracking.
- Block creation of public IP addresses in certain subscriptions.
- Initiative (Policy Set)
- A collection of policy definitions grouped together.
- Helps manage multiple policies at once.
- Example: An initiative to enforce security standards might include:
- Require encryption on storage accounts.
- Block unapproved VM sizes.
- Require specific tags.
- Assignment
- This is where you apply a policy or initiative to a scope.
- Scopes can be:
- Management group
- Subscription
- Resource group
- Individual resource
- Compliance
- Azure Policy provides a compliance report showing which resources follow the rules and which don't.
- Example: If a policy requires all VMs to have monitoring enabled, the compliance report shows which VMs are non-compliant.
3. How Azure Policy Works
Azure Policy uses a JSON format to define rules. Each policy has two main parts:
- Conditions (if/when): define when the policy applies, i.e. which resources the rule matches.
- Example: "If a resource is a virtual machine..."
- Effect (then): defines what Azure does when the condition matches (the condition is written so that a match means the resource is non-compliant).
Common effects include:
- Deny: blocks the create or update request entirely.
- Audit: records non-compliance in the compliance report but allows the action.
- AuditIfNotExists: checks for a required related resource or setting and logs non-compliance if it is missing.
- Append: adds settings automatically to resources during creation or update (e.g., add tags).
- DeployIfNotExists: automatically deploys resources or configurations if they are missing.
4. Common Scenarios in IT
Azure Policy is widely used to enforce standards and secure IT environments:
- Enforcing resource naming conventions
- Example: All VMs must start with "PROD-" or "DEV-".
- Prevents confusion in large environments.
- Restricting VM sizes
- Example: Only allow VM sizes that are approved for cost efficiency.
- Helps control expenses and avoids oversized resources.
- Require encryption
- Example: All storage accounts must have encryption enabled.
- Ensures data security compliance.
- Tagging resources for cost management
- Example: All resources must have a "CostCenter" tag.
- Helps track expenses across departments.
- Blocking public IP creation
- Example: Prevent users from creating VMs with public IPs in certain subscriptions.
- Increases security by reducing exposure to the internet.
5. How to Implement Azure Policy
- Create a Policy Definition
- Go to Azure Portal > Policy > Definitions > + Policy Definition
- Choose Built-in policy or create Custom policy.
- Define the rule (conditions and effect).
- Create an Initiative (Optional)
- Group multiple policies for easier management.
- Example: A "Security Initiative" could include policies for encryption, monitoring, and restricted IPs.
- Assign the Policy or Initiative
- Assign it to a scope (subscription, resource group, or management group).
- Optionally, set parameters (e.g., allowed VM sizes or required tags).
- Monitor Compliance
- Go to Policy > Compliance
- Check which resources are compliant and which are non-compliant.
- Take corrective actions if needed.
6. Built-in vs Custom Policies
- Built-in Policies
- Azure provides many ready-to-use policies for common scenarios (security, cost, operations, compliance).
- Example: "Require a tag on resources" or "Allowed VM sizes".
- Custom Policies
- Create your own JSON-based rules if built-in policies don't meet your needs.
- Example: Enforce naming convention:
resourceName must start with "APP-".
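The if/then policyRule structure from section 3 and the custom naming rule just above, worked through as an added example that is not part of these notes or of Azure's own engine: two constructed policy definitions plus a simplified Python evaluator for a subset of Azure Policy condition operators (allOf, not, equals, in, exists, like), returning the effect that would fire for a given resource. The resource records and the allowedSizes parameter are constructed; for brevity the VM size alias is stored directly as a property key rather than resolved through Azure's alias mapping.

```python
import fnmatch
import re

# Constructed policy definitions (not Microsoft's built-ins), in the same
# if/then policyRule shape Azure Policy uses; "allowedSizes" comes from the assignment.
DENY_VM_SIZES = {"policyRule": {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
        {"not": {"field": "Microsoft.Compute/virtualMachines/sku.name",
                 "in": "[parameters('allowedSizes')]"}}]},
    "then": {"effect": "deny"}}}
AUDIT_COSTCENTER_TAG = {"policyRule": {
    "if": {"field": "tags['CostCenter']", "exists": "false"},
    "then": {"effect": "audit"}}}

PARAM_REF = re.compile(r"^\[parameters\('(\w+)'\)\]$")

def resolve(value, params):
    """Substitute a "[parameters('name')]" reference with the assigned value."""
    m = PARAM_REF.match(value) if isinstance(value, str) else None
    return params[m.group(1)] if m else value

def field_value(resource, field):
    """Look up 'type'/'name', a tags['X'] alias, or a property alias (simplified)."""
    if field.startswith("tags["):
        return resource.get("tags", {}).get(field[6:-2])
    return resource.get(field, resource.get("properties", {}).get(field))

def matches(cond, resource, params):
    """Simplified evaluator for an Azure Policy condition tree (subset of operators)."""
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    if "not" in cond:
        return not matches(cond["not"], resource, params)
    actual = field_value(resource, cond["field"])
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return actual == resolve(cond["equals"], params)
    if "in" in cond:
        return actual in resolve(cond["in"], params)
    if "like" in cond:  # Azure's like uses * as the wildcard, same as fnmatch
        return actual is not None and fnmatch.fnmatch(actual, cond["like"])
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(policy, resource, params=None):
    """Return the effect that fires for this resource ('deny', 'audit'), or None if compliant."""
    rule = policy["policyRule"]
    return rule["then"]["effect"] if matches(rule["if"], resource, params or {}) else None
```

A rule whose "if" does not match (for example the VM-size policy applied to a storage account) returns None, which is why a Deny policy scoped to a subscription does not interfere with unrelated resource types.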
7. Exam Tips for AZ-104
- Know the difference between:
- RBAC: Controls who can do what.
- Azure Policy: Controls what can be done.
- Understand Policy effects: Deny, Audit, Append, DeployIfNotExists.
- Know scope levels: Management group > Subscription > Resource group > Resource.
- Remember Initiatives are just collections of policies.
- Be able to identify scenarios:
- Restrict VM sizes: cost control
- Require encryption: security
- Enforce tags: resource organization and cost management
- Know how to monitor compliance in Azure Portal.
Summary Table
| Feature | Purpose | Example |
|---|---|---|
| Policy Definition | Define the rule | Only allow certain VM sizes |
| Initiative (Policy Set) | Group multiple policies together | Security initiative with encryption + monitoring |
| Assignment | Apply policy/initiative to a scope | Subscription or Resource Group |
| Effects | Decide what happens if rule violated | Deny, Audit, Append, DeployIfNotExists |
| Compliance | Monitor if resources follow the policy | Reports VMs missing required tags |
Azure Policy is essential for governance, security, and compliance in Azure. For the AZ-104 exam, focus on definitions, assignments, initiatives, effects, and compliance monitoring.
