Implement and manage Azure Policy

Manage Azure subscriptions and governance

📘 Microsoft Certified: Azure Administrator Associate (AZ-104)


Azure Policy is a governance tool in Azure. It helps you control what can be created or changed in your Azure environment. Think of it as a “rule engine” that ensures all resources in your cloud follow your organization’s rules.

1. What is Azure Policy?

Azure Policy is a service that enforces rules for your Azure resources. It ensures compliance with your organization’s standards.

  • Without Azure Policy, anyone holding a role that permits resource creation can deploy any resource type, size, region, or configuration, which leads to security gaps (public endpoints, weak transport settings), cost overruns, and inconsistent configurations.
  • With Azure Policy, you define rules once, and Azure Resource Manager checks every create or update request, and the existing estate on a schedule, against them automatically.

Key points:

  • It is different from role-based access control (RBAC). RBAC decides which identities may perform which operations at a scope (who can do what). Azure Policy evaluates the properties of the resources themselves (what may be created, and how existing resources must be configured), and it applies regardless of which role the caller holds.
  • Policies can deny non-compliant requests, audit and report on existing resources, or add and deploy configuration so that resources match the standard.

2. Key Components of Azure Policy

  1. Policy Definition
    • This is the actual rule. It defines what is allowed or disallowed.
    • Examples of rules:
      • Only allow virtual machines of certain sizes.
      • Enforce tags on all resources for tracking.
      • Block creation of public IP addresses in certain subscriptions.
  2. Initiative (Policy Set)
    • A collection of policy definitions grouped together.
    • Helps manage multiple policies at once.
    • Example: An initiative to enforce security standards might include:
      • Require encryption on storage accounts.
      • Block unapproved VM sizes.
      • Require specific tags.
  3. Assignment
    • This is where you apply a policy or initiative to a scope. An assignment covers every resource at or below that scope, so an assignment at a management group is inherited by all of its subscriptions, resource groups, and resources.
    • Scopes can be:
      • Management group
      • Subscription
      • Resource group
      • Individual resource
  4. Compliance
    • Azure Policy evaluates resources when they are created or updated, when a new assignment is made, and on a periodic scan of existing resources (about once every 24 hours). The result is a compliance report showing which resources follow the rules and which don’t.
    • Example: If a policy requires all VMs to have monitoring enabled, the compliance report shows which VMs are non-compliant.

3. How Azure Policy Works

Azure Policy definitions are written in JSON. A definition has a mode (which resource types it evaluates), optional parameters (values supplied at assignment time, such as the list of allowed VM sizes), and a policyRule, which is the rule itself and has two parts:

  1. Condition (if) – Defines which resources the rule applies to, built from field comparisons (equals, in, like, exists, and so on) combined with allOf, anyOf, and not.
    • Example: “If the resource type is Microsoft.Compute/virtualMachines and its name does not start with the required prefix…”
  2. Effect (then) – Defines what happens when the condition matches, that is, when a resource is non-compliant.
    Common effects include:
    • Deny – Blocks the create or update request entirely. Existing resources that would be denied are reported as non-compliant but are not changed.
    • Audit – Allows the action but records the resource as non-compliant.
    • AuditIfNotExists – Checks for a related resource or setting (for example, a monitoring extension on a VM); marks the resource non-compliant if it is missing.
    • Append – Adds fields to the request during create or update (for example, a list of allowed IP ranges on a storage account).
    • Modify – Adds, replaces, or removes properties or tags on the resource; this is the recommended effect for enforcing tags.
    • DeployIfNotExists – Deploys a template when the related resource or setting is missing (for example, to enable diagnostics).
    • Disabled – Turns the rule off; useful when the effect is a parameter and you want to switch a policy off without deleting the assignment.

    Modify and DeployIfNotExists change resources, so the assignment needs a managed identity with enough RBAC permissions to do so, and existing non-compliant resources are only fixed when you run a remediation task.

4. Common Scenarios in IT

Azure Policy is widely used to enforce standards and secure IT environments:

  1. Enforcing resource naming conventions
    • Example: All VMs must start with “PROD-” or “DEV-”.
    • Prevents confusion in large environments.
  2. Restricting VM sizes
    • Example: Only allow VM sizes that are approved for cost efficiency.
    • Helps control expenses and avoids oversized resources.
  3. Require encryption and secure transport
    • Example: All storage accounts must require secure transfer (HTTPS only). Encryption at rest with Microsoft-managed keys is always on for storage accounts and cannot be disabled, so the policies that add value are ones that require secure transfer or customer-managed keys.
    • Ensures data-protection requirements are enforced and reported on.
  4. Tagging resources for cost management
    • Example: All resources must have a “CostCenter” tag.
    • Helps track expenses across departments.
  5. Blocking public IP creation
    • Example: Prevent users from creating VMs with public IPs in certain subscriptions.
    • Increases security by reducing exposure to the internet.

5. How to Implement Azure Policy

  1. Choose or Create a Policy Definition
    • Go to Azure Portal → Policy → Definitions. Built-in definitions are already listed here; filter by type and category to find one such as “Allowed virtual machine size SKUs”.
    • If no built-in definition fits, choose + Policy definition, pick the definition location (a subscription or management group), and write the rule as JSON (parameters, condition, and effect).
  2. Create an Initiative (Optional)
    • Group multiple policies for easier management and a single compliance view.
    • Example: A “Security Initiative” could include policies for encryption, monitoring, and restricted public IPs.
  3. Assign the Policy or Initiative
    • Assign it to a scope (management group, subscription, or resource group); optionally exclude child scopes that should not be covered.
    • Set parameters (e.g., allowed VM sizes or required tags). Many built-in definitions also expose the effect as a parameter, so the same definition can be assigned as Audit first and switched to Deny once you have reviewed the compliance results.
    • For DeployIfNotExists or Modify effects, enable the managed identity on the assignment so that remediation can run.
  4. Monitor Compliance
    • Go to Policy → Compliance
    • Check which resources are compliant and which are non-compliant, and why (the compliance details show the condition that failed).
    • Take corrective actions: fix the resource, or create a remediation task for assignments with DeployIfNotExists or Modify effects to bring existing resources into compliance.

6. Built-in vs Custom Policies

  • Built-in Policies
    • Azure provides hundreds of ready-to-use definitions maintained by Microsoft for common scenarios (security, cost, operations, regulatory compliance).
    • Example: “Require a tag on resources” or “Allowed virtual machine size SKUs.”
  • Custom Policies
    • Create your own JSON-based rules if built-in policies don’t meet your needs.
    • Example: Enforce naming convention: resourceName must start with “APP-”.
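The following Python script, added here as an illustration and not part of the original notes or of Azure itself, models the pieces described in sections 3, 5 and 6 end to end: three definitions written in the JSON shape Azure Policy uses (the custom naming rule with the APP- prefix, an allowed VM size rule whose effect is a parameter, and a required CostCenter tag rule), an initiative that groups them, an assignment at subscription scope that supplies parameter values, and a compliance report over a constructed sample inventory. It is a simplified re-implementation of the if/then evaluation for the handful of conditions used, not Azure's engine; the resource IDs, reference ids, tag values, the initiative parameter name, and the way the sku.name alias is read straight from the sample records are all assumptions.

```python
# Simplified model of Azure Policy evaluation, from definition through initiative and assignment
# to a compliance report. Added illustration, not Azure's engine: it supports a handful of
# conditions, and the alias "Microsoft.Compute/virtualMachines/sku.name" is read as a plain key
# of the constructed sample resources instead of being resolved the way Azure does.
import fnmatch
import json

# Definitions in the JSON shape Azure Policy uses: mode, parameters, policyRule (if/then).
NAMING_POLICY = json.loads("""{"mode": "Indexed",
  "parameters": {"namePattern": {"type": "String", "defaultValue": "APP-*"}},
  "policyRule": {"if": {"allOf": [
      {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
      {"not": {"field": "name", "like": "[parameters('namePattern')]"}}]},
    "then": {"effect": "deny"}}}""")
VM_SIZE_POLICY = json.loads("""{"mode": "Indexed",
  "parameters": {"allowedSizes": {"type": "Array"}, "effect": {"type": "String", "defaultValue": "Audit"}},
  "policyRule": {"if": {"allOf": [
      {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
      {"not": {"field": "Microsoft.Compute/virtualMachines/sku.name", "in": "[parameters('allowedSizes')]"}}]},
    "then": {"effect": "[parameters('effect')]"}}}""")
TAG_POLICY = json.loads("""{"mode": "Indexed", "parameters": {},
  "policyRule": {"if": {"field": "tags['CostCenter']", "exists": "false"}, "then": {"effect": "audit"}}}""")

# Initiative (policy set). Members may take values from the initiative's own parameters, which the
# assignment then supplies. The reference ids and the parameter name are hypothetical.
SECURITY_INITIATIVE = [
    {"policyDefinitionReferenceId": "naming", "policy": NAMING_POLICY, "parameters": {}},
    {"policyDefinitionReferenceId": "vm-sizes", "policy": VM_SIZE_POLICY,
     "parameters": {"allowedSizes": "[parameters('allowedSizes')]", "effect": "Deny"}},
    {"policyDefinitionReferenceId": "cost-center-tag", "policy": TAG_POLICY, "parameters": {}}]
# Assignment at subscription scope: every resource group and resource below it inherits it.
ASSIGNMENT = {"scope": "/subscriptions/sub-1", "parameters": {"allowedSizes": ["Standard_B2s", "Standard_D2s_v3"]}}

def _resolve(value, params):
    """Replace a [parameters('x')] reference with the supplied value of x; literals pass through."""
    ref = isinstance(value, str) and value.startswith("[parameters('") and value.endswith("')]")
    return params[value[13:-3]] if ref else value

def _field(resource, name):
    """Read a policy field: tags['x'] comes from the tag map, anything else is a top-level key."""
    if name.startswith("tags['") and name.endswith("']"):
        return resource.get("tags", {}).get(name[6:-2])
    return resource.get(name)

def _matches(cond, resource, params):
    """Evaluate one node of the policyRule 'if' block: a logical operator or a field condition."""
    if "allOf" in cond:
        return all(_matches(c, resource, params) for c in cond["allOf"])
    if "not" in cond:
        return not _matches(cond["not"], resource, params)
    actual = _field(resource, cond["field"])
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    if actual is None:  # an absent field satisfies no value comparison
        return False
    if "equals" in cond:  # Azure compares strings case-insensitively
        return actual.lower() == _resolve(cond["equals"], params).lower()
    if "in" in cond:
        return actual.lower() in [v.lower() for v in _resolve(cond["in"], params)]
    if "like" in cond:  # single '*' wildcard; this model also ignores case
        return fnmatch.fnmatchcase(actual.lower(), _resolve(cond["like"], params).lower())
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(policy, params, resource):
    """Return the effect (lower-case) that fires for a resource, or None when 'if' does not match."""
    merged = {**{k: v.get("defaultValue") for k, v in policy["parameters"].items()}, **params}
    rule = policy["policyRule"]
    return _resolve(rule["then"]["effect"], merged).lower() if _matches(rule["if"], resource, merged) else None

def member_effects(initiative, assignment, resource):
    """{reference id: effect} for one resource; {} when it sits outside the assignment scope."""
    if not resource["id"].lower().startswith(assignment["scope"].lower() + "/"):
        return {}
    return {m["policyDefinitionReferenceId"]: evaluate(m["policy"],
            {k: _resolve(v, assignment["parameters"]) for k, v in m["parameters"].items()}, resource)
            for m in initiative}

def submit_request(initiative, assignment, resource):
    """Create/update time: a firing 'deny' rejects the request; 'audit' lets it through."""
    return "denied" if "deny" in member_effects(initiative, assignment, resource).values() else "allowed"

def compliance_report(initiative, assignment, resources):
    """Scan of existing resources: which member policies flag each in-scope resource (deny included)."""
    return {r["id"]: [ref for ref, eff in fired.items() if eff in ("deny", "audit", "auditifnotexists")]
            for r in resources if (fired := member_effects(initiative, assignment, r))}

def _vm(sub, rg, name, sku, tags=None):  # builds a constructed sample VM record
    rid = f"/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Compute/virtualMachines/{name}"
    return {"id": rid, "name": name, "type": "Microsoft.Compute/virtualMachines",
            "Microsoft.Compute/virtualMachines/sku.name": sku, "tags": tags or {}}

SAMPLE_RESOURCES = [  # constructed inventory, not real resources
    _vm("sub-1", "rg-prod", "APP-web01", "Standard_D2s_v3", {"CostCenter": "1234"}),  # compliant
    _vm("sub-1", "rg-prod", "db01", "Standard_D2s_v3", {"CostCenter": "1234"}),  # violates naming
    _vm("sub-1", "rg-dev", "APP-big01", "Standard_E64s_v3"),  # unapproved size, no tag
    {"id": "/subscriptions/sub-1/resourceGroups/rg-dev/providers/Microsoft.Storage/storageAccounts/appdevlogs",
     "name": "appdevlogs", "type": "Microsoft.Storage/storageAccounts"},  # no tag
    _vm("sub-2", "rg-other", "db02", "Standard_E64s_v3")]  # other subscription: out of scope

if __name__ == "__main__":
    for rid, failures in compliance_report(SECURITY_INITIATIVE, ASSIGNMENT, SAMPLE_RESOURCES).items():
        print("NON-COMPLIANT" if failures else "compliant", rid.rsplit("/", 1)[1], failures)
    print("new request for db01:", submit_request(SECURITY_INITIATIVE, ASSIGNMENT, SAMPLE_RESOURCES[1]))
```

Running it prints one verdict per in-scope resource. db01 violates the naming rule, so a create request for it is denied, while the untagged storage account is created and then shows up as non-compliant because the tag rule's effect is only audit; APP-big01 is flagged by two member policies at once, and db02 in the other subscription is never evaluated because it lies outside the assignment scope. Passing a different namePattern or allowedSizes to evaluate() shows how the same definition behaves under different assignment parameters.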

7. Exam Tips for AZ-104

  1. Know the difference between:
    • RBAC: Controls who can do what.
    • Azure Policy: Controls what can be done.
  2. Understand Policy effects: Deny, Audit, AuditIfNotExists, Append, Modify, DeployIfNotExists, Disabled.
  3. Know scope levels: Management group → Subscription → Resource group → Resource; an assignment is inherited by everything below its scope.
  4. Remember Initiatives are just collections of policies.
  5. Be able to identify scenarios:
    • Restrict VM sizes → Cost control
    • Require encryption → Security
    • Enforce tags → Resource organization & cost management
  6. Know how to monitor compliance in Azure Portal.

Summary Table

Feature                 | Purpose                                      | Example
Policy Definition       | Define the rule                              | Only allow certain VM sizes
Initiative (Policy Set) | Group multiple policies together             | Security initiative with encryption + monitoring
Assignment              | Apply a policy/initiative to a scope         | Subscription or resource group
Effects                 | Decide what happens when a rule is violated  | Deny, Audit, Append, DeployIfNotExists
Compliance              | Monitor whether resources follow the policy  | Reports VMs missing required tags

Azure Policy is essential for governance, security, and compliance in Azure. For the AZ-104 exam, focus on definitions, assignments, initiatives, effects, and compliance monitoring.

