
Azure Policy Definition and Initiatives

The document outlines the steps for creating and managing Azure Policy definitions and initiatives, including defining policies, scoping initiatives, and assessing compliance. It also describes built-in policy definitions that restrict resource types, locations, and SKUs, as well as the process for configuring resource locks to protect Azure resources from accidental modifications. Additionally, it explains how to evaluate policies and manage exceptions for compliance assessments.

Step 1: Policy Definition

First, create a policy definition. You can also reuse existing (built-in) definitions, and multiple policies can be grouped together, as described in Step 2.
Step 2: Policy Initiative

Once the policy definition is done, we create the initiative definition. We select any number of policies, create a group to add the policies to, define the initiative parameters and policy parameters, and finally create the initiative definition.
Step 3: Scope the initiative definition

Azure Policy lets you control how your initiative definitions are applied to resources in your organization. You can limit the scope of the initiative definition to specific management groups, memberships, or resource groups.
Step 4: Determine compliance

After you assign an initiative definition, you can assess the compliance status of all your resources. Individual resources, resource groups, and subscriptions within a scope can be excluded from being affected by policy rules. Exceptions are handled individually for each assignment.

You can try this: Interactive lab simulation - Training | Microsoft Learn
How are policies evaluated

The following are the times or events that cause a resource to be evaluated:
● During the standard compliance evaluation cycle, which occurs once every 24 hours.
● A policy or initiative is newly assigned to a scope.
● A resource is created, updated, or deleted in a scope with a policy assignment.
● A policy or initiative already assigned to a scope is updated.
Azure Policy built-in policy definitions:
● Allowed Storage Account SKUs (Deny): Determines whether a storage account is implemented in a set of SKU sizes. The effect is to reject all storage accounts that do not adhere to the defined set of SKU sizes.
● Allowed Resource Type (Deny): Defines the types of resources you can run. The effect is to deny all resources that are not part of this defined list.
● Allowed Locations (Deny): Restricts or limits the locations available for new resources. This effect is used to implement your geo-optimized requirements.
● Allowed Virtual Machine SKUs (Deny): Specifies the set of virtual machine SKUs you can run and deploy.
● Add a tag to resources (Modify): Applies the required tag and its default value if it is not specified by the deploy request.
● Not allowed resource types (Deny): Prevents a list of resource types from being deployed or run.
(Source: Microsoft Documentation)
Ex: All Azure Policy data and objects are encrypted at rest.
Once set up, we can see the non-compliant policies and will be able to remediate them.
(Source: Microsoft Documentation)
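The four steps above and the built-in Deny/Modify definitions, as an added example that is not from these notes or from Microsoft: a small Python model of policy rules written in Azure Policy's real "if"/"then" JSON shape, grouped into an initiative, assigned to a scope with one excluded resource, and evaluated for compliance. The resource ids, parameter values and the shortened "Add a tag" rule are constructed assumptions, and this is not Microsoft's evaluation engine.

```python
import re

# Policy definitions in Azure Policy's JSON "if"/"then" shape (constructed sample values).
ALLOWED_LOCATIONS = {
    "name": "allowed-locations", "parameters": {"listOfAllowedLocations": ["westeurope", "northeurope"]},
    "policyRule": {"if": {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
                   "then": {"effect": "Deny"}}}
NOT_ALLOWED_TYPES = {
    "name": "not-allowed-resource-types",
    "parameters": {"listOfResourceTypesNotAllowed": ["Microsoft.Compute/virtualMachines"]},
    "policyRule": {"if": {"field": "type", "in": "[parameters('listOfResourceTypesNotAllowed')]"},
                   "then": {"effect": "Deny"}}}
ADD_TAG = {  # the real "Add a tag" built-in also carries a "details" block; simplified here
    "name": "add-a-tag", "parameters": {"tagName": "env", "tagValue": "prod"},
    "policyRule": {"if": {"field": "tags['env']", "exists": "false"}, "then": {"effect": "Modify"}}}

# Step 2: the initiative groups the definitions. Steps 3-4: the assignment scopes it to
# one resource group and excludes a single resource (hypothetical resource ids).
INITIATIVE = {"name": "baseline", "policyDefinitions": [ALLOWED_LOCATIONS, NOT_ALLOWED_TYPES, ADD_TAG]}
RG = "/subscriptions/sub1/resourceGroups/rg1"
ASSIGNMENT = {"scope": RG, "notScopes": [RG + "/providers/Microsoft.Compute/virtualMachines/legacy-vm"]}

def resolve(value, params):
    """Resolve a "[parameters('x')]" reference; literal values pass through."""
    m = re.fullmatch(r"\[parameters\('(\w+)'\)\]", str(value))
    return params[m.group(1)] if m else value
def field_value(resource, field):
    m = re.fullmatch(r"tags\['(\w+)'\]", field)  # Azure's field alias for a single tag
    return resource.get("tags", {}).get(m.group(1)) if m else resource.get(field)
def condition_matches(cond, resource, params):
    actual = field_value(resource, cond["field"])
    if "exists" in cond:
        return (actual is not None) == (cond["exists"] == "true")
    values = resolve(cond.get("in", cond.get("notIn")), params)  # "in" or "notIn" list
    return (actual in values) == ("in" in cond)

def evaluate(resource, initiative=INITIATIVE, assignment=ASSIGNMENT):
    """Return (effects fired, resource as stored): Deny rejects the request, Modify patches it."""
    if not resource["id"].startswith(assignment["scope"]) or resource["id"] in assignment["notScopes"]:
        return [], resource  # outside the assignment scope or excluded: nothing is evaluated
    effects = []
    for policy in initiative["policyDefinitions"]:
        rule, params = policy["policyRule"], policy["parameters"]
        if condition_matches(rule["if"], resource, params):
            effects.append((policy["name"], rule["then"]["effect"]))
            if rule["then"]["effect"] == "Modify":  # apply the tag the way the Modify effect would
                resource = {**resource, "tags": {**resource.get("tags", {}), params["tagName"]: params["tagValue"]}}
    return effects, resource
def is_compliant(resource):  # Step 4 assessment: non-compliant if any Deny policy fires
    return not any(effect == "Deny" for _, effect in evaluate(resource)[0])
```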
Configuring Resource locks

As an administrator, you can lock resources, resource groups, or Azure subscriptions to protect them from accidental user deletions and modifications. Such locks override any user permissions.
● In the portal, these locks are called "Delete" and "Read-only".
● On the command line, these locks are called "CanNotDelete" and "ReadOnly".
● You can set locks that prevent deletions or changes.
You can use management locks to apply a restriction across all users and roles, instead of relying on role-based access control (RBAC). For considerations before applying your locks, refer to: Protect your Azure resources with a lock - Azure Resource Manager
1. Go to the Show portal menu → select any resource, resource group, or subscription that you wish to lock.
2. Under the Settings blade you can see "Locks".
3. Click the Locks option if you want to add a lock to the resource.
4. Click the Add option. If you want to create a lock at the parent level, select Parent. The currently selected resource inherits the lock from the parent.
5. For example, you could lock the resource group to apply a lock to all its resources.
6. Give the lock a name and lock level. Optionally, you can add notes describing the lock.
7. To delete the lock, select the Delete option/button.
