Azure Resource Policies and Initiatives

Azure Policy, currently in preview, extends and enhances the governance and control capabilities available in Azure Resource Manager. It allows administrators to create policies that define a particular convention, which is then either monitored for compliance or enforced. For example, policies can be defined to control the types of resources that can be deployed and the regions they can be deployed to. Another popular policy enforces tag keys and values.

Policy Settings

Microsoft provide a variety of common built-in policies such as:

  • Allowed / Not Allowed Resource Types
  • Allowed Locations
  • Enforce tag and values

Azure Policy is very powerful, and very complex policies can be created. A few more advanced examples are listed below; for more reference templates see the following link.

  • Allowed VM images
  • Enforce NSG on every subnet
  • Naming convention patterns

A single policy definition is simply called a policy; however, multiple policies can be grouped into a single definition so that several settings are applied together. This is done by creating an Initiative. An Initiative is simply two or more policies that have been grouped together and defined as a single unit.

Policy Scope

Resource Policies can be scoped to the following:

  • Subscription
  • Management Group
  • Resource Group
  • Resource
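The following is an added example, not code from the original post, tying the three ideas above together: two of the common policies (Allowed Locations and a required tag) are created as definitions, grouped into an Initiative, and the Initiative is assigned at resource-group scope. It assumes the AzureRM PowerShell module and its cmdlets New-AzureRmPolicyDefinition, New-AzureRmPolicySetDefinition and New-AzureRmPolicyAssignment, and that you are already logged in; the subscription id, resource group name, tag key and region list are placeholders.

```powershell
# Added example (not from the original post). Assumes AzureRM module, logged in.
# Subscription id, resource group, tag key and regions below are placeholders.
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$resourceGroup  = "rg-policy-demo"                          # placeholder

# Policy 1: Allowed Locations. Deny any resource whose location is not in the list.
$allowedLocationsRule = @'
{
  "if": {
    "not": {
      "field": "location",
      "in": "[parameters('allowedLocations')]"
    }
  },
  "then": { "effect": "deny" }
}
'@
$allowedLocationsParams = @'
{
  "allowedLocations": {
    "type": "Array",
    "metadata": { "description": "Regions into which resources may be deployed" }
  }
}
'@
$locDef = New-AzureRmPolicyDefinition -Name "allowed-locations-demo" `
    -DisplayName "Allowed locations (demo)" `
    -Policy $allowedLocationsRule -Parameter $allowedLocationsParams

# Policy 2: Require a tag. Deny any resource deployed without the named tag key.
$requireTagRule = @'
{
  "if": {
    "field": "[concat('tags[', parameters('tagName'), ']')]",
    "exists": "false"
  },
  "then": { "effect": "deny" }
}
'@
$requireTagParams = @'
{
  "tagName": {
    "type": "String",
    "metadata": { "description": "Tag key that every resource must carry" }
  }
}
'@
$tagDef = New-AzureRmPolicyDefinition -Name "require-tag-demo" `
    -DisplayName "Require a tag (demo)" `
    -Policy $requireTagRule -Parameter $requireTagParams

# Initiative: the two definitions grouped together. The initiative declares its
# own parameters and passes them through to each member policy.
$initiativeMembers = @"
[
  {
    "policyDefinitionId": "$($locDef.ResourceId)",
    "parameters": { "allowedLocations": { "value": "[parameters('allowedLocations')]" } }
  },
  {
    "policyDefinitionId": "$($tagDef.ResourceId)",
    "parameters": { "tagName": { "value": "[parameters('tagName')]" } }
  }
]
"@
$initiativeParams = @'
{
  "allowedLocations": { "type": "Array" },
  "tagName": { "type": "String" }
}
'@
$initiative = New-AzureRmPolicySetDefinition -Name "baseline-demo" `
    -DisplayName "Baseline governance (demo)" `
    -PolicyDefinition $initiativeMembers -Parameter $initiativeParams

# Assign the initiative. The scope here is a resource group; a subscription scope
# would be "/subscriptions/$subscriptionId", a single resource its full resource id.
$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"
New-AzureRmPolicyAssignment -Name "baseline-demo" `
    -Scope $scope -PolicySetDefinition $initiative `
    -PolicyParameterObject @{
        allowedLocations = @("australiaeast", "australiasoutheast")
        tagName          = "CostCentre"
    }
```

Keeping the region list and tag key as Initiative parameters rather than hard-coding them in each policy means the same Initiative can be assigned at several scopes (a production subscription and a dev resource group, say) with different values, without duplicating definitions.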

Policy Enforcement and Compliance

There are two SKUs available with Azure Policy: Free and Standard. Free only applies to future resources, while Standard also applies to existing resources and provides the compliance state of those existing resources. There are a few current caveats that apply to existing resources. For example, tags and tag values defined in a policy or an initiative will currently only report that an existing resource is non-compliant; they will not enforce an update of the tag or value.

If you try to create a resource that does not meet a defined policy, you will receive an error stating that validation has failed.

If you have set the SKU to Standard, you will see the compliance state for the assignment. In the following example we can see which policies within the Initiative are non-compliant and the count of non-compliant resources.

If we drill down further we can view exactly which resources are non-compliant.

As mentioned, resource tags and values are not updated to reflect the policy; these are just reported as non-compliant.

Microsoft have acknowledged that automatically triggering an append is on the roadmap for policies. In the meantime, the following script, supplied by Microsoft, can simulate the policy update.

After running the supplied script the compliance state has updated to be compliant.
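For contrast with the tag caveat above, here is an added example (not the Microsoft-supplied script referred to in the post, and not the post's own code) of a tag policy that uses the "append" effect instead of "deny". An append effect adds the tag with a default value to resources that are created or updated after the assignment, so new deployments come out compliant; resources that already exist are left untouched and continue to report as non-compliant, exactly as described above. The tag key, default value, subscription id and resource group are placeholders, and the AzureRM cmdlets are assumed as in the earlier example.

```powershell
# Added example (not the script mentioned in the post). Assumes AzureRM module, logged in.
# Tag key, default value, subscription id and resource group are placeholders.
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$resourceGroup  = "rg-policy-demo"                          # placeholder

# If the tag key is missing, append it with a default value. This acts on
# create/update requests only; existing resources are not modified by it.
$appendTagRule = @'
{
  "if": {
    "field": "[concat('tags[', parameters('tagName'), ']')]",
    "exists": "false"
  },
  "then": {
    "effect": "append",
    "details": [
      {
        "field": "[concat('tags[', parameters('tagName'), ']')]",
        "value": "[parameters('tagValue')]"
      }
    ]
  }
}
'@
$appendTagParams = @'
{
  "tagName":  { "type": "String", "metadata": { "description": "Tag key to add when missing" } },
  "tagValue": { "type": "String", "metadata": { "description": "Default value for the tag" } }
}
'@
$appendDef = New-AzureRmPolicyDefinition -Name "append-tag-demo" `
    -DisplayName "Append a default tag (demo)" `
    -Policy $appendTagRule -Parameter $appendTagParams

# Assign at resource-group scope with concrete values for the two parameters.
$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"
New-AzureRmPolicyAssignment -Name "append-tag-demo" `
    -Scope $scope -PolicyDefinition $appendDef `
    -PolicyParameterObject @{
        tagName  = "CostCentre"
        tagValue = "unassigned"
    }
```

The choice between deny and append is a governance decision: deny blocks the deployment until the requester supplies the tag, while append lets the deployment through with a sentinel value (here "unassigned") that can later be searched for and corrected. Neither effect changes existing resources, which is why the compliance view above still needs a separate update step for them.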