Azure Policy is a service in Azure that enables you to create, assign, and manage policies that enforce different rules over your Azure environments, ensuring your resources stay compliant with your corporate standards and service level agreements. Azure Policy accomplishes this by evaluating your resources for non-compliance with assigned policies. As an Azure Administrator preparing for the AZ-104 exam, understanding how to configure and manage Azure Policy is crucial.
Azure Policy Definitions express the rules that your resources need to comply with. They can enforce rules, like ensuring all resources are in a specific Azure region or that only certain types of virtual machines can be created.
Policy Assignments are the application of a Policy Definition to a specific scope. This scope could range from a single resource group to an entire subscription. When a Policy Assignment is made, Azure Policy will automatically evaluate the resources within the scope to validate compliance.
To create a new policy definition:
For example, if you want to ensure all virtual machines use managed disks, the policy rule might look like this. A VM's osDisk.uri field is only populated when the OS disk is an unmanaged VHD, so the rule audits every VM on which that field exists (a "details" block is not valid with the plain "audit" effect, so the check is expressed in the "if" condition instead):

```json
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachines"
      },
      {
        "field": "Microsoft.Compute/virtualMachines/osDisk.uri",
        "exists": "true"
      }
    ]
  },
  "then": {
    "effect": "audit"
  }
}
```
To assign a policy:
Once policies are assigned, Azure Policy will evaluate the resources and identify if they are compliant. You can view the compliance status by:
For ongoing compliance management, it’s often useful to enable the remediation of non-compliant resources automatically. To do this:
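As an added example (not code from the original article), the following Az PowerShell script shows the compliance check and the remediation flow end to end: a Modify policy that adds a required tag, an assignment with a system-assigned managed identity, the role grant that identity needs, the non-compliance query, and the remediation task. The definition and assignment names, the tag key, the tag value and "MyResourceGroup" are placeholders, and the output property names assume Az.Resources 6.x.

```powershell
# Added example, not from the original article: a Modify policy that adds a required tag,
# assigned with a system-assigned identity so existing resources can be remediated.
# Placeholders: the definition/assignment names, the tag key and "MyResourceGroup".
# Output property names (Identity.PrincipalId) assume Az.Resources 6.x.
$roleId = (Get-AzRoleDefinition -Name "Tag Contributor").Id
$policyRule = @{
    "if"   = @{ "field" = "tags['costCenter']"; "exists" = "false" }
    "then" = @{
        "effect"  = "modify"
        "details" = @{
            # The assignment's identity must hold this role, or remediation fails on every resource.
            "roleDefinitionIds" = @("/providers/Microsoft.Authorization/roleDefinitions/$roleId")
            "operations"        = @(
                @{ "operation" = "add"; "field" = "tags['costCenter']"; "value" = "[parameters('costCenterValue')]" }
            )
        }
    }
}
$parameters = @{
    "costCenterValue" = @{ "type" = "String"; "metadata" = @{ "displayName" = "Cost center tag value" } }
}
$definition = New-AzPolicyDefinition -Name "RequireCostCenterTag" -DisplayName "Add costCenter tag when missing" `
    -Policy ($policyRule | ConvertTo-Json -Depth 10) -Parameter ($parameters | ConvertTo-Json -Depth 10) -Mode Indexed

# Modify and DeployIfNotExists assignments need an identity; -Location is required whenever one is created.
$rg = Get-AzResourceGroup -Name "MyResourceGroup"
$assignment = New-AzPolicyAssignment -Name "ApplyCostCenterTag" -PolicyDefinition $definition -Scope $rg.ResourceId `
    -PolicyParameterObject @{ "costCenterValue" = "CC-1234" } -IdentityType SystemAssigned -Location $rg.Location

# Grant the identity the role named in the rule, at the assignment scope only (least privilege).
New-AzRoleAssignment -ObjectId $assignment.Identity.PrincipalId -RoleDefinitionName "Tag Contributor" -Scope $rg.ResourceId

# Compliance view: resources this assignment currently flags as non-compliant.
Get-AzPolicyState -ResourceGroupName $rg.ResourceGroupName `
    -Filter "PolicyAssignmentName eq 'ApplyCostCenterTag' and ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, PolicyDefinitionName, ComplianceState

# Remediation: the policy modifies new and updated resources at request time, but resources that
# already existed stay non-compliant until a remediation task is run against the assignment.
$assignmentId = "$($rg.ResourceId)/providers/Microsoft.Authorization/policyAssignments/ApplyCostCenterTag"
Start-AzPolicyRemediation -Name "costCenterTagRemediation" -PolicyAssignmentId $assignmentId `
    -ResourceGroupName $rg.ResourceGroupName -ResourceDiscoveryMode ReEvaluateCompliance
```

Role assignments can take a few minutes to propagate, so a remediation task started immediately after the grant may report authorization failures until the delay has passed.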
Azure Policy also supports advanced features like:
For example, an initiative might encompass policies to ensure audit logs are enabled for all services and that resources reside in specific regions.
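As an added example (not code from the original article), this script builds a parameterised custom policy and groups it with the EnforceManagedDisks definition from this page into an initiative, then assigns the initiative once so both rules apply at the scope. The definition, initiative and assignment names, the region list and "MyResourceGroup" are placeholders, and the PolicyDefinitionId property assumes Az.Resources 6.x.

```powershell
# Added example, not from the original article: a parameterised policy definition and an
# initiative (policy set) that bundles it with the EnforceManagedDisks definition.
# Placeholders: all names, the region list and "MyResourceGroup". Assumes Az.Resources 6.x.

# 1. A location policy whose allowed list is a parameter, so one definition serves many assignments.
$locationRule = @{
    "if" = @{
        "allOf" = @(
            @{ "field" = "location"; "notIn" = "[parameters('allowedLocations')]" },
            # Global resources carry the pseudo-location "global"; without this clause they are always denied.
            @{ "field" = "location"; "notEquals" = "global" }
        )
    }
    "then" = @{ "effect" = "deny" }
}
$locationParams = @{
    "allowedLocations" = @{
        "type"     = "Array"
        "metadata" = @{ "displayName" = "Allowed locations"; "strongType" = "location" }
    }
}
$locationPolicy = New-AzPolicyDefinition -Name "AllowedLocationsCustom" -DisplayName "Allowed locations (custom)" `
    -Policy ($locationRule | ConvertTo-Json -Depth 10) -Parameter ($locationParams | ConvertTo-Json -Depth 10)
$diskPolicy = Get-AzPolicyDefinition -Name "EnforceManagedDisks"

# 2. The initiative lists its member definitions and passes its own parameter through to the member.
$setParams = @{
    "regions" = @{ "type" = "Array"; "metadata" = @{ "displayName" = "Regions allowed by this initiative" } }
}
$members = @(
    @{
        "policyDefinitionId" = $locationPolicy.PolicyDefinitionId
        "parameters"         = @{ "allowedLocations" = @{ "value" = "[parameters('regions')]" } }
    },
    @{ "policyDefinitionId" = $diskPolicy.PolicyDefinitionId }
)
$initiative = New-AzPolicySetDefinition -Name "ComputeBaseline" -DisplayName "Compute baseline" `
    -PolicyDefinition ($members | ConvertTo-Json -Depth 10) -Parameter ($setParams | ConvertTo-Json -Depth 10)

# 3. One assignment applies every member at the chosen scope; parameter values are supplied once.
$scope = (Get-AzResourceGroup -Name "MyResourceGroup").ResourceId
New-AzPolicyAssignment -Name "ComputeBaselineAssignment" -PolicySetDefinition $initiative -Scope $scope `
    -PolicyParameterObject @{ "regions" = @("westeurope", "northeurope") }
```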
For reporting purposes, Azure Policy integrates with Azure Monitor and Azure Activity Log. This lets administrators track policy assignments, changes, and compliance states.
You can also manage Azure Policy through Azure PowerShell. For example, to create a new policy definition:
```powershell
# Deny VMs whose OS disk is an unmanaged VHD: osDisk.uri is only set for unmanaged disks.
# Matching on type alone would deny every VM, so the type test is combined with the disk check.
$policyRule = @{
    "if" = @{
        "allOf" = @(
            @{ "field" = "type"; "equals" = "Microsoft.Compute/virtualMachines" },
            @{ "field" = "Microsoft.Compute/virtualMachines/osDisk.uri"; "exists" = "true" }
        )
    }
    "then" = @{ "effect" = "deny" }
}
# ConvertTo-Json serialises only two levels by default; -Depth keeps the nested allOf array intact.
$policyRuleJson = $policyRule | ConvertTo-Json -Depth 10
New-AzPolicyDefinition -Name "EnforceManagedDisks" -DisplayName "Ensure Managed Disks" -Policy $policyRuleJson
```
And to assign this policy definition to a resource group, you would use:
```powershell
# -PolicyDefinition expects the definition object rather than its name, so look it up first.
$definition = Get-AzPolicyDefinition -Name "EnforceManagedDisks"
$rg = Get-AzResourceGroup -Name "MyResourceGroup"
New-AzPolicyAssignment -Name "ApplyManagedDisksPolicy" -PolicyDefinition $definition -Scope $rg.ResourceId
```
In conclusion, Azure Policy is an essential tool for Azure Administrators; it ensures governance and compliance across Azure resources. By understanding how to create, assign, and manage policies and initiatives in Azure, administrators can effectively monitor and enforce organizational standards.
True
Azure Policy can indeed be applied at various levels of Azure management hierarchy such as management groups, subscriptions, resource groups, and individual resources, allowing for fine-grained control over compliance.
False
Azure Policies are enforced on both existing resources and new resources once they are assigned. Policies evaluate the resources in real-time and during creation.
B) Azure Blueprint
Azure Blueprints allow you to define a repeatable set of Azure resources that implement and adhere to standards, patterns, and requirements, including grouping multiple related Azure policies.
True
Azure Policy includes a remediation feature that can automatically implement the necessary changes to make non-compliant resources compliant with the assigned policies.
C) A group of several Azure policies
In Azure Policy, an initiative is a collection of policies that are tailored towards achieving a specific goal or compliance requirement.
False
Azure Policy supports parameters in policy definitions. Parameters allow for the creation of more flexible and reusable policy definitions that can be customized for different scenarios.
B) DeployIfNotExists
The DeployIfNotExists effect is used in Azure Policy to deploy related resources if they do not already exist when the policy is evaluated.
False
Azure policies can have different effects including deny, audit, append, and other effects. The “deny” effect is just one possibility, and not all policies are set to “deny” by default.
B) Disable
Disable is not a valid effect in Azure Policy. The valid effects are Audit, Deny, Append, AuditIfNotExists, DeployIfNotExists, and Modify.
True
Azure Policy assignments are indeed inherited by child resources within the scope such as subscriptions, resource groups, or resources.
C) Assign a role with appropriate permissions
When leveraging a Managed Identity for remediation tasks in Azure Policy, you must assign it a role with the appropriate permissions needed to create or update the resources.
True
Test mode in Azure Policy allows you to see what impact a new policy or an updated policy would have on your resources without actually enforcing it, which is helpful for assessing the potential effects before full deployment.
Azure Policy is a service in Azure that allows you to create and manage policies to enforce compliance with organizational standards and regulations. It is important for organizations because it helps them ensure that their cloud environments are secure, compliant, and well-managed.
Some examples of policies that can be enforced using Azure Policy include resource naming conventions, resource tags, allowed resource types, and more.
To assign a policy in Azure Policy, you need to navigate to the Policies tab in the Azure portal. From here, you can create a new policy, or select an existing policy to assign. Once you have selected a policy, you can choose the scope at which the policy will be enforced (subscription, resource group, or resource), and configure any parameters that are required by the policy.
A policy definition in Azure Policy includes the policy rules that define the required compliance state.
A policy assignment in Azure Policy assigns the policy definition to a specific scope.
You can create and manage policies in Azure Policy using the Azure Policy API or PowerShell cmdlets.
A policy effect in Azure Policy is the enforcement action that is taken when a resource violates a policy. Examples of policy effects include deny, audit, or append.
You can view compliance status in Azure Policy by navigating to the Compliance tab in the Azure portal.
A policy initiative in Azure Policy is a collection of policy definitions that are meant to be applied together.
To create a custom policy in Azure Policy, you can create a policy definition using JSON format and assign it to a scope.
Yes, policies can be assigned to individual resources, as well as to resource groups and subscriptions.
To edit an existing policy assignment in Azure Policy, you can navigate to the policy assignment in the Azure portal and make the necessary changes.
A policy compliance assessment in Azure Policy is a report that shows the compliance status of resources with respect to the policies that are assigned to them.
A policy definition in Azure Policy is a single policy rule, while a policy initiative is a collection of policy definitions that are meant to be applied together.
To disable a policy in Azure Policy, you can navigate to the policy assignment in the Azure portal and set its enforcement mode to Disabled.