Hello and welcome back to the Cybrary Microsoft Azure Administrator AZ-103 course. I'm Will Carlson, and this is Episode nine, about policies. In today's episode, we're going to look at a policy definition and how it enforces compliance.
We're gonna apply that policy definition with an assignment to an appropriate scope.
We're also gonna discuss the schema of a policy definition, so the JSON template that makes a policy definition work.
We're gonna get right into the portal. And I want to point out as we get going that there are oftentimes a number of different ways to access what you want to access here within the portal.
Right now, to get to Policy, we could go to Subscriptions,
click one here, in this case the free trial, and you can see that Policy is an item in this section of the blade.
I could also go to Resource groups,
pick a resource group, and I can see that Policy is also an option here. A third option would be to come to All services
and search for policy, and I could navigate to Policy that way as well. There's not a wrong way to get to it. But rest assured, if I get to a particular item in Azure in a way that you're not familiar with, it's likely just a different way to get to the exact same thing.
We're gonna jump in here to this Get started blade in Policy, and I recommend you look through this, click around, and make sure all of this makes sense to you. It really is a great high-level view of what policy is all about in Azure.
But for us to get started, we're gonna go ahead and view a policy definition. Now,
a policy definition is going to be the rule set of what you want to happen or want to prevent within Azure.
And this is a list of all of the policy definitions. Now, one thing to note: these are not policies, Will. What's up? Well, these are initiatives, and initiatives are just a simple way to bundle policies together so that you don't have to deploy policies individually, one at a time.
You may have five or six policies that affect the location of resources within your Azure environment.
You want to bundle those up as an initiative and deploy those and manage those all at once. So an initiative is just a bundle of policies, and you can see that illustrated here in Azure. This particular initiative has 87 policies bundled in it.
You clearly wouldn't want to deploy those one at a time. You wouldn't want to have to remember which policies made up this initiative to have to deploy them.
But to get started, we're actually gonna look at just a policy definition,
so we can filter on that there. You can also search. I'm gonna go ahead and search for location.
What we're gonna look through here is the policy for preventing, or only allowing, resource groups from certain locations, also known as regions.
And this is the JSON for that policy definition.
Now, a couple of the things I want to call out here that are of particular importance to this policy definition: first of all is the mode.
There are two options here for mode, All and Indexed. All does just what it says: that policy can be applied to all resources within the scope
that you're applying it to.
Indexed is going to single out and only apply the policy to resources that support tags and locations.
This is particularly important because there are some resources, resource types in Azure, that aren't location bound. So there are some that are global in nature, and you wouldn't want to try to enforce a policy on a global resource that limited it to a particular location. It would not have the desired outcome that you want.
All and Indexed are the two options for mode.
Parameters are gonna be just like they were for our ARM template: gonna be things that are set at run time
so you can reuse this policy definition
in more than one instance.
Then we get down into the policy rule, the real heart of this policy, and the policyRule section is going to be an if-then block. So if these things are true or not, depending on how you set this, then we want you to do this effect. In this case, we want all of these things
to be true. So as long as our location is not in this list of allowed locations, which we set via a parameter,
and it is not a resource group, or, sorry, it is a resource group,
then we're going to deny it. So all this policy does is say: if it's not in the allowed locations and it's a resource group, deny.
There are a number of effects that are possible here other than Deny. Deny is gonna do exactly what it says: it's gonna deny you the ability to create a resource group that doesn't meet our policy. It's also gonna log in the activity log that that was attempted.
Audit is another option here; that's just gonna log the attempt. It will let it be done, but it's gonna log that it was done.
Append is another option here, and that's going to add fields to the request. A common example would be if you wanted to make sure a tag gets added to every resource; you would append that tag.
There's Audit if not exists. So if these resources don't exist, create them and make an audit log.
Deploy if not exists: if these resources don't exist already, then go ahead and deploy them. And then Disabled is the last effect, and that's just it. It's disabled. It's not going to hurt.
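To make the if-then logic concrete, here is an added example that is not part of the course: a small Python evaluator run over a policy definition modelled on the built-in "Allowed locations for resource groups" (the JSON below is reconstructed for illustration, not copied from the portal), with constructed assignment parameters that allow only Korea Central, as in the episode. The evaluator is a simplified model of Azure Policy and supports only allOf, not, equals and notIn plus the Indexed-mode skip for location-less resource types.

```python
import json

# Constructed policy definition modelled on the built-in "Allowed locations for
# resource groups" shown in the episode; the authoritative JSON is in the portal.
POLICY_DEFINITION = json.loads("""{
  "mode": "All",
  "parameters": {"listOfAllowedLocations": {"type": "Array",
      "metadata": {"displayName": "Allowed locations", "strongType": "location"}}},
  "policyRule": {
    "if": {"allOf": [
      {"field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups"},
      {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"}]},
    "then": {"effect": "deny"}}
}""")

# Constructed assignment parameters: only Korea Central is allowed, as in the episode.
ASSIGNMENT_PARAMETERS = {"listOfAllowedLocations": ["koreacentral"]}

def resolve(value, params):
    """Resolve a "[parameters('name')]" reference set at assignment time; other values pass through."""
    prefix, suffix = "[parameters('", "')]"
    if isinstance(value, str) and value.startswith(prefix) and value.endswith(suffix):
        return params[value[len(prefix):-len(suffix)]]
    return value

def matches(cond, resource, params):
    """Simplified condition evaluator: allOf / not, and field equals / notIn."""
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    if "not" in cond:
        return not matches(cond["not"], resource, params)
    actual = (resource.get(cond["field"]) or "").lower()   # Azure compares case-insensitively
    if "equals" in cond:
        return actual == resolve(cond["equals"], params).lower()
    if "notIn" in cond:
        return actual not in [v.lower() for v in resolve(cond["notIn"], params)]
    raise ValueError(f"unsupported condition: {cond}")

def effect_for(resource, definition=POLICY_DEFINITION, params=ASSIGNMENT_PARAMETERS):
    """Return the effect that applies to this request, or None when the 'if' block does not fire."""
    if definition["mode"] == "Indexed" and not resource.get("supportsLocation", True):
        return None                       # Indexed mode skips global, location-less types
    rule = definition["policyRule"]
    return rule["then"]["effect"] if matches(rule["if"], resource, params) else None

if __name__ == "__main__":
    rg = {"type": "Microsoft.Resources/subscriptions/resourceGroups", "name": "test"}
    print(effect_for({**rg, "location": "centralus"}))     # deny, as in the episode
    print(effect_for({**rg, "location": "koreacentral"}))  # None, the request proceeds
```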
So now, how do we assign this policy, and what does a policy assignment mean? So to
make policy work in Azure, you have to have the policy definition, which is what we looked at.
You assign that policy to a given scope.
Now, let's do this a little differently. We're gonna come here to Subscriptions. I'm gonna pick my free trial subscription, and I'm gonna click on Policy.
I'm going to assign a policy,
and you can see that we're already scoped into the free trial. That's because that's how I navigated to here; if we had done this from the Policy blade, it would have asked me what scope I wanted to use.
Now, these exclusions are just that: if there are certain resources within this subscription, or resource groups, that I don't want this policy to apply to, I can exclude them here.
This is the policy definition. So we're gonna go ahead and filter this space on location,
Allowed locations for resource groups, and hit Select.
I'm gonna put a description; it's not required. And then here I'm going to select
the locations, or regions, that are allowed. And just for the sake of illustration, I'm gonna go ahead and select
Korea Central. That's all that was allowed.
And I'm gonna go ahead and hit Assign,
and that's applied that policy to this subscription. Now again, we're at the subscription level, and the policy has applied to my free trial subscription, so my pay-as-you-go subscription does not have to deal with this policy.
One thing to illustrate here is the component and the concept of management groups.
Before management groups existed, if I wanted to apply the same policies to all of my subscriptions, you had to do it one at a time.
Management groups allow me to put an organizational unit above my subscriptions and apply policy to all of them at once.
I highly recommend you doing that for consistency's sake across an organization, but it's not required.
What we can see here is that Azure is applying this policy to all of the resources that are currently in this subscription. Now, you can see that it's not started yet.
It will take Azure up to an hour to apply this policy across all of my already deployed resources in this subscription. That's important to note:
for compliance, policy can take up to an hour to apply.
Now, if I want to go in and create a resource group within this
subscription, let's do just that.
Resource groups; let's add one.
We're gonna leave it in free trial, we're gonna call this test,
and we're gonna deploy this to Central US. That's clearly not in the region that was allowed. I'm gonna hit Review and create;
validation passed, and we're gonna create that resource.
So although policy takes some time to apply for compliance, it applies immediately for new resources and resource updates. So since I tried to deploy this in an unsupported region, it's going to fail. It's gonna give me some details about why that failed and what policy really affected me,
and it logs that away.
And it did not create that resource group.
Now, to complete the loop for managing policy, let's go back to Subscriptions. We're gonna go back to free trial, into the Policy blade,
and if I want to delete this policy, I can click here, delete the assignment,
and that policy definition is gone.
So in today's episode, we talked about how we set up policies with policy definitions, a bit about the JSON options that are there, so you can understand those as you go forward.
But we also talked about taking a policy definition, creating a policy assignment, and that that is applied to the given scope. And that scope could be a management group, a subscription, a resource group, or even down at the resource level itself.
Coming up in the next episode, we're gonna talk about how we very broadly can prevent things from happening to our resources in Azure via locks, and
also the concept of moving resources around in Azure to get them where we want them to be.
Thank you so much for joining me today. I look forward to talking more with you in the next episode.