Azure Policy Limits and Guidelines
1 hour 5 minutes
There are limits to the maximum counts of Azure Policy objects.
Like everything else in Azure, initiatives, policies and their elements are considered objects, and there are limitations on how many of those you can create.
The following table gives an overview of those limitations.
A few things to note here. First, the scope is either management group or subscription.
If your scope is a subscription, for example, you are limited to 500 policy definitions for this subscription, 100 initiatives and 100 assignments for the subscription.
Also note that you are limited to 1000 initiatives per tenant.
It doesn't mean that there is a limit to the policy definitions per tenant, but you are implicitly limited by the initiative limit.
Also, one important thing to remember is the limit of parameters for both the policy definition and the initiative definition.
You could have up to 20 parameters for a policy definition, or only up to 100 for an initiative.
This means that you need to carefully plan the parameters for your policies and initiatives.
Remember the CIS initiative that had 84 policies in it.
If each policy has at least two parameters and you want to expose all these parameters as initiative parameters, you will exceed this 100 limit.
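The parameter budget described above can be checked before an initiative is deployed. The following is an added example, not part of the original lesson: it validates an initiative definition against the limits quoted in the lesson and also flags parameters that are referenced but not declared, or declared but unused. The sample initiative and its parameter names and policy definition IDs are constructed placeholders.

```python
import re

# Limits as stated in the lesson.
MAX_POLICY_PARAMS = 20
MAX_INITIATIVE_PARAMS = 100

# Initiative members pass values through as "[parameters('name')]".
PARAM_REF = re.compile(r"parameters\('([^']+)'\)")


def check_policy(policy):
    """Findings for one policy definition; an empty list means within the limit."""
    count = len(policy.get("properties", {}).get("parameters", {}))
    if count > MAX_POLICY_PARAMS:
        return [f"{policy.get('name')}: {count} parameters, limit is {MAX_POLICY_PARAMS}"]
    return []


def check_initiative(initiative):
    """Findings for one initiative (policy set) definition."""
    props = initiative.get("properties", {})
    declared = set(props.get("parameters", {}))
    findings = []
    if len(declared) > MAX_INITIATIVE_PARAMS:
        findings.append(f"initiative declares {len(declared)} parameters, limit is {MAX_INITIATIVE_PARAMS}")
    referenced = set()
    for member in props.get("policyDefinitions", []):
        for arg in member.get("parameters", {}).values():
            referenced.update(PARAM_REF.findall(str(arg.get("value", ""))))
    findings += [f"referenced but not declared: {n}" for n in sorted(referenced - declared)]
    findings += [f"declared but never used: {n}" for n in sorted(declared - referenced)]
    return findings


def sample_initiative(policies, exposed_per_policy):
    """Constructed sample: each member exposes its own initiative parameters."""
    params, members = {}, []
    for i in range(policies):
        args = {}
        for j in range(exposed_per_policy):
            name = f"p{i}_param{j}"
            params[name] = {"type": "String"}
            args[f"param{j}"] = {"value": f"[parameters('{name}')]"}
        members.append({"policyDefinitionId": f"<policy-definition-id-{i}>", "parameters": args})
    return {"properties": {"parameters": params, "policyDefinitions": members}}


if __name__ == "__main__":
    for per_policy in (2, 1):
        print(per_policy, "per policy:", check_initiative(sample_initiative(84, per_policy)) or "within limits")
```

With 84 member policies, exposing two parameters each produces 168 initiative parameters and fails the check, while exposing one each stays within the limit at 84.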
Let's look at some guidelines on how to manage your policies.
When you create your definitions and assignments, consider the organizational hierarchies.
It is better to create definitions at higher levels, for example, management group or subscription, and assign them at the next child level.
For example, if you create a definition at a subscription level, you can scope the assignment down at the resource group level.
Create and assign initiative definitions, even for a single policy definition.
If in the future you have a second policy that has similar goals, you could easily include it in the initiative and track both policies together.
Start with the audit effect instead of the deny effect, and track the impact of your policy on the resources in your environment.
This way, you can learn how the resources are created and used, and will not hinder any manual or automated tasks.
Once you know what the impact of your policy is, you can start enforcing the policy.