Policy Definitions, Assignments and Parameters
The process of implementing Azure Policy has three steps.
First, defining the policy, where you describe what the policy's conditions and effects are.
Second, assigning the policy, where you describe the scope at which the policy takes effect. As we mentioned, the scope can vary from a management group to a subscription, a resource group or an individual resource.
Third, once the policy is assigned, it is continuously evaluated against the properties of the resources that are within the scope, and compliance reports are generated.
Let's look at how the policy definitions are created.
Policy definitions are JSON files that follow a defined schema.
Each definition contains the following elements.
The first element is the mode. There are two kinds of modes: Resource Manager modes and resource provider modes.
The Resource Manager mode can be All, for evaluating all resource groups and resource types, or Indexed, for evaluating only resource types that support tags and locations.
The resource provider modes are still in preview, and currently there are only three of them:
Microsoft.ContainerService.Data,
Microsoft.Kubernetes.Data,
and Microsoft.KeyVault.Data for managing vaults and certificates.
The next element is the parameters element.
Each parameter has a name, a type and metadata, as well as optional defaultValue and allowedValues properties.
Parameters help you simplify policy management by reducing the number of policies you need to create: the same policy can be reused for different scenarios.
Parameter values can also be specified at the time of policy assignment.
The default value is used in case the parameter is not explicitly specified during assignment.
The allowed values restrict which values can be specified at the time of assignment.
Parameters are also used in the rule section, which we will discuss shortly.
Next, there are the display name and the description of the policy.
These are user-friendly names and descriptions that you see, for example, in the Azure portal and in the compliance reports, and they help you identify and understand the purpose of the policy.
The display name is limited to 128 characters, while the description is limited to 512 characters.
Last is the policy rule, which is the most important part of the policy.
It consists of one or more if/then blocks. The if block contains one or more conditions that determine when the policy is enforced,
and you can use logical operators in the if block.
The then block determines what the effect is if the condition in the if block is fulfilled.
There is an extensive list of logical operators and conditions that you can use in the if block.
We will look more into the grammar details later in this course when we develop a custom policy. For now, it's enough to know that the if block gives you a lot of flexibility to create all kinds of conditions.
You can also use various effects in the then block.
You can deny actions if the policy is violated, you can modify resource properties with append or modify,
or you can just audit properties, and so on.
Once again, we will look into the details later in the course.
One important thing to remember is that policies have an explicit deny action.
This is important to know when you design your policy structure and assign it to a scope.
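To make the elements described above concrete, here is an added example (not code from this course or from Microsoft) that builds a policy definition in the documented JSON shape, with mode, parameters, displayName, description and policyRule, and then models how the if/then rule is evaluated against a resource. The definition, the resource properties and the assignment values are all constructed for illustration; the evaluator supports only a handful of conditions (equals, notEquals, in, notIn, exists, allOf, anyOf, not) and resolves `[parameters('name')]` by a plain lookup, so it is a teaching model of the rule semantics rather than Azure's engine.

```python
"""Minimal model of an Azure Policy definition and its if/then evaluation.
Added illustration, not Microsoft's engine: same JSON schema, but only a
subset of conditions, and mode-based resource-type filtering is not modelled."""
import re

# Constructed example definition (not a built-in policy shipped by Microsoft):
# deny, or merely audit, resources placed outside an allowed list of regions.
ALLOWED_LOCATIONS_POLICY = {
    "properties": {
        "displayName": "Allowed locations",                    # at most 128 characters
        "description": "Restricts the regions in which resources may be created.",  # at most 512
        "mode": "Indexed",    # evaluate only resource types that support tags and location
        "parameters": {
            "allowedLocations": {
                "type": "Array",
                "metadata": {"displayName": "Allowed locations",
                             "description": "Regions resources may be created in."},
                "defaultValue": ["westeurope", "northeurope"],          # used if not assigned
                "allowedValues": ["westeurope", "northeurope", "eastus"],  # assignment choices
            },
            "effect": {
                "type": "String",
                "metadata": {"displayName": "Effect", "description": "Audit or Deny."},
                "defaultValue": "Deny",
                "allowedValues": ["Audit", "Deny"],
            },
        },
        "policyRule": {
            "if": {"allOf": [                      # logical operator combining conditions
                {"field": "location", "notIn": "[parameters('allowedLocations')]"},
                {"field": "location", "notEquals": "global"},
            ]},
            "then": {"effect": "[parameters('effect')]"},
        },
    }
}

_PARAM_REF = re.compile(r"^\[parameters\('(\w+)'\)\]$")


def resolve_parameters(definition, assignment_values=None):
    """Merge assignment-time values with defaults and enforce allowedValues.
    A parameter with no default must be given at assignment time."""
    assignment_values = assignment_values or {}
    resolved = {}
    for name, spec in definition["properties"].get("parameters", {}).items():
        if name in assignment_values:
            value = assignment_values[name]
        elif "defaultValue" in spec:
            value = spec["defaultValue"]
        else:
            raise ValueError(f"parameter {name!r} has no default and was not assigned")
        allowed = spec.get("allowedValues")
        if allowed is not None:
            candidates = value if spec["type"] == "Array" else [value]
            rejected = [v for v in candidates if v not in allowed]
            if rejected:
                raise ValueError(f"{name}: {rejected} not in allowedValues {allowed}")
        resolved[name] = value
    return resolved


def _expand(value, params):
    """Replace a "[parameters('name')]" reference with its resolved value."""
    match = _PARAM_REF.match(value) if isinstance(value, str) else None
    return params[match.group(1)] if match else value


def _matches(condition, resource, params):
    """Evaluate one condition, recursing through allOf / anyOf / not."""
    if "allOf" in condition:
        return all(_matches(c, resource, params) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(_matches(c, resource, params) for c in condition["anyOf"])
    if "not" in condition:
        return not _matches(condition["not"], resource, params)
    actual = resource.get(condition["field"])
    if "equals" in condition:
        return actual == _expand(condition["equals"], params)
    if "notEquals" in condition:
        return actual != _expand(condition["notEquals"], params)
    if "in" in condition:
        return actual in _expand(condition["in"], params)
    if "notIn" in condition:
        return actual not in _expand(condition["notIn"], params)
    if "exists" in condition:
        return (actual is not None) == (str(condition["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {condition}")


def evaluate(definition, resource, assignment_values=None):
    """Return the effect the rule applies to `resource`, or None when the
    if block is not satisfied (the resource is compliant)."""
    params = resolve_parameters(definition, assignment_values)
    rule = definition["properties"]["policyRule"]
    if _matches(rule["if"], resource, params):
        return _expand(rule["then"]["effect"], params)
    return None


if __name__ == "__main__":
    # Constructed resource properties, not read from a real subscription.
    storage = {"type": "Microsoft.Storage/storageAccounts", "location": "eastus"}
    print(evaluate(ALLOWED_LOCATIONS_POLICY, storage))                        # Deny (defaults)
    print(evaluate(ALLOWED_LOCATIONS_POLICY, storage, {"effect": "Audit"}))   # Audit
    print(evaluate(ALLOWED_LOCATIONS_POLICY, storage, {"allowedLocations": ["eastus"]}))  # None
```

The three calls at the end show the parameter behaviour the lesson describes: with no assignment values the defaults apply and the storage account in eastus is denied; overriding only `effect` switches the same rule to Audit; and widening `allowedLocations` at assignment time makes the resource compliant, while a value outside `allowedValues` is rejected before any evaluation happens.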
Let's see now what you can do once you have the policy definition.
As we mentioned before,
the policy can be assigned to take effect within a specific scope: a management group, a subscription, a resource group or an individual resource.
Scope refers to all the management groups, subscriptions, resource groups and resources that the policy definition is assigned to.
Assignments are inherited by all child resources.
In our example, the policy definition is assigned to the management group. All subscriptions, resource groups and resources
that are within this management group will have the policy.
However, you can exclude a sub-scope from the policy assignment.
If you want to deny the creation of a specific resource in a subscription but allow its creation in just a single resource group, you can exclude that resource group from the policy.
One typical example is when you want to have a single VNet for a subscription and prevent developers from creating VNets in any resource group except the networking resource group:
you can exclude the networking resource group from the scope, and you can grant access only to specific users to create resources in that group.
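As an added example of the scoping rules above (not code from this course or from Azure itself), the following models how an assignment at a management group is inherited by every subscription, resource group and resource beneath it, and how excluding a sub-scope removes just that branch. Management-group membership is not encoded in a resource ID, so a small constructed hierarchy with placeholder names supplies it; the assignment mirrors the lesson's networking-resource-group scenario, with the definition ID left as a labelled placeholder.

```python
"""Model of Azure Policy assignment scope inheritance and sub-scope exclusion.
Added example, not Azure's own scope resolver; hierarchy and names are constructed."""

MG = "/providers/Microsoft.Management/managementGroups/"

# Constructed scope hierarchy: child scope -> parent scope (None at the root).
# Subscription and group names are placeholders, not real IDs.
PARENT = {
    MG + "contoso-root": None,
    MG + "prod": MG + "contoso-root",
    MG + "dev": MG + "contoso-root",
    "/subscriptions/sub-prod-1": MG + "prod",
    "/subscriptions/sub-dev-1": MG + "dev",
    "/subscriptions/sub-prod-1/resourceGroups/rg-networking": "/subscriptions/sub-prod-1",
    "/subscriptions/sub-prod-1/resourceGroups/rg-app": "/subscriptions/sub-prod-1",
    "/subscriptions/sub-dev-1/resourceGroups/rg-sandbox": "/subscriptions/sub-dev-1",
}


def containing_scope(resource_id):
    """Scope that directly contains a resource.
    A resource ID has the form /subscriptions/<sub>/resourceGroups/<rg>/providers/<type>/<name>,
    so everything before '/providers/' is its resource-group scope. Management-group
    and subscription/resource-group IDs are already scopes and are returned unchanged."""
    if resource_id.startswith(MG):
        return resource_id
    head, sep, _ = resource_id.partition("/providers/")
    return head if sep else resource_id


def scope_chain(scope):
    """The scope itself followed by each ancestor up to the root management group."""
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = PARENT.get(scope)
    return chain


def assignment_applies(assignment, resource_id):
    """True if the resource inherits the assignment and no excluded sub-scope
    (notScope) lies on its path to the root."""
    chain = scope_chain(containing_scope(resource_id))
    if assignment["scope"] not in chain:
        return False                     # resource sits outside the assigned scope
    return not any(excluded in chain for excluded in assignment.get("notScopes", []))


# Constructed assignment for the lesson's scenario: a definition that denies
# virtual networks, assigned at the 'prod' management group, with the
# networking resource group excluded so only that group may hold VNets.
DENY_VNET_ASSIGNMENT = {
    "policyDefinitionId": "<placeholder: definition denying Microsoft.Network/virtualNetworks>",
    "scope": MG + "prod",
    "notScopes": ["/subscriptions/sub-prod-1/resourceGroups/rg-networking"],
}

if __name__ == "__main__":
    vnet = "/providers/Microsoft.Network/virtualNetworks/"
    for rid in ("/subscriptions/sub-prod-1/resourceGroups/rg-app" + vnet + "vnet-app",
                "/subscriptions/sub-prod-1/resourceGroups/rg-networking" + vnet + "vnet-hub",
                "/subscriptions/sub-dev-1/resourceGroups/rg-sandbox" + vnet + "vnet-dev"):
        verdict = "denied by assignment" if assignment_applies(DENY_VNET_ASSIGNMENT, rid) else "not in scope"
        print(rid.rsplit("/", 1)[-1], "->", verdict)
```

Walking the chain from the resource upward is what makes inheritance and exclusion fall out naturally: a VNet in rg-app reaches the prod management group and is denied, a VNet in rg-networking hits the excluded group first and is left alone, and a VNet under the dev management group never reaches the assigned scope at all. Exclusion only narrows the assignment; as the lesson notes, who may create resources inside the networking group is a separate access-control decision.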
In the next video, we will look at how you can combine policies and apply them together as initiatives.