Azure Policies from the start!
Welcome to my first-ever technical article! In this post, I’ll be delving into Microsoft Azure Policy, an essential tool for implementing governance and ensuring compliance in the cloud.
As engineers, we’re often juggling complex systems, and understanding tools like Azure Policies can make a world of difference. My aim with this article—and future ones—is to share insights, practical tips, and real-world applications to help fellow engineers navigate challenges and achieve success.
This post is part of what I hope will become a long series of technical deep dives. Your feedback, thoughts, and questions are incredibly valuable, so don’t hesitate to share them. Together, let’s grow and learn as a community.
Let’s get started!
Governing Azure using custom policies
Microsoft Azure comes with a wide range of built-in policies. However, there are times when you need a specific policy that isn’t available out of the box. In such cases, you may need to create a custom policy to meet your requirements.
Starting with custom policy development can feel challenging at first, so I’ve created this blog post to guide you through the process of creating and using custom policies effectively.
This first article focuses on the very basics. Remediation, nested logic and other advanced features are left for the upcoming articles!
Before we dive in, let’s go over some key concepts!
The evaluation engine
Policies in Azure are assessed by the Azure Policy evaluation engine, which follows a “top-down” approach: the engine walks the conditions in a definition’s ‘if’ block in order, and in the common allOf pattern the first condition that does not match the resource ends the evaluation of that policy. The resource is then deemed “compliant” with it (for an audit or deny policy that effectively means “not applicable”).
An essential part of this evaluation process is understanding that all resources within Azure are considered “compliant” by default until a policy determines otherwise. The ‘if’ block of a policy therefore describes what a non-compliant resource looks like, and the ‘then’ block says what to do about it.
The evaluation process within Azure is automated: a full compliance cycle runs about once every 24 hours, so it can take that long for an existing estate to be fully evaluated against a changed policy. A resource that is created or updated inside an assigned scope is evaluated shortly afterwards (typically within about 15 minutes), and a newly created assignment is evaluated within roughly half an hour.
If you prefer not to wait for the automated cycle, you can trigger an on-demand scan. Note that the command below is an Azure PowerShell cmdlet (Az.PolicyInsights module), not an Azure CLI command, and that the parameter is -ResourceGroupName. Omit it to scan the whole subscription, or pass it to limit the scan to a single resource group:
Start-AzPolicyComplianceScan -ResourceGroupName {resourcegroup_name}
The Azure CLI equivalent is:
az policy state trigger-scan --resource-group {resourcegroup_name}
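Triggering the scan is only half the story; afterwards you want the per-assignment numbers and the list of resources that were actually flagged. The Azure PowerShell snippet below is an added example (not code from the article or from Itility’s framework). It assumes Connect-AzAccount has already run, that the Az.PolicyInsights module is installed, and that rg-policy-demo is a placeholder for your own resource group.

```powershell
# Added example, not from the article. Assumes Connect-AzAccount has run and
# the Az.PolicyInsights module is installed. 'rg-policy-demo' is a placeholder.
$rgName = 'rg-policy-demo'

# On-demand evaluation of one resource group. The cmdlet blocks until the scan
# has finished and returns $true; add -AsJob to run it in the background.
Start-AzPolicyComplianceScan -ResourceGroupName $rgName

# Roll-up numbers: how many resources and policies are non-compliant overall,
# broken down per assignment that applies to this resource group.
$summary = Get-AzPolicyStateSummary -ResourceGroupName $rgName
$summary.Results | Select-Object NonCompliantResources, NonCompliantPolicies
$summary.PolicyAssignments |
    Select-Object PolicyAssignmentId,
                  @{ n = 'NonCompliantResources'; e = { $_.Results.NonCompliantResources } }

# The latest evaluation record for every resource in scope that is non-compliant,
# together with the definition and assignment that flagged it. The OData filter
# is evaluated server-side, so only the hits come back.
Get-AzPolicyState -ResourceGroupName $rgName `
    -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, PolicyDefinitionName, PolicyAssignmentName, Timestamp |
    Format-Table -AutoSize
```

Because the scan is synchronous, running it right before Get-AzPolicyState is what makes the listing trustworthy; without it you are reading results that may be up to a day old.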
Terminology to understand
In IT, we're experts in abbreviations, terminology, and organizing concepts into groups—and Azure policies are no exception! The following section provides an overview to clarify the various terms and categories used in Azure policies.
Definition
The policy definition is the actual policy logic. It contains the code that determines whether a resource should be considered ‘non-compliant’ (the ‘if’ condition) and what should happen when it is (the ‘then’ effect).
A definition does nothing on its own; it must be assigned to a scope to take effect. From the top down, a scope can be:
· Management group
· Subscription
· Resource group
· Individual resource
Assignment
An assignment essentially activates a policy definition (or an initiative), putting it to work on a chosen scope. The assignment applies to every resource at that scope and everything beneath it: assign at a management group and all of its subscriptions, resource groups and resources inherit the policy, unless you carve part of the tree out with the assignment’s exclusions (notScopes).
Initiative
A collection of policies is called a policy set or initiative. Instead of assigning individual policies one by one, you assign the initiative once and Azure reports compliance both for the initiative as a whole and for each member policy. Parameters of the member policies can be surfaced as initiative parameters, so one assignment configures them all. This significantly reduces the administrative effort required to manage many policies.
Exemptions
As IT professionals, we usually write generic policies intended to cover all resources within their assigned scope. Sometimes, though, a specific resource legitimately cannot meet the rule. In such cases we create an exemption for it, so that it is no longer evaluated by that assignment. An exemption is recorded as either a Waiver (the risk is accepted) or Mitigated (the risk is addressed some other way), can carry an expiry date, and is itself visible in the compliance data, which makes it a far better audit trail than simply removing the resource from scope.
From top to bottom
Now that we have covered the basics, we can move to the next phase of the evaluation process. In this phase resources are actively assessed, and a resource that meets all the conditions in the ‘if’ block is flagged as “non-compliant” and receives the effect from the ‘then’ block: with audit it only shows up in the compliance report, with deny the create or update request is rejected outright. (Keep in mind that the effect, the evaluation mode and the complexity of the policy all play a role here; more on this in one of the upcoming articles!)
Let’s take the screenshot below as reference for evaluating policies:
Now we take a policy definition like the one below:
The key components to note are the parameters and the policy rule. Together they define what the policy checks and what happens on a match.
When the policy evaluation engine runs, it takes the policy from its assignment; let’s assume it is assigned at the resource group level. The engine then checks each resource in the group against the policy rule. But hold on: the ‘if’ block of the definition controls when the policy actually applies!
The allOf condition specifies that all criteria within the collection (indicated by [ ]) must be met for a resource to be considered non-compliant. For instance, if the engine is looking at a virtual machine, evaluation halts at the first condition (‘type’ equals Microsoft.Storage/storageAccounts) because it does not match, and the resource is immediately marked ‘compliant’ with respect to this policy.
The next condition is only evaluated when the resource is of type Microsoft.Storage/storageAccounts. In our case it validates whether anonymous public access is enabled, which on a storage account is the allowBlobPublicAccess property.
This is a property of the Microsoft.Storage/storageAccounts resource. Such properties can be found through the REST API reference, the Microsoft documentation, or the JSON view of the resource in the portal. Within Azure itself, Azure Resource Graph Explorer is the quickest way to inspect them (definitely worth checking out!). Note that a policy rule does not reference the raw JSON path but a policy alias for it, here Microsoft.Storage/storageAccounts/allowBlobPublicAccess.
Only if the property value is not ‘false’ (which includes the case where the property is absent altogether) do both conditions hold. The resource is then marked ‘non-compliant’ and the effect specified in the ‘then’ block is applied.
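To tie the terminology from the previous section (definition, assignment, exemption) to the storage-account walkthrough above, here is the whole lifecycle in Azure PowerShell: a definition with the allOf rule and an effect parameter, its assignment to a resource group, and a time-boxed exemption for one account. This is an added example, not code from the article or from Itility’s framework. It assumes the public-access property discussed above is allowBlobPublicAccess (alias Microsoft.Storage/storageAccounts/allowBlobPublicAccess), that Connect-AzAccount has run with the Az.Resources module installed, and that the resource group, storage account, definition and assignment names are placeholders you replace with your own.

```powershell
# Added example, not from the article. Assumes Connect-AzAccount has run and
# Az.Resources is installed. All names below are placeholders.
$rgName = 'rg-policy-demo'
$scope  = (Get-AzResourceGroup -Name $rgName).ResourceId

# 1. Definition: the policy rule. Conditions are evaluated top-down; anything
#    that is not a storage account fails the first allOf entry and is treated
#    as compliant (not applicable) for this policy. The second entry matches
#    when allowBlobPublicAccess is not "false", which also covers the case
#    where the property is missing from the resource.
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
      { "not": {
          "field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess",
          "equals": "false"
      } }
    ]
  },
  "then": { "effect": "[parameters('effect')]" }
}
'@

# The effect is a parameter so the same definition can be assigned as Audit
# first and switched to Deny later without editing the rule.
$params = @'
{
  "effect": {
    "type": "String",
    "allowedValues": [ "Audit", "Deny", "Disabled" ],
    "defaultValue": "Audit",
    "metadata": { "displayName": "Effect" }
  }
}
'@

$definition = New-AzPolicyDefinition -Name 'storage-no-public-blob-access' `
    -DisplayName 'Storage accounts must not allow public blob access' `
    -Mode Indexed -Policy $rule -Parameter $params

# 2. Assignment: activates the definition on the resource group. Everything in
#    the group is evaluated; start with Audit and read the report before Deny.
$assignment = New-AzPolicyAssignment -Name 'storage-no-public-blob-access' `
    -DisplayName 'No public blob access (audit)' `
    -Scope $scope -PolicyDefinition $definition `
    -PolicyParameterObject @{ effect = 'Audit' }

# 3. Exemption: one account is allowed to keep public access for 30 days.
#    It stays in scope but is no longer counted as non-compliant for this
#    assignment, and the waiver itself is visible in the compliance data.
$legacyAccountId = "$scope/providers/Microsoft.Storage/storageAccounts/stlegacydemo"   # placeholder
New-AzPolicyExemption -Name 'legacy-static-site-waiver' `
    -PolicyAssignment $assignment -Scope $legacyAccountId `
    -ExemptionCategory Waiver -ExpiresOn (Get-Date).AddDays(30) `
    -Description 'Anonymous read required until the static site moves behind a CDN'
```

The alias used in the rule is not guessed: Get-AzPolicyAlias -NamespaceMatch 'Microsoft.Storage' lists every property of the storage resource types that Azure Policy can reason about, which is the first thing to check when a custom policy silently never matches. Once the audit report looks right, change the assignment’s effect parameter to Deny rather than creating a second definition.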
Wrapping it up
This provides an overview of how Azure policies are implemented, how to combine multiple policies into a cohesive set, and how the evaluation process works. For engineers like me, understanding the underlying mechanics is invaluable for gaining a deep insight into the technology.
At Itility, we’re big on effective policy management, and since we’re dedicated to automation, we’ve developed a framework that automates all our Azure policies, initiatives, and assignments to fully govern an Azure deployment. Interested in exchanging experiences? Let’s connect!
Comments
Virtualization Engineer at Itility: Keep up the good work, Bart!! Can't agree more: do it right from the start onwards! Good article, Bart!
Network Engineer at Itility: Easy-to-understand but also very insightful article! Best of luck on your great initiative!
Provider of dedicated, passionate, professional Scrum Teams / Agile Leader / Leadership coach / Professional Scrum Master: Nice going, Bart!
Lead Corporate Recruiter at Itility: A nice step on the road to MVP!