Differences

This shows you the differences between two versions of the page.

--- azure:azure_policy [2024/08/26 19:37] – [Policy Evaluation] mmuze
+++ azure:azure_policy [2024/10/04 14:13] (current) – [Effect Order Of Evaulation] mmuze
@@ Line 2: / Line 2: @@
   * [[https://learn.microsoft.com/en-us/azure/governance/policy/overview|Azure Policy]]
     * Azure Policy helps to enforce organizational standards and to assess compliance at-scale.
-  * Policies can be grouped together into //Initiatives// or //policySet//.
+  * Policies can be grouped together into //Initiatives// (aka //policySets//).
   * Azure Policy Guest Configuration agent is the service that runs on a VM to audit and remediate configuration issues
@@ Line 27: / Line 27: @@
   * Block actions on resources
+==== Effect Order Of Evaulation ====
+There is an order of precedence for the possible policy //effects//.
+  * [[https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-basics#order-of-evaluation]]
+  * disable
+  * append and modify
+  * deny
+    * The Deny effect prevents a resource from being created or modified (including deleted) if it violates a policy rule.
+  * audit
+  * manual
+  * auditIfNotExists
+  * denyAction
+    * It prevents the deletion of resources that match a specified condition, such as a specific resource type or tag value.
+<callout type="info">
+//Deny// effect applies to all actions (create, update, delete), while //DenyAction// effect only applies to deletion actions.
+  * Use Deny effect when you want to block all unauthorized actions (create, update, delete) on a resource that does not support tags and locations.
+  * Use DenyAction effect when you want to specifically prevent the deletion of resources that support tags and locations, such as virtual networks or storage accounts.
+</callout>