====== Azure Policy ======

Page azure/azure_policy.txt, last modified 2024/10/04 14:13 by mmuze.

  * [[https://learn.microsoft.com/en-us/azure/governance/policy/overview|Azure Policy]]
  * Azure Policy helps to enforce organizational standards and to assess compliance at scale.
  * Policies can be grouped together into //Initiatives// (aka //policySets//).
  * The Azure Policy Guest Configuration agent is the service that runs on a VM to audit and remediate configuration issues.

===== Examples of Using Policy =====

  * Require newly created resources to have certain tags.
  * Disallow creation of certain resource types.
  * Constrain the regions where resources can be deployed.
  * Require virtual machines to be configured with encryption at rest for disk storage.

===== Policy Evaluation =====

Times or events when policies are evaluated:

  * A resource is created or updated in a scope with a policy assignment.
  * A policy or initiative is newly assigned to a scope.
  * A policy or initiative already assigned to a scope is updated.
  * During the standard compliance evaluation cycle, which occurs once every 24 hours.

==== Evaluation Response ====

Options for responding to compliance issues:

  * Deny the resource change
  * Log the change to the resource
  * Alter the resource before the change
  * Alter the resource after the change
  * Deploy related compliant resources
  * Block actions on resources

==== Effect Order of Evaluation ====

There is an order of precedence for the possible policy //effects// (see [[https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-basics#order-of-evaluation|order of evaluation]]):

  * disable
  * append and modify
  * deny
    * The Deny effect prevents a resource from being created or modified (including deletion) if it violates a policy rule.
  * audit
  * manual
  * auditIfNotExists
  * denyAction
    * It prevents the deletion of resources that match a specified condition, such as a specific resource type or tag value.

<callout type="info">
The //Deny// effect applies to all actions (create, update, delete), while the //DenyAction// effect only applies to deletion actions.

  * Use the Deny effect when you want to block all unauthorized actions (create, update, delete) on a resource that does not support tags and locations.
  * Use the DenyAction effect when you want to specifically prevent the deletion of resources that support tags and locations, such as virtual networks or storage accounts.
</callout>
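As an added illustration of the deny/denyAction distinction above (example code, not from this page or from Microsoft): two constructed policy definitions written in the Azure Policy JSON layout, plus a small Python evaluator for the condition subset they use. The evaluator, the resource names and the tag values are assumptions for the demonstration; the real Azure Policy engine supports far more of the language.

```python
# Added example (not Microsoft's code): constructed policy definitions in the real
# Azure Policy JSON layout, plus a toy evaluator for a small subset of the language.
REQUIRE_OWNER_TAG = {  # deny: rejects create/update of an untagged storage account
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"field": "tags['owner']", "exists": "false"},
    ]},
    "then": {"effect": "deny"},
}
PROTECT_PROD_VNETS = {  # denyAction: rejects only the listed action (delete)
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Network/virtualNetworks"},
        {"field": "tags['environment']", "equals": "prod"},
    ]},
    "then": {"effect": "denyAction", "details": {
        "actionNames": ["delete"], "cascadeBehaviors": {"containers": "deny"}}},
}
RESOURCES = {  # constructed sample resources, keyed by name
    "stuntagged": {"type": "Microsoft.Storage/storageAccounts", "tags": {}},
    "vnet-prod": {"type": "Microsoft.Network/virtualNetworks", "tags": {"environment": "prod"}},
}

def get_field(resource, field):
    """Resolve a field alias: "tags['x']" reads that tag, else a top-level key."""
    if field.startswith("tags['") and field.endswith("']"):
        return resource.get("tags", {}).get(field[6:-2])
    return resource.get(field)

def matches(cond, resource):
    """Recursively evaluate an Azure-style 'if' condition (allOf/anyOf/not/equals/exists)."""
    if "allOf" in cond: return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond: return any(matches(c, resource) for c in cond["anyOf"])
    if "not" in cond: return not matches(cond["not"], resource)
    value = get_field(resource, cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "exists" in cond:  # Azure accepts "true"/"false" strings or booleans
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(policy, resource, action):
    """Return the effect that blocks `action` (create/update/delete), or None."""
    if not matches(policy["if"], resource):
        return None
    then = policy["then"]
    if then["effect"] == "deny" and action in ("create", "update"):
        return "deny"
    if then["effect"] == "denyAction" and action in then["details"]["actionNames"]:
        return "denyAction"
    return None
```

Running `evaluate(REQUIRE_OWNER_TAG, RESOURCES["stuntagged"], "create")` yields `"deny"`, while `evaluate(PROTECT_PROD_VNETS, RESOURCES["vnet-prod"], "update")` yields `None` because denyAction only lists `delete`.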