Azure Policy: Governance at Scale
Azure Policy enforces standards and assesses compliance across your Azure resources. It’s the foundation of cloud governance.
Built-in Policies
```bash
# List built-in policies
az policy definition list --query "[?policyType=='BuiltIn'].{Name:displayName, Category:metadata.category}" -o table
```
Common policies:
- Allowed locations
- Allowed VM SKUs
- Require tags
- Enforce encryption
Custom Policy
```json
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Storage/storageAccounts"
        },
        {
          "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
          "notEquals": true
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}
```
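As an added example (not part of the original post), a small Python dry-run evaluator for the policy rule above: it applies the same allOf / equals / notEquals logic to constructed sample resources and shows which ones would be denied, and with_effect() swaps the effect to audit for a first rollout. It assumes alias values are keyed directly by alias name and that a missing field simply compares unequal; it does not reproduce the service's full evaluation semantics.

```python
import json

# The page's custom policy rule, as a Python dict (same conditions as the JSON above).
POLICY = {
    "mode": "All",
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
             "notEquals": True},
        ]},
        "then": {"effect": "deny"},
    },
    "parameters": {},
}

# Constructed sample resources; assumption: alias values are stored under the alias name.
SAMPLE_RESOURCES = [
    {"name": "stprod01", "type": "Microsoft.Storage/storageAccounts",
     "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly": True},
    {"name": "stlegacy", "type": "Microsoft.Storage/storageAccounts",
     "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly": False},
    {"name": "vm-web", "type": "Microsoft.Compute/virtualMachines"},
]

def _match(cond, resource):
    """Evaluate one condition: allOf / anyOf, or a field equals / notEquals test."""
    if "allOf" in cond:
        return all(_match(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_match(c, resource) for c in cond["anyOf"])
    value = resource.get(cond["field"])  # missing field -> None (simplification)
    if "equals" in cond:
        return value == cond["equals"]
    if "notEquals" in cond:
        return value != cond["notEquals"]
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(policy, resources):
    """Map each resource name to the effect it would receive ('none' if the rule does not match)."""
    rule = policy["policyRule"]
    return {r["name"]: rule["then"]["effect"] if _match(rule["if"], r) else "none"
            for r in resources}

def with_effect(policy, effect):
    """Deep copy of the policy with a different effect, e.g. 'audit' for a first rollout."""
    clone = json.loads(json.dumps(policy))
    clone["policyRule"]["then"]["effect"] = effect
    return clone
```

Running evaluate() on the samples flags only stlegacy, the account with secure transfer disabled; the VM never matches the type condition.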
Effects
| Effect | Description |
|---|---|
| Deny | Block non-compliant creation/update |
| Audit | Log non-compliance |
| Append | Add fields (e.g., tags) |
| DeployIfNotExists | Deploy missing resources |
| Modify | Change resource properties |
| Disabled | Policy not enforced |
Policy Initiatives
Group related policies:
```bash
# Create initiative from multiple policies
az policy set-definition create \
  --name "SecurityBaseline" \
  --definitions '[
    {"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/..."},
    {"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/..."}
  ]'
```
Assignment
```bash
# Assign to subscription
az policy assignment create \
  --name "enforce-tags" \
  --policy "/providers/Microsoft.Authorization/policyDefinitions/require-tag" \
  --params '{"tagName": {"value": "CostCenter"}}' \
  --scope "/subscriptions/xxx"
```
Compliance Dashboard
Azure Portal → Policy → Compliance shows:
- Overall compliance percentage
- Non-compliant resources
- Remediation tasks
Start with the Audit effect so non-compliant resources are logged without blocking deployments, then move to Deny once you understand the impact.