Part 6: Azure Policy
Source: John Savill's Azure Master Class v3 - Part 3: Governance
Video Timestamps: 1:18:00 - 1:32:00
AZ-104 Relevance: ⭐⭐⭐⭐⭐ CRITICAL - Heavily tested
What is Azure Policy?
Azure Policy enforces rules on resources. Unlike RBAC (WHO can do WHAT), Policy controls HOW resources can exist.
Key Concept: Even an Owner can be blocked by Policy!
Policy Flow
Policy Definition
A definition is the rule written in JSON.
Structure
```json
{
  "if": {
    "field": "type",
    "equals": "Microsoft.Storage/storageAccounts"
  },
  "then": {
    "effect": "deny"
  }
}
```
Translation: IF the resource type is a storage account, THEN deny the request.
Fields You Can Check
| Field | Example |
|---|---|
| type | Resource type (Microsoft.Storage/storageAccounts) |
| location | Region (eastus, westeurope) |
| tags | Any tag value |
| properties.* | Any resource property (SKU, settings) |
Policy Effects
| Effect | Behavior |
|---|---|
| Deny | Block non-compliant creation/update |
| Audit | Allow but flag as non-compliant |
| AuditIfNotExists | Audit if related resource missing |
| DeployIfNotExists (DINE) | Auto-deploy missing related resource |
| Modify | Change properties during create/update |
| Disabled | Policy exists but doesn't run |
| Append | Add properties (deprecated, use Modify) |
Evaluation Order
Important: Deny is evaluated BEFORE the resource is created. DINE runs AFTER.
Common Policy Scenarios
| Scenario | Effect | Example |
|---|---|---|
| Block public storage | Deny | Prevent storage with public access |
| Require tags | Deny | Must have costCenter tag |
| Allowed locations | Deny | Only eastus and westeurope |
| Audit unencrypted | Audit | Flag VMs without disk encryption |
| Add tags | Modify | Auto-add createdBy tag |
| Deploy diagnostics | DINE | Auto-enable logging |
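To make the if/then model, the field aliases and the effect ordering above concrete, here is a small evaluator written as an added example for these notes. It is not Azure's policy engine and not code from the video: it supports only a subset of conditions (allOf, equals, notIn, exists) and the `[parameters('name')]` reference syntax, and the three sample assignments are constructed to mirror the scenarios table, not real built-in definitions.

```python
import re
# Request-time effects in the order the notes give; the *IfNotExists effects run after creation.
EFFECT_ORDER = ["disabled", "append", "modify", "deny", "audit", "auditifnotexists", "deployifnotexists"]

def field_value(resource, field):
    """Resolve a policy 'field' alias: 'type', 'location', 'tags[name]' or 'properties.a.b'."""
    m = re.fullmatch(r"tags\[(.+)\]", field)
    if m:
        return resource.get("tags", {}).get(m.group(1))
    cur = resource
    for part in field.split("."):
        cur = cur.get(part) if isinstance(cur, dict) else None
    return cur

def resolve(value, params):
    """Substitute a "[parameters('name')]" reference with the assignment's parameter value."""
    m = re.fullmatch(r"\[parameters\('(\w+)'\)\]", value) if isinstance(value, str) else None
    return params[m.group(1)] if m else value

def matches(cond, resource, params):
    """Evaluate an 'if' block: an allOf group or a single field comparison (subset of Azure's syntax)."""
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    actual = field_value(resource, cond["field"])
    if "equals" in cond:
        return actual == resolve(cond["equals"], params)
    if "notIn" in cond:
        return actual not in resolve(cond["notIn"], params)
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(resource, assignments):
    """Effects that fire for a create/update request, sorted so Deny is settled before Audit."""
    fired = []
    for a in assignments:
        params, rule = a.get("parameters", {}), a["policyRule"]
        effect = resolve(rule["then"]["effect"], params).lower()
        if effect != "disabled" and matches(rule["if"], resource, params):
            fired.append(effect)
    return sorted(fired, key=EFFECT_ORDER.index)

# Constructed sample assignments mirroring the scenarios table (not Azure's built-in definitions).
ASSIGNMENTS = [
    {"policyRule": {"if": {"allOf": [{"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
                                     {"field": "properties.allowBlobPublicAccess", "equals": True}]},
                    "then": {"effect": "audit"}}},
    {"policyRule": {"if": {"field": "tags[costCenter]", "exists": "false"}, "then": {"effect": "deny"}}},
    {"policyRule": {"if": {"field": "location", "notIn": "[parameters('allowed')]"}, "then": {"effect": "deny"}},
     "parameters": {"allowed": ["eastus", "westeurope"]}},
]
```

A request that trips both the location and public-access rules returns `["deny", "audit"]`: the deny is what the caller sees, and the audit finding is what shows up in the compliance view.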
Policy Assignment
A definition does nothing until assigned.
Assignment Components
| Component | Description |
|---|---|
| Policy/Initiative | What rule(s) to apply |
| Scope | Where (MG, Sub, RG) |
| Exclusions | What to skip |
| Parameters | Values for the policy |
| Non-compliance message | Custom error text |
Assignment Flow
Initiatives (Policy Sets)
An initiative bundles multiple policies together.
Why? Easier to assign one initiative than 50 individual policies.
Built-in Initiatives
| Initiative | Purpose |
|---|---|
| Azure Security Benchmark | Microsoft's security best practices |
| CIS Benchmark | Industry security standard |
| ISO 27001 | Compliance framework |
| NIST SP 800-53 | US government standard |
Policy Exemptions
When a resource legitimately can't comply, use an exemption.
Exemption Types
| Type | Duration |
|---|---|
| Waiver | Permanent exception |
| Mitigated | Compliance achieved another way |
Exemptions can have expiry dates.
Policy Evaluation
When Policies Run
| Trigger | Timing |
|---|---|
| Resource create/update | Immediate |
| Policy assignment | Within 30 minutes |
| Full evaluation cycle | Every 24 hours |
| On-demand | Manual trigger |
Compliance States
| State | Meaning |
|---|---|
| Compliant | Passes all applicable policies |
| Non-compliant | Fails one or more policies |
| Exempt | Has an exemption |
| Unknown | Not yet evaluated |
Viewing Compliance
Portal → Policy → Compliance
Shows:
- Overall compliance percentage
- Non-compliant resources
- Which policies they fail
Remediation Tasks
For Modify and DINE policies, existing non-compliant resources need remediation.
How Remediation Works
- Policy deployed with DINE effect
- Existing resources flagged non-compliant
- Create remediation task
- Task runs to fix existing resources
- New resources auto-fixed at creation
Managed Identity Requirement
DINE and Modify policies need a managed identity to make changes. The identity needs permissions to perform the remediation actions.
Policy vs RBAC
| Aspect | RBAC | Policy |
|---|---|---|
| Controls | WHO can do actions | HOW resources must be configured |
| Deny | No deny capability | Can deny |
| Default | Deny (must grant access) | Allow (must add restrictions) |
| Applied to | Users/apps | Resources |
| Inheritance | Down the hierarchy | Down the hierarchy |
Remember: RBAC is about identity, Policy is about resources.
Mental Model
Policy = Building Code Inspector 👷
- You have permission to build (RBAC = building permit)
- But inspector checks: "Is this up to code?"
- Non-compliant? Can't build (Deny) or get flagged (Audit)
- Some inspectors auto-fix issues (Modify/DINE)
Initiative = Inspection Checklist 📋
- Multiple code requirements bundled together
- Pass the checklist = compliant building
AZ-104 Exam Tips
| Topic | Key Point |
|---|---|
| Policy vs RBAC | Policy = resources, RBAC = identities |
| Effects order | Disabled → Append → Modify → Deny → Audit → DINE |
| DINE | Runs AFTER resource creation |
| Initiative | Collection of policies |
| Exemption | Waiver (permanent) vs Mitigated |
| Compliance | Evaluated every 24 hours + on changes |
| Remediation | Required for existing resources with DINE/Modify |
Practical Exercises
Exercise 1: View Built-in Policies (5 min)
- Portal → Policy → Definitions
- Filter by Category: Tags
- Find "Require a tag on resources" and review the JSON
Exercise 2: View Compliance (3 min)
- Portal → Policy → Compliance
- See overall compliance percentage
- Click a non-compliant policy to see affected resources
Exercise 3: Assign a Policy (10 min)
- Portal → Policy → Assign policy
- Scope: Your test resource group
- Policy: "Allowed locations"
- Parameter: Select only one region
- Try creating a resource in a different region - watch it fail
End of Part 6