Configuring and managing Azure Policy is a crucial topic when preparing for the “AZ-104 Microsoft Azure Administrator” exam. This post walks you through some of the core concepts related to Azure Policy and why it is an essential tool for Azure administrators.

I. Understanding Azure Policy

Azure Policy is a vital service in Azure that assists you in maintaining organizational control and governance in your Azure environment. It permits you to create, assign, and manage policies that enforce different rules and effects over your resources, ensuring those resources stay compliant with your corporate standards and service level agreements.

Azure Policy does this by running evaluations of your resources, scanning for those not compliant with the policies you have implemented. This makes it very useful for enforcing a specific regulatory compliance framework across an entire Azure environment.

II. Configuring Azure Policy

The primary use of Azure Policy involves the configuration of policy definitions and assigning those policy definitions at a specific scope.

a. Policy Definitions

A policy definition expresses what to evaluate and what action to take. For instance, you might establish a policy to prohibit account administrators from creating network security groups.

As an example, below is a simplified version of a policy definition expressed in JSON:

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Network/networkSecurityGroups"
        },
        {
          "field": "Microsoft.Network/networkSecurityGroups/location",
          "equals": "westus"
        }
      ]
    },
    "then": {
      "effect": "audit"
    }
  }
}
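To make the if/then structure concrete, here is a small Python model (added for this post; it is not Azure's evaluation engine or any Microsoft code) that evaluates policy rules of the shape shown above against a resource's JSON. It goes beyond the single example by also handling a parameterised deny rule for allowed regions, the kind of built-in location restriction discussed later; the alias table, both definitions and the sample resources are constructed for illustration.

```python
import re

# Provider-specific policy aliases map onto paths in the resource JSON; plain names such as
# "type" and "location" are looked up directly. Constructed for this example, not Azure's alias list.
ALIASES = {"Microsoft.Network/networkSecurityGroups/location": ("location",)}

# The definition shown in this post, as straight-quoted JSON: audit NSGs deployed in westus.
NSG_AUDIT_POLICY = {
    "mode": "All",
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Network/networkSecurityGroups"},
            {"field": "Microsoft.Network/networkSecurityGroups/location", "equals": "westus"}]},
        "then": {"effect": "audit"}}}

# Constructed parameterised definition: deny any resource outside the regions supplied at assignment.
ALLOWED_LOCATIONS_POLICY = {
    "mode": "All",
    "parameters": {"allowedLocations": {"type": "Array"}},
    "policyRule": {
        "if": {"field": "location", "notIn": "[parameters('allowedLocations')]"},
        "then": {"effect": "deny"}}}

def field_value(resource, field):
    node = resource
    for key in ALIASES.get(field, (field,)):
        node = node.get(key) if isinstance(node, dict) else None
    return node

def param_value(value, params):
    # "[parameters('name')]" is replaced by the value given on the assignment; literals pass through.
    m = re.fullmatch(r"\[parameters\('(\w+)'\)\]", str(value))
    return params[m.group(1)] if m else value

OPERATORS = {"equals": lambda a, e: a == e, "notEquals": lambda a, e: a != e,
             "in": lambda a, e: a in e, "notIn": lambda a, e: a not in e}

def holds(cond, resource, params):
    if "allOf" in cond:  # every sub-condition must match for the rule to fire
        return all(holds(c, resource, params) for c in cond["allOf"])
    actual = field_value(resource, cond["field"])
    for op, test in OPERATORS.items():
        if op in cond:
            return test(actual, param_value(cond[op], params))
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(definition, resource, params=None):
    """Return 'compliant' if the 'if' block does not match, else the effect: 'audit' flags, 'deny' blocks."""
    rule = definition["policyRule"]
    return rule["then"]["effect"].lower() if holds(rule["if"], resource, params or {}) else "compliant"
```

A resource that does not match the `if` block is simply compliant; an `audit` match is allowed through and recorded as non-compliant, while a `deny` match is the outcome that would block the deployment.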

b. Scope of Assignments

You can apply policy definitions to resource groups, subscriptions or even a management group that spans your whole organization. When a policy is assigned, it gets enforced on all its child resources within that scope. For example, if you assign a policy at a subscription level, the policy gets enforced on all resource groups and resources within that subscription.

III. Managing Azure Policy

Managing Azure Policy involves tracking your resources’ compliance status and working to remediate any non-compliant resources to bring them back to a compliant state.

Azure provides a lovely overview dashboard that shows the compliance state of all your resources.

a. Remediation

The auto-remediation settings enable you to enforce compliance with your policies. Some policies support automatic remediation, such as ensuring a specific tag exists on a resource. If a resource does not have the defined tag, Azure Policy can be configured to add it automatically.

b. Compliance Reports

Compliance reports can be created manually or automatically to help you keep in line with your specific compliance requirements. These reports are useful not just for auditing purposes; they also assist in tracking and monitoring your ongoing compliance efforts.

By properly configuring and managing Azure Policy, you can effectively keep your environment safe and compliant, as well as manage costs and standardize your resources. This is crucial knowledge for any aspiring Azure administrator prepping for the AZ-104 exam.

Practice Test

True or False: Azure Policy allows you to create and manage company policies at various scopes.

  • True
  • False

Answer: True

Explanation: Azure Policy can be scoped to manage policies at the level of the management group, subscription, and resource group, allowing greater flexibility and control.

Which Azure Policy effect allows the modification of existing resources?

  • A. Append
  • B. Deny
  • C. DeployIfNotExists
  • D. Modify

Answer: D. Modify

Explanation: The Modify effect in Azure Policy lets you make changes to existing resources to match the policy definitions.

True or False: In Azure Policy, you cannot use custom policy definitions.

  • True
  • False

Answer: False

Explanation: Azure Policy allows you to use built-in policy definitions as well as custom policy definitions.

The _____________ scope in Azure Policy allows applying a policy to all Azure resources across multiple subscriptions.

  • A. Subscription
  • B. Management group
  • C. Resource group
  • D. Tenant

Answer: B. Management group

Explanation: The Management group scope in Azure Policy allows you to apply a policy to all resources in multiple subscriptions.

Multiple Select: Which of the following are built-in effects in an Azure policy definition?

  • A. DeployIfNotExists
  • B. AuditIfNotExists
  • C. Delete
  • D. Audit

Answer: A. DeployIfNotExists, B. AuditIfNotExists, D. Audit

Explanation: The built-in effects in an Azure policy definition are Audit, Deny, DeployIfNotExists, AuditIfNotExists, and Disabled.

True or False: Azure Policy can enforce tags and values on resources.

  • True
  • False

Answer: True

Explanation: Azure Policy can enforce the use of tags and their specific values on Azure resources.

In Azure Policy, policy assignments have the _______ level of precedence.

  • A. Highest
  • B. Lowest

Answer: A. Highest

Explanation: Policy assignments are the actual implementation of policy definitions and have the highest level of precedence in Azure Policy.

True or False: Azure Policy cannot be used to set permissions and RBAC settings.

  • True
  • False

Answer: False

Explanation: Azure Policy can define permissions and RBAC settings on resources, helping to manage access control.

Which Azure Policy effect allows resources to be created but flags them for review?

  • A. Append
  • B. Auditing
  • C. Deny
  • D. AuditIfNotExists

Answer: B. Auditing

Explanation: The Auditing effect in Azure Policy allows resource creation but marks the resources for review based on the policy rule.

True or False: Azure Policy allows compliance checking for only Azure resources.

  • True
  • False

Answer: False

Explanation: Azure Policy allows compliance checking for Azure resources and Azure DevOps pipelines, and even data in Azure Storage, to provide a holistic compliance solution.

In an Azure policy definition, which section describes the necessary conditions for the policy to take effect?

  • A. Parameters
  • B. If-then condition
  • C. Policy rule
  • D. Effects

Answer: C. Policy rule

Explanation: The policy rule describes the conditions under which the policy should take effect, and the effect that should take place when the policy rule is evaluated for the target resources.

True or False: Azure Policy evaluates policies in real time.

  • True
  • False

Answer: True

Explanation: Azure Policy performs policy evaluation for every create or update operation on resources, allowing real-time enforcement.

Which term refers to a combination of conditions in Azure Policy that, when satisfied or unsatisfied, trigger the policy’s effect?

  • A. Policy Rule
  • B. Policy Assignment
  • C. Policy Effects
  • D. Policy Parameters

Answer: A. Policy Rule

Explanation: A policy rule in Azure Policy refers to a combination of conditions that, when satisfied or not satisfied, trigger the effect defined in the policy.

Which Azure policy effect prevents certain resource operations from being performed by users?

  • A. Audit
  • B. Deny
  • C. Delete
  • D. Modify

Answer: B. Deny

Explanation: The Deny effect in Azure Policy prevents specific resource operations from being carried out by users.

True or False: The Azure Policy service is region-specific.

  • True
  • False

Answer: False

Explanation: Azure Policy is a global service and is not tied to any specific region. It applies to all resources across all the regions in a subscription.

Interview Questions

What is Azure Policy?

Azure Policy is a service in Azure used to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.

How is Azure Policy different from Azure Role-Based Access Control (RBAC)?

Azure RBAC is focused on user actions at different scopes, while Azure Policy focuses on resource properties during deployment and for already-existing resources. Azure Policy is a default allow and explicit deny system, while Azure RBAC is a default deny and explicit allow.

What is the role of the ‘Assignments’ in Azure Policy?

An assignment is the association of a definition to a specific scope for enforcement. That scope could range from a management group to a resource group.

What is a policy definition in Azure?

A policy definition expresses what to evaluate and what action to take. For example, you could enforce a rule that storage accounts must have secure transfer required enabled.

What is the purpose of using ‘Parameters’ in Azure Policy definitions?

Parameters help to simplify your policy management by reducing the number of policy definitions. They make it easy to reuse one definition across different scenarios and contexts.

What is ‘Compliance’ in Azure Policy, and how is it useful?

Compliance in Azure Policy is an aggregation status of your resources with the assigned policies. It shows the compliance state of the resources, whether they are in line with the assigned policies or not. This allows users to assess the overall state of the environment and to track down non-compliant resources.

What is Azure Policy’s ‘Deny’ effect?

The ‘Deny’ effect in Azure Policy is used to block any actions during a resource operation that violate policy.

What is the ‘Audit’ effect in Azure Policy?

The ‘Audit’ effect allows the resource operation but flags it as non-compliant in the policy compliance results.

How can I create a custom policy definition in Azure?

You can create custom policy definitions by using the Azure portal, Azure PowerShell, Azure CLI, or the REST API. You define the rules in a JSON file, specifying the conditions under which the policy is enforced and the effect to apply when those conditions are met.

What’s the ‘DeployIfNotExists’ effect for Azure Policy?

The ‘DeployIfNotExists’ effect deploys a template when a related resource does not exist. In other words, if a specific condition is not met, the policy engine deploys the necessary resources.

What is a Management Group in Azure Policy?

In Azure Policy, a management group is a level of scope above subscriptions. It allows you to organize your subscriptions and apply your governance conditions to the management group, and all subscriptions within the management group inherit the conditions.

Can I use Azure Policy to remediate non-compliant resources?

Yes, Azure Policy provides remediation tasks to automatically remediate non-compliant resources. However, not all non-compliant resources can be automatically remediated.

Can Azure Policy discover resources in Azure that are not compliant with the policy?

Yes, Azure Policy continuously audits resources in Azure for non-compliance with assigned policies. Non-compliant resources are identified with a policy compliance state of ‘Non-compliant’.

Can Azure Policy apply to resources across multiple Azure subscriptions?

Yes, a policy can be assigned to a management group, which can contain multiple subscriptions. The assigned policy applies to all resource groups and resources in those subscriptions.

Can I use Azure Policy to limit the Azure regions that my organization can deploy resources to?

Yes, you can use Azure Policy to restrict the Azure regions that your organization can create resources in. You can do this by using a built-in policy definition that restricts the locations in which resources can be created.
