Tutorial / Cram Notes

Azure Policy is a service in Azure that enables you to create, assign, and manage policies that enforce different rules over your Azure environments, ensuring your resources stay compliant with your corporate standards and service level agreements. Azure Policy accomplishes this by evaluating your resources for non-compliance with assigned policies. As an Azure Administrator preparing for the AZ-104 exam, understanding how to configure and manage Azure Policy is crucial.

Understanding Azure Policy Definitions and Assignments:

Azure Policy Definitions express the rules that your resources need to comply with. They can enforce rules, like ensuring all resources are in a specific Azure region or that only certain types of virtual machines can be created.

Policy Assignments are the application of a Policy Definition to a specific scope. The scope can be a management group, a subscription, a resource group or a single resource, and an assignment can carry exclusions (notScopes) for sub-scopes that should not be evaluated. When a Policy Assignment is made, Azure Policy evaluates the resources within the scope (the first pass starts within about 30 minutes), and it re-evaluates them on every create or update request and on a roughly 24-hour schedule.

Creating and Assigning Policies:

To create a new policy definition:

  1. Sign in to the Azure portal.
  2. Navigate to the ‘Policy’ service.
  3. Under ‘Authoring’, select ‘Definitions’.
  4. Click on ‘+ Policy definition’.
  5. Provide the necessary details for your policy, such as the name, description, and policy rule.
  6. Once completed, click ‘Save’.

For example, to audit virtual machines that do not use managed disks, the rule can key on the fact that only an unmanaged OS disk carries a VHD URI (the alias Microsoft.Compute/virtualMachines/osDisk.uri), which is how the built-in ‘Audit VMs that do not use managed disks’ policy works. Note that the audit effect takes no ‘details’ block; ‘details’ with an existenceCondition belongs to auditIfNotExists and deployIfNotExists:

{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachines"
      },
      {
        "field": "Microsoft.Compute/virtualMachines/osDisk.uri",
        "exists": "true"
      }
    ]
  },
  "then": {
    "effect": "audit"
  }
}

To assign a policy:

  1. Go to ‘Policy’ service in the Azure portal.
  2. Under ‘Authoring’, select ‘Assignments’.
  3. Click on ‘+ Assign policy’.
  4. Select the scope (management group, subscription, resource group, or resource) and, if needed, add exclusions for sub-scopes that should not be evaluated.
  5. Choose the Policy Definition you created earlier.
  6. Set parameters if your policy definition requires them, and choose the policy enforcement setting (‘Enabled’ to enforce, ‘Disabled’ to evaluate and report compliance without blocking or changing anything).
  7. Click on ‘Review + create’ to confirm the assignment.
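The same create-and-assign flow in Azure PowerShell, as an added example that is not part of the original page. It builds a parameterized custom definition (the allowed-region list and the effect are chosen at assignment time) and assigns it to a resource group in DoNotEnforce mode, so compliance is reported without blocking anything. The resource group name rg-policy-demo, the definition and assignment names and the region list are assumptions; it requires the Az.Resources module and an authenticated session (Connect-AzAccount).

```powershell
# Added example, not code from the original page. Assumptions: resource group
# "rg-policy-demo" exists, Az.Resources is installed and Connect-AzAccount has run.

$rgName = "rg-policy-demo"
$rg     = Get-AzResourceGroup -Name $rgName

# 1. Parameters: the region list and the effect are supplied at assignment time,
#    so one definition serves both an audit rollout and a later deny assignment.
$parameters = @{
    listOfAllowedLocations = @{
        type     = "Array"
        metadata = @{
            displayName = "Allowed locations"
            description = "Regions in which resources may be deployed"
            strongType  = "location"      # portal renders a region picker
        }
    }
    effect = @{
        type          = "String"
        allowedValues = @("Audit", "Deny", "Disabled")
        defaultValue  = "Audit"
        metadata      = @{ displayName = "Effect" }
    }
}

# 2. Rule: anything whose location is outside the list, ignoring the "global"
#    pseudo-region used by tenant-wide services. Mode "Indexed" evaluates only
#    resource types that support location and tags (resource groups need their own policy).
$policyRule = @{
    if = @{
        allOf = @(
            @{ field = "location"; notIn     = "[parameters('listOfAllowedLocations')]" },
            @{ field = "location"; notEquals = "global" }
        )
    }
    then = @{ effect = "[parameters('effect')]" }
}

# ConvertTo-Json defaults to -Depth 2 and silently flattens anything deeper,
# which would corrupt both the rule and the parameter declaration.
$definition = New-AzPolicyDefinition `
    -Name        "allowed-locations-param" `
    -DisplayName "Allowed locations (parameterized effect)" `
    -Description "Restricts deployment regions; effect chosen per assignment" `
    -Mode        "Indexed" `
    -Parameter   ($parameters | ConvertTo-Json -Depth 10) `
    -Policy      ($policyRule | ConvertTo-Json -Depth 10)

# 3. Assignment: parameter values go in as a hashtable. DoNotEnforce keeps the
#    compliance evaluation running but suppresses the effect, so a Deny value here
#    blocks nothing yet. This is the "audit before deny" rollout step.
$assignment = New-AzPolicyAssignment `
    -Name                  "locations-europe-only" `
    -DisplayName           "Allowed locations: West Europe / North Europe" `
    -PolicyDefinition      $definition `
    -Scope                 $rg.ResourceId `
    -PolicyParameterObject @{
        listOfAllowedLocations = @("westeurope", "northeurope")
        effect                 = "Deny"
    } `
    -EnforcementMode       "DoNotEnforce"

# 4. Promote to real enforcement once the Compliance view shows no surprises.
# Set-AzPolicyAssignment -Name "locations-europe-only" -Scope $rg.ResourceId -EnforcementMode Default
```

The `effect` parameter pattern is the one the built-in definitions use; it is what lets the same definition be assigned as Audit at a management group and as Deny on a production subscription without duplicating the rule.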

Managing Compliance:

Once policies are assigned, Azure Policy will evaluate the resources and identify if they are compliant. You can view the compliance status by:

  1. Navigating to the ‘Policy’ service in the Azure portal.
  2. Selecting ‘Compliance’ from the sidebar.
  3. Here you can see the list of policies, their respective assignments, and the compliance state of each assignment.

For ongoing compliance management, non-compliant resources can be brought into line with a remediation task. Remediation applies only to policies whose effect is deployIfNotExists or modify, and the assignment needs a managed identity that holds the roles listed in the definition’s roleDefinitionIds. Remediation is not automatic for resources that already existed when the policy was assigned: those only change when a remediation task runs, while new or updated resources are fixed at write time. To create a remediation task:

  1. Select the non-compliant policy assignment.
  2. Click on ‘Remediation’ (or ‘Create remediation task’).
  3. Select the non-compliant resources and click ‘Remediate’.
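Querying compliance and running a remediation task from Azure PowerShell, as an added example that is not part of the original page. It uses the built-in ‘Inherit a tag from the resource group’ modify policy, assigns it with a system-assigned managed identity, grants that identity only the roles the definition itself declares, and then remediates existing resources. It requires the Az.Resources and Az.PolicyInsights modules; the resource group rg-policy-demo, the tag name CostCenter and the built-in definition GUID are assumptions (confirm the GUID with Get-AzPolicyDefinition -BuiltIn), and the property names used to read the policy rule and principal ID differ between Az.Resources releases, so the code checks for both layouts.

```powershell
# Added example, not code from the original page. Assumptions: resource group
# "rg-policy-demo" exists, Az.Resources and Az.PolicyInsights are installed, and the
# GUID below is the built-in "Inherit a tag from the resource group" definition
# (verify: Get-AzPolicyDefinition -BuiltIn, filter on the display name).

$rgName = "rg-policy-demo"
$rg     = Get-AzResourceGroup -Name $rgName

# 1. Compliance: what is failing in this scope, and under which assignment/effect.
Get-AzPolicyState -ResourceGroupName $rgName -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, PolicyAssignmentName, PolicyDefinitionAction |
    Format-Table -AutoSize

# 2. A built-in Modify policy that copies a tag from the resource group onto resources.
$definition = Get-AzPolicyDefinition -Id "/providers/Microsoft.Authorization/policyDefinitions/ea3f2387-9b95-492a-a190-fcdc54f7b070"

# 3. Assign with a system-assigned identity. Modify and DeployIfNotExists need one
#    because the Policy service, not the caller, writes to the resource. -Location
#    is where the identity is created and is mandatory with -IdentityType.
$assignmentName = "inherit-costcenter-tag"
$assignment = New-AzPolicyAssignment -Name $assignmentName -PolicyDefinition $definition `
    -Scope $rg.ResourceId -PolicyParameterObject @{ tagName = "CostCenter" } `
    -IdentityType SystemAssigned -Location "westeurope"

# 4. Least privilege: grant exactly the roles the definition declares in
#    then.details.roleDefinitionIds instead of handing the identity Contributor.
#    Az.Resources before 7.x nests these under .Properties / .Identity; 7.x flattens them.
$rule = if ($definition.PSObject.Properties['PolicyRule']) { $definition.PolicyRule } else { $definition.Properties.PolicyRule }
$principalId = if ($assignment.PSObject.Properties['IdentityPrincipalId']) { $assignment.IdentityPrincipalId } else { $assignment.Identity.PrincipalId }

foreach ($roleId in $rule.then.details.roleDefinitionIds) {
    # Entries look like /providers/Microsoft.Authorization/roleDefinitions/<guid>
    $roleGuid = ($roleId -split '/')[-1]
    New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionId $roleGuid -Scope $rg.ResourceId
}
# Role assignments take a few minutes to propagate; a task started too early fails with 403s.
Start-Sleep -Seconds 120

# 5. Remediate resources that already existed. ReEvaluateCompliance re-scans the scope
#    first instead of relying on the last scheduled compliance snapshot.
$assignmentId = "$($rg.ResourceId)/providers/Microsoft.Authorization/policyAssignments/$assignmentName"
Start-AzPolicyRemediation -Name "remediate-costcenter-$(Get-Date -Format yyyyMMddHHmm)" `
    -ResourceGroupName $rgName -PolicyAssignmentId $assignmentId `
    -ResourceDiscoveryMode ReEvaluateCompliance

# 6. Track progress; DeploymentSummary shows succeeded/failed counts per resource.
Get-AzPolicyRemediation -ResourceGroupName $rgName |
    Select-Object Name, ProvisioningState, DeploymentSummary
```

Reading the role list off the definition rather than hard-coding Contributor matters: the identity outlives the task, and an over-privileged policy identity at subscription scope is a standing privilege-escalation path for anyone who can edit the definition.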

Advanced Features of Azure Policy:

Azure Policy also supports advanced features like:

  • Policy Initiatives (PolicySets): Grouping of policies that makes it easier for you to manage and assign collections of policies.
  • Exemptions: Allows specific resources or sub-scopes to be exempt from one or more policy assignments, with a category (Waiver for accepted risk, Mitigated when the control is met another way) and an optional expiry date.
  • Parameterization: Enables the creation of flexible policies that can take parameters for certain fields when they’re assigned.

For example, an initiative might encompass policies to ensure audit logs are enabled for all services and that resources reside in specific regions.
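Building and assigning an initiative, then exempting one resource group, as an added example that is not part of the original page. The initiative groups two built-in definitions, ‘Allowed locations’ and ‘Audit VMs that do not use managed disks’, behind a single initiative-level parameter; the GUIDs are the well-known built-in IDs but should be confirmed with Get-AzPolicyDefinition -BuiltIn, and the initiative and assignment names, the rg-sandbox resource group and the expiry date are assumptions. It requires the Az.Resources module.

```powershell
# Added example, not code from the original page. Assumptions: the two GUIDs are the
# built-in "Allowed locations" and "Audit VMs that do not use managed disks"
# definitions (verify with Get-AzPolicyDefinition -BuiltIn), and "rg-sandbox" exists.

$subscriptionId = (Get-AzContext).Subscription.Id
$scope          = "/subscriptions/$subscriptionId"

# 1. Initiative-level parameters. Members reference them with parameters('...'),
#    so the value is set once for the whole set at assignment time.
$setParameters = @{
    allowedLocations = @{
        type     = "Array"
        metadata = @{ displayName = "Allowed locations"; strongType = "location" }
    }
}

# 2. Members: each entry names a definition, gives it a stable reference ID (used by
#    exemptions and compliance reports) and maps its own parameters onto the
#    initiative's. The managed-disk audit takes no parameters.
$members = @(
    @{
        policyDefinitionId          = "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c"
        policyDefinitionReferenceId = "allowedLocations"
        parameters                  = @{ listOfAllowedLocations = @{ value = "[parameters('allowedLocations')]" } }
    },
    @{
        policyDefinitionId          = "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d"
        policyDefinitionReferenceId = "managedDisks"
    }
)

$initiative = New-AzPolicySetDefinition `
    -Name             "baseline-governance" `
    -DisplayName      "Baseline governance" `
    -Description      "Region placement plus managed-disk audit" `
    -Parameter        ($setParameters | ConvertTo-Json -Depth 10) `
    -PolicyDefinition ($members       | ConvertTo-Json -Depth 10)

# 3. One assignment covers every member; values flow through the initiative parameter.
$assignment = New-AzPolicyAssignment `
    -Name                  "baseline-governance" `
    -PolicySetDefinition   $initiative `
    -Scope                 $scope `
    -PolicyParameterObject @{ allowedLocations = @("westeurope", "northeurope") }

# 4. Exemption: a sandbox resource group may run outside the allowed regions until a
#    date. Naming only the "allowedLocations" member keeps the disk audit active there.
#    Waiver = risk accepted; Mitigated = control satisfied by other means.
$sandbox = Get-AzResourceGroup -Name "rg-sandbox"
New-AzPolicyExemption `
    -Name                        "sandbox-region-waiver" `
    -PolicyAssignment            $assignment `
    -Scope                       $sandbox.ResourceId `
    -ExemptionCategory           "Waiver" `
    -PolicyDefinitionReferenceId @("allowedLocations") `
    -ExpiresOn                   (Get-Date "2025-12-31T23:59:59Z") `
    -Description                 "Sandbox pilot outside approved regions; reviewed quarterly"
```

Exemptions with an expiry are preferable to exclusions (notScopes) on the assignment: an expired exemption re-enters compliance reporting on its own, whereas an exclusion silently stays in place until somebody remembers to remove it.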

Monitoring and Reporting:

For reporting purposes, Azure Policy writes its evaluation results (audit and deny events) to the Azure Activity Log and exposes compliance states through the Policy Insights API and the policyresources table in Azure Resource Graph, which Azure Monitor workbooks and alerts can query. This lets administrators track policy assignments, changes, and compliance states.

Example of Policy Management with Azure PowerShell:

You can also manage Azure Policy through Azure PowerShell (Az.Resources module). The example below creates a deny version of the managed-disk rule. Two details matter: the rule must carry the unmanaged-disk condition, otherwise ‘deny’ on ‘type equals virtualMachines’ blocks every VM; and ConvertTo-Json truncates nested objects beyond its default depth of 2, so pass -Depth explicitly:

# Flag VMs whose OS disk is an unmanaged VHD (osDisk.uri is only set for unmanaged disks).
$policyRule = @{
    "if" = @{
        "allOf" = @(
            @{ "field" = "type"; "equals" = "Microsoft.Compute/virtualMachines" },
            @{ "field" = "Microsoft.Compute/virtualMachines/osDisk.uri"; "exists" = "true" }
        )
    }
    "then" = @{
        "effect" = "deny"
    }
}

# Without -Depth the allOf array would be serialized as a string and the definition rejected.
$policyRuleJson = $policyRule | ConvertTo-Json -Depth 10

New-AzPolicyDefinition -Name "EnforceManagedDisks" -DisplayName "Ensure Managed Disks" -Description "Deny VMs that use unmanaged disks" -Policy $policyRuleJson

And to assign this policy definition to a resource group, you would use (note that -PolicyDefinition expects the definition object, not its name):

$rg = Get-AzResourceGroup -Name "MyResourceGroup"
$definition = Get-AzPolicyDefinition -Name "EnforceManagedDisks"
New-AzPolicyAssignment -Name "ApplyManagedDisksPolicy" -DisplayName "Apply managed disks policy" -PolicyDefinition $definition -Scope $rg.ResourceId

Best Practices:

  • Regularly review and update policy definitions.
  • Use policy exemptions judiciously.
  • Organize initiatives for easier management and assignment.
  • Start with audit effects, or assign with enforcement mode set to DoNotEnforce, before enforcing with ‘deny’ effects to understand impact.
  • Utilize built-in policies for common scenarios.

In conclusion, Azure Policy is an essential tool for Azure Administrators; it ensures governance and compliance across Azure resources. By understanding how to create, assign, and manage policies and initiatives in Azure, administrators can effectively monitor and enforce organizational standards.

Practice Test with Explanation

True or False: Azure Policy can be applied at multiple scopes including management groups, subscriptions, resource groups, and individual resources.

True

Azure Policy can indeed be applied at various levels of Azure management hierarchy such as management groups, subscriptions, resource groups, and individual resources, allowing for fine-grained control over compliance.

True or False: Once assigned, Azure Policies are enforced on existing resources but not on new resources.

False

Policies apply to both. New and updated resources are evaluated as part of the Resource Manager request, so a deny effect blocks the request before the resource is written. Existing resources are evaluated shortly after assignment and then about every 24 hours; they are reported as non-compliant but are not changed or deleted unless a remediation task runs (deployIfNotExists or modify effects).

Which Azure service would you use to group together several related Azure policies?

  • A) Azure Automation
  • B) Azure Blueprint
  • C) Azure Logic Apps
  • D) Azure Monitor

B) Azure Blueprint

Of the options listed, Azure Blueprints is the one that packages several policy assignments (together with role assignments and Resource Manager templates) into a repeatable deployment. Within Azure Policy itself the grouping construct is an initiative (policy set definition). Azure Blueprints is deprecated in favour of template specs and deployment stacks, so expect exam material to shift toward initiatives.

True or False: Azure Policy allows automatic remediation of non-compliant resources.

True

Azure Policy includes remediation for policies with the deployIfNotExists or modify effect: new or updated resources are fixed at write time, and resources that already existed are fixed by creating a remediation task on the assignment. The assignment needs a managed identity with the roles named in the definition’s roleDefinitionIds.

How is an initiative defined in Azure Policy?

  • A) A collection of Azure regions
  • B) A single JSON file
  • C) A group of several Azure policies
  • D) A script that audits Azure resources

C) A group of several Azure policies

In Azure Policy, an initiative is a collection of policies that are tailored towards achieving a specific goal or compliance requirement.

True or False: Azure Policy does not support parameters that can be used in policy definitions.

False

Azure Policy supports parameters in policy definitions. Parameters allow for the creation of more flexible and reusable policy definitions that can be customized for different scenarios.

Which Azure Policy effect would you use to create related resources upon policy assignment?

  • A) Append
  • B) DeployIfNotExists
  • C) Deny
  • D) Audit

B) DeployIfNotExists

The DeployIfNotExists effect runs a Resource Manager template deployment when the related resource described in its details block is missing. It is evaluated after the matched resource is created or updated (following a short delay, the default evaluationDelay is 10 minutes), and it is applied to existing resources through a remediation task rather than immediately upon assignment.

True or False: All policies in Azure are default set to deny actions that would cause non-compliance.

False

The effect is set in the policy definition, often through a parameter so it can be chosen per assignment. Available effects include audit, deny, append, modify, auditIfNotExists, deployIfNotExists, denyAction, manual and disabled; “deny” is just one possibility, and no default forces it.

Which of the following is NOT a valid effect in an Azure Policy definition?

  • A) AuditIfNotExists
  • B) Disable
  • C) Modify
  • D) Audit

B) Disable

The effect keyword is ‘Disabled’ (with the trailing d), and it is valid: it is commonly offered as an allowed value of an effect parameter so an assignment can switch a policy off. ‘Disable’ without the d is not recognised, which is what the question hinges on. The full list of effects is longer than the other three options here and includes Audit, Deny, Append, Modify, AuditIfNotExists, DeployIfNotExists, DenyAction, Manual and Disabled.

True or False: Azure Policy assignments are inherited by all child resources and resources within subscopes of the assignment.

True

Azure Policy assignments are inherited by everything beneath the assignment scope; for example an assignment at a management group applies to all of its subscriptions, resource groups and resources. The two ways to carve out exceptions are exclusions (notScopes) set on the assignment and exemptions created as separate objects.

Which of the following is a requirement for creating a Managed Identity in the context of Azure Policy?

  • A) Assign a user as an owner
  • B) Enable Azure AD Privileged Identity Management
  • C) Assign a role with appropriate permissions
  • D) Provide a certificate for authentication

C) Assign a role with appropriate permissions

When leveraging a Managed Identity for remediation tasks (deployIfNotExists and modify effects), you must assign it a role with the permissions needed to create or update the resources. The policy definition lists the required roles under then.details.roleDefinitionIds; the portal creates those role assignments for a system-assigned identity automatically, while PowerShell, CLI and templates require you to create them yourself.

True or False: Azure Policy lets you evaluate the impact of a policy without actually enforcing it.

True

There is no feature literally named ‘test mode’; the mechanism is the assignment’s enforcement mode. Setting it to DoNotEnforce (‘Policy enforcement: Disabled’ in the portal) keeps compliance evaluation and reporting running but suppresses the effect, so deny does not block requests and modify or deployIfNotExists do not change resources. This is the standard way to assess a new or updated policy before full enforcement.

Interview Questions

What is Azure Policy and why is it important for organizations?

Azure Policy is a service in Azure that allows you to create and manage policies to enforce compliance with organizational standards and regulations. It is important for organizations because it helps them ensure that their cloud environments are secure, compliant, and well-managed.

What are some examples of policies that can be enforced using Azure Policy?

Some examples of policies that can be enforced using Azure Policy include resource naming conventions, resource tags, allowed resource types, and more.

How can you assign a policy in Azure Policy?

To assign a policy, open the Policy service in the Azure portal, go to Authoring > Assignments and choose Assign policy (or Assign initiative). Pick the scope at which the policy will be enforced (management group, subscription, resource group, or resource) and any exclusions, select a built-in or custom definition, configure the parameters the definition requires, choose the enforcement mode and, for deployIfNotExists or modify policies, the managed identity. The same can be done with Azure PowerShell (New-AzPolicyAssignment), Azure CLI (az policy assignment create) or a Resource Manager/Bicep template.

What is a policy definition in Azure Policy?

A policy definition in Azure Policy includes the policy rules that define the required compliance state.

What is a policy assignment in Azure Policy?

A policy assignment in Azure Policy assigns the policy definition to a specific scope.

How can you create and manage policies in Azure Policy?

You can create and manage policies in the Azure portal, with Azure PowerShell (New-AzPolicyDefinition, New-AzPolicyAssignment and related cmdlets), Azure CLI (az policy definition, az policy assignment), Resource Manager or Bicep templates, or the REST API. Keeping definitions as JSON in source control and deploying them through a pipeline is the usual way to manage them at scale.

What is a policy effect in Azure Policy?

A policy effect is what Azure Policy does when the if condition of a rule matches: deny blocks the request, audit records a warning in the Activity Log and marks the resource non-compliant, append and modify change the request or the resource, auditIfNotExists and deployIfNotExists check for a related resource and report on or deploy it, and disabled switches the rule off.

How can you view compliance status in Azure Policy?

You can view compliance status in Azure Policy by navigating to the Compliance tab in the Azure portal.

What is a policy initiative in Azure Policy?

A policy initiative in Azure Policy is a collection of policy definitions that are meant to be applied together.

How can you create a custom policy in Azure Policy?

To create a custom policy in Azure Policy, you can create a policy definition using JSON format and assign it to a scope.

Can policies be assigned to individual resources in Azure Policy?

Yes, policies can be assigned to individual resources, as well as to resource groups and subscriptions.

How can you edit an existing policy assignment in Azure Policy?

To edit an existing policy assignment in Azure Policy, you can navigate to the policy assignment in the Azure portal and make the necessary changes.

What is a policy compliance assessment in Azure Policy?

A policy compliance assessment in Azure Policy is a report that shows the compliance status of resources with respect to the policies that are assigned to them.

What is the difference between a policy definition and a policy initiative in Azure Policy?

A policy definition in Azure Policy is a single policy rule, while a policy initiative is a collection of policy definitions that are meant to be applied together.

How can you disable a policy in Azure Policy?

There is no ‘disabled’ enforcement action on an assignment. To stop a policy from being enforced while keeping compliance reporting, set the assignment’s enforcement mode to DoNotEnforce (‘Policy enforcement: Disabled’ in the portal). If the definition exposes its effect as a parameter, you can also set that parameter to Disabled, which stops evaluation as well. To remove the policy entirely, delete the assignment; deleting an assignment does not delete the definition.

Eva Lam
1 year ago

This blog post on configuring and managing Azure Policy is very insightful! Thanks for sharing.

Justin Riviere
1 year ago

Does anyone have experience with custom policy definitions in Azure Policy? How complex are they to set up?

Fatma Öztürk
1 year ago

For a newbie, is it better to start with built-in policies or jump straight into custom policies?

Dan Bryant
1 year ago

Great blog post, I’ve learned a lot.

Maximiliano Tejada
1 year ago

How does Azure Policy integrate with Azure Blueprints? Are they complementary?

Beatriz Lozano
1 year ago

I’m struggling with policy enforcement modes. Can someone explain the difference between Audit, Deny, and Append?

Ea Stjern
1 year ago

Super useful information, thanks!

Barış Kılıççı

How do you manage the scope for Azure Policies effectively?
