Azure Policy and Governance
As Azure usage grows across an organization — with multiple teams, projects, and subscriptions — maintaining consistent configurations and compliance becomes difficult. Without governance, teams create resources in the wrong regions, skip required tags, use unapproved VM sizes, or leave storage accounts publicly accessible. Azure Policy is the service that enforces organizational standards automatically — preventing non-compliant resources from being created and flagging existing non-compliant resources for remediation.
What is Azure Policy?
Azure Policy is a governance service that evaluates resources against defined rules (policies) and either enforces compliance by blocking non-compliant actions or audits and reports on the current compliance state. Policies are defined using JSON and can be applied at management group, subscription, or resource group scope.
Policy Definitions
A policy definition is a rule written in JSON that describes what should be evaluated and what action to take. Azure provides hundreds of built-in policy definitions — custom policies can also be created.
Policy Structure
```json
{
  "policyRule": {
    "if": {
      "allOf": [
        { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
        { "field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess", "equals": "true" }
      ]
    },
    "then": {
      "effect": "Deny"
    }
  }
}
```
Both conditions inside allOf must match for the rule to fire; the Deny effect then blocks creation of any storage account that allows public blob access.
Policy Effects
| Effect | Description | When to Use |
|---|---|---|
| Deny | Blocks the resource creation or update if it violates the policy | Enforce hard rules — e.g., block all resources outside approved regions |
| Audit | Allows the resource but marks it as non-compliant in the dashboard | Visibility without enforcement — understand current state before enforcing |
| AuditIfNotExists | Audit if a related resource does not exist — e.g., audit VMs without backup enabled | Check for missing configurations on dependent resources |
| DeployIfNotExists | Automatically deploy a resource if it doesn't exist — e.g., deploy a Log Analytics agent if missing | Automated remediation of missing configurations |
| Modify | Automatically add or change tags or properties on resources | Auto-apply required tags to all new resources |
| Append | Add additional fields to a resource during creation — e.g., add required tags | Enforce mandatory fields on resources |
| Disabled | Policy is defined but not enforced — used for testing | Draft policies not yet ready to enforce |
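As an added illustration of the policy structure above and of how the Deny and Audit effects differ in outcome, here is a small Python evaluator written for this page (it is not Azure Policy's engine and implements only the allOf, not, equals and in operators these examples use). The allowed-region list and the sample resources are constructed.

```python
# Added example, not Azure's engine: a minimal evaluator for the policyRule
# shape above (allOf / not, field equals / in) and the Deny vs Audit effects.
import copy
# The custom definition from "Policy Structure": deny public blob access.
DENY_PUBLIC_BLOB = {"policyRule": {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess",
         "equals": "true"}]},
    "then": {"effect": "Deny"}}}
AUDIT_PUBLIC_BLOB = copy.deepcopy(DENY_PUBLIC_BLOB)  # same rule, Audit effect
AUDIT_PUBLIC_BLOB["policyRule"]["then"]["effect"] = "Audit"
# Shape of the built-in "Allowed locations" policy (region list is constructed).
ALLOWED_LOCATIONS = {"policyRule": {
    "if": {"not": {"field": "location", "in": ["eastus", "westeurope"]}},
    "then": {"effect": "Deny"}}}

def get_field(resource, field):
    """Top-level field by name; a property alias is assumed to map to its
    last path segment under 'properties' (true for the alias used here)."""
    if "/" not in field:
        return resource.get(field)
    return resource.get("properties", {}).get(field.rsplit("/", 1)[-1])

def matches(cond, resource):
    """Recursively test a policyRule 'if' condition against a resource."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    value = get_field(resource, cond["field"])
    if "equals" in cond:  # Azure compares 'equals' as case-insensitive strings
        return str(value).lower() == str(cond["equals"]).lower()
    if "in" in cond:
        return value in cond["in"]
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(policy, resource):
    """Return 'compliant', 'denied' (Deny blocks) or 'non-compliant' (Audit flags)."""
    rule = policy["policyRule"]
    if not matches(rule["if"], resource):
        return "compliant"
    effect = rule["then"]["effect"].lower()
    return {"deny": "denied", "audit": "non-compliant"}.get(effect, "compliant")
# Constructed sample resources, shaped as an ARM request presents them.
PUBLIC_STORAGE = {"type": "Microsoft.Storage/storageAccounts", "location": "eastus",
                  "properties": {"allowBlobPublicAccess": True}}
PRIVATE_STORAGE = {"type": "Microsoft.Storage/storageAccounts", "location": "eastus",
                   "properties": {"allowBlobPublicAccess": False}}
VM_IN_BRAZIL = {"type": "Microsoft.Compute/virtualMachines", "location": "brazilsouth"}
```

The same request that Deny rejects is accepted under Audit and only shows up as non-compliant on the dashboard, which is why Audit is the usual first step before switching an assignment to Deny.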
Common Built-in Policies
| Policy | Effect | Purpose |
|---|---|---|
| Allowed locations | Deny | Block resource creation outside approved Azure regions |
| Require a tag on resources | Deny | Enforce tagging for cost management and organization |
| Allowed virtual machine SKUs | Deny | Only allow specific VM sizes — prevent expensive VMs in dev |
| Storage accounts should disable public network access | Audit / Deny | Enforce private-only storage accounts |
| VMs should have backup configured | AuditIfNotExists | Identify VMs without Azure Backup protection |
| Deploy Log Analytics agent on VMs | DeployIfNotExists | Automatically install monitoring agent if missing |
Policy Initiatives (Policy Sets)
An initiative (also called a policy set definition) is a collection of related policy definitions grouped together to achieve a broader compliance goal. Instead of assigning 20 individual policies, one initiative containing all 20 is assigned.
Example Built-in Initiatives
- Azure Security Benchmark: A collection of 100+ policies that map to the Azure Security Benchmark standard.
- Enable Azure Monitor for VMs: A set of policies that deploy all required monitoring components to VMs.
- HIPAA HITRUST: Policies that enforce controls required for HIPAA compliance.
- PCI DSS: Controls for Payment Card Industry Data Security Standard compliance.
Compliance Dashboard
After policies are assigned, the Compliance Dashboard shows the overall compliance percentage and lists all non-compliant resources. Each non-compliant resource shows which policy it violates and why. This dashboard is the central tool for auditors and governance teams to verify the organization is meeting its standards.
Compliance Dashboard View
Policy Compliance Dashboard
Overall Compliance: 78% (1,234 / 1,580 resources compliant)

| Policy | Compliant / Total | Compliance |
|---|---|---|
| Allowed locations | 580/580 | 100% |
| Require Environment tag | 430/580 | 74% |
| Disable public access on Storage | 210/240 | 87% |
| VMs should have backup | 14/180 | 8% (Critical!) |
Remediation Tasks
For policies with DeployIfNotExists or Modify effects, a Remediation Task can be created to automatically fix existing non-compliant resources. For example, after assigning the "Add required tags" Modify policy, a remediation task applies the missing tags to all existing resources in scope — not just newly created ones.
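An added Python model of the remediation flow described above together with the dashboard's per-policy rows (not Azure's own tooling): the policy JSON follows the Modify effect's details/operations shape, the resource inventory is constructed, and the role definition id is a placeholder.

```python
# Added example (not Azure's own tooling): a Modify policy that adds a required
# tag, a dashboard-style compliance summary, and a remediation task that fixes
# existing resources. Only tags['x'] fields and addOrReplace are modelled.
import copy
ADD_ENV_TAG = {"policyRule": {
    "if": {"field": "tags['Environment']", "exists": "false"},
    "then": {"effect": "Modify", "details": {
        # Real definitions list the roleDefinitionIds that the remediation
        # task's managed identity needs in order to write tags (placeholder).
        "roleDefinitionIds": ["<role-definition-id-placeholder>"],
        "operations": [{"operation": "addOrReplace",
                        "field": "tags['Environment']", "value": "dev"}]}}}}

def tag_name(field):
    return field[len("tags['"):-len("']")]   # tags['x'] -> x

def is_compliant(policy, resource):
    """A resource is non-compliant exactly when the 'if' condition matches."""
    cond = policy["policyRule"]["if"]
    present = tag_name(cond["field"]) in resource.get("tags", {})
    return present != (cond["exists"].lower() == "true")

def compliance_summary(policies, resources):
    """One dashboard row per policy name: (compliant, total, percent)."""
    rows = {}
    for name, policy in policies.items():
        ok = sum(is_compliant(policy, r) for r in resources)
        rows[name] = (ok, len(resources), round(100 * ok / len(resources)))
    return rows

def remediation_task(policy, resources):
    """Apply the Modify operations to existing non-compliant resources in
    scope, as a Remediation Task does; returns (fixed_count, updated_list)."""
    updated, fixed = copy.deepcopy(resources), 0
    for r in updated:
        if is_compliant(policy, r):
            continue
        for op in policy["policyRule"]["then"]["details"]["operations"]:
            if op["operation"] == "addOrReplace":
                r.setdefault("tags", {})[tag_name(op["field"])] = op["value"]
        fixed += 1
    return fixed, updated

# Constructed inventory of resources that existed before the policy was assigned.
INVENTORY = [
    {"name": "vm-web-01", "tags": {"Environment": "prod"}},
    {"name": "st-logs", "tags": {"CostCenter": "1234"}},
    {"name": "vm-batch-02", "tags": {}},
    {"name": "kv-app", "tags": {"Environment": "dev"}},
]
```

Without the remediation task the dashboard row stays at 2/4 (50%) for these existing resources, because the Modify effect by itself only acts on new create and update requests.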
Azure Blueprints
Azure Blueprints is a governance tool that packages together role assignments, policy assignments, ARM templates, and resource groups into a single reusable "blueprint." When a new project subscription is created, applying a blueprint automatically configures it with the required resources, policies, and access controls in one step — ensuring every new environment starts in a compliant, standardized state.
Blueprint vs ARM Template vs Policy
| Tool | Purpose |
|---|---|
| ARM Template | Deploy specific resources (what infrastructure to create) |
| Azure Policy | Enforce rules on existing and new resources (what rules to follow) |
| Azure Blueprints | Bundle ARM templates + policies + RBAC into a reusable environment definition (complete environment setup) |
Key Takeaways
- Azure Policy enforces organizational standards by evaluating resources against defined rules and applying effects (Deny, Audit, DeployIfNotExists, Modify).
- Initiatives group multiple related policies together for easier assignment and compliance tracking.
- The Compliance Dashboard provides a real-time view of compliance percentage and lists all non-compliant resources.
- Remediation Tasks fix existing non-compliant resources for DeployIfNotExists and Modify policies.
- Azure Blueprints bundles policies, RBAC, and ARM templates into reusable environment definitions for consistent subscription setup.
