How to Manage Policies with the Azure CLI

Cloud technologies like Azure can appear deceptively simple, but not setting up a governance system in the initial stages can result in operational roadblocks further down the line.

While roles and groups enable flexible permissions for users, policies in Azure enable you to apply rules for resources in your organization to govern compliance, cost limits, consistency, and security.

In this article, we’ll briefly explain the basics of policies, and then show how you can assign them to a scope of resources using the Azure CLI. 

Understanding Policies in Azure

Azure policies are sets of rules that dictate what is allowed in either a specific resource group or across the account. For example, policies can be instituted to prevent over-provisioning and unexpected resource costs.

In practice, these policy definitions are described using JSON format and are then assigned to a certain scope of resources. If you have more than one related policy, that’s referred to as a policy initiative.

If a resource is updated or created in a way that violates a policy you have configured, then depending on your preference, deny the change, log the issue, or make additional remediations.

You can either use built-in policy options or fully customize them. For more details on creating policy definitions, you can read up on that here.

Here’s what a policy definition looks like in practice:

{
    "properties": {
        "displayName": "Allowed locations",
        "description": "This policy enables you to restrict the locations your organization can specify when deploying resources.",
        "mode": "Indexed",
        "metadata": {
            "version": "1.0.0",
            "category": "Locations"
        },        
        "parameters": {
            "allowedLocations": {
                "type": "array",
                "metadata": {
                    "description": "The list of locations that can be specified when deploying resources",
                    "strongType": "location",
                    "displayName": "Allowed locations"
                },                
                "defaultValue": [ "westus2" ]
            }        
        },        
        "policyRule": {
            "if": {
               "not": {
                   "field": "location",
                   "in": "[parameters('allowedLocations')]"
                }
            },            
            "then": {
               "effect": "deny"
            }
        }    
    }
}

Assigning a Policy to a Scope 

Once you have a policy definition that you are looking to implement, you do that with the az policy assignment create command:

az policy assignment create [--assign-identity]
                    	    [--description]                            
                    	    [--display-name]                            
                    	    [--enforcement-mode {Default, DoNotEnforce}]
                    	    [--identity-scope]
                    	    [--location]
                    	    [--mi-system-assigned]
                    	    [--mi-user-assigned]
                            [--name]
                    	    [--not-scopes]
                    	    [--params]
                    	    [--policy]
                    	    [--policy-set-definition]
                    	    [--resource-group]
                    	    [--role]
                    	    [--scope]
                    	    [--sku {free, standard}]

As you can see, you have lots of parameters you can use to customize your policy assignment, including enforcement options. These are the different types of scopes you can use when you’re assigning a policy:

• Management group: a container that manages policies across multiple subscriptions
• Subscription: uniquely-billed Azure account/plan
• Resource group: a container that holds related resources
• Resource: any entity managed by Azure (virtual machines, virtual networks, storage accounts, etc.)

Here’s an example using a management group as a scope.

   az policy assignment create --scope \
    "/providers/Microsoft.Management/managementGroups/MyManagementGroup" \
        --policy {PolicyName} -p "{ \"allowedLocations\": \
            { \"value\": [ \"australiaeast\", \"eastus\", \"japaneast\" ] } }"

Now that your policy is implemented, it will check compliance whenever a new resource in the scope is created or updated, policies in the scope are added or updated, as well as once every 24 hours.

Blink Automation: Apply Policy to Azure Resources with Matching Conditions

Blink + Azure

Get Started

Updating an Existing Policy Assignment

If you need to make updates to a policy, you can run the az policy assignment update command:

az policy assignment update [--description]
			    [--display-name]
			    [--enforcement-mode {Default, DoNotEnforce}]
			    [--name]
			    [--not-scopes]
			    [--params]
			    [--resource-group]
			    [--scope]
			    [--sku {free, standard}]

This update example changes the description of an existing policy:

az policy assignment update --name myPolicy --description 'My policy description'

Instead of updating a description, you might want to update these parameters:

• --enforcement-mode -e: change the enforcement mode for the policy
• --not-scopes: create exceptions within the scope where this policy doesn’t apply
• --params -p: change the JSON formatted string or a path to a file where the policy definition exists

Now that we’ve covered creating and updating policies, let’s look at deleting policies that are no longer relevant.

Deleting a Policy Assignment

To delete a policy assignment, you can use the az policy assignment delete command:

az policy assignment delete --name
			    [--resource-group]
			    [--scope]

You can delete the entire policy by just using the name parameter.

az policy assignment delete --name MyPolicyAssignment

Alternatively, you can delete the policy in the context of a certain scope by including a scope or resource-group parameters additionally.

Simplify Policy Updates with Blink

Instead of having to look up the specific command for each of these actions, tools like Blink enable you to keep your policies up to date easily with a low-code/ no-code UI.

Get started with Blink today and see how easy automation can be.