This chapter covers Azure Policy as a critical tool for enforcing security compliance in Azure environments. On the AZ-500 exam, questions about Azure Policy typically appear in the 'Security Operations' domain (objective 4.3) and constitute approximately 10-15% of the exam. Mastering Azure Policy is essential for implementing governance, ensuring resources meet security standards, and automating compliance remediation. This chapter will detail how Azure Policy works, its components, and how it integrates with Azure Blueprints, RBAC, and Azure Security Center.
Jump to a section
Imagine a city with a building code enforcement office. Before any building can be constructed or modified, the developer must submit plans that comply with the city's building code. The code specifies minimum requirements: fire sprinklers in buildings over three stories, wheelchair-accessible entrances, and maximum floor area ratios. The enforcement office does not build anything; it reviews plans and inspects construction. If a plan violates the code, the office rejects it and the developer must revise. Once built, the office can conduct periodic inspections to ensure ongoing compliance. Some rules are 'deny' (reject the plan), some are 'audit' (inspect after construction), and some are 'modify' (automatically add a required feature, like a fire extinguisher). The building code is a set of rules; the enforcement office is the engine that applies those rules to every new building and existing building in the city. Similarly, Azure Policy is a service that evaluates Azure resources against policy definitions (rules) and enforces compliance by denying non-compliant resources, auditing existing resources, or applying remediation. Just as building codes are organized into sections (fire safety, accessibility), Azure Policy definitions are grouped into initiatives (policy sets). The policy engine runs continuously, evaluating resources on create, update, and on a regular compliance scan cycle (every 24 hours by default). If a resource falls out of compliance (e.g., a building adds flammable cladding), the policy engine flags it and can trigger automatic remediation.
What is Azure Policy and Why It Exists
Azure Policy is a service in Azure that allows you to create, assign, and manage policies that enforce rules and effects over your resources. These policies evaluate resource compliance and can take actions such as denying non-compliant resources, auditing existing resources for compliance, or deploying configurations automatically (e.g., installing an anti-malware agent). The primary purpose of Azure Policy is to enforce organizational standards and assess compliance at scale. It is central to security governance because it ensures resources adhere to security requirements (e.g., only allowing certain VM SKUs, requiring encryption at rest, or restricting public network access).
How Azure Policy Works Internally
Azure Policy operates on a resource-level evaluation model. When a policy is assigned to a scope (management group, subscription, or resource group), the policy engine evaluates all resources within that scope against the policy definition. The evaluation occurs: - During resource creation or update (PUT/PATCH requests): The policy engine intercepts the request, evaluates the resource properties against the policy rules, and if the policy effect is 'Deny', the request is rejected before the resource is created. - On a periodic compliance scan: By default, a full compliance scan runs every 24 hours. This scan evaluates existing resources against all assigned policies and updates the compliance state. - On-demand: You can trigger a compliance scan manually using Azure CLI, PowerShell, or the portal.
The core components of Azure Policy are: - Policy Definition: A JSON document that describes the resource conditions (using 'if' block) and the effect to take (using 'then' block). Example definition that denies VMs not using managed disks:
{
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
{
"field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk.id",
"exists": "false"
}
]
},
"then": {
"effect": "deny"
}
}- Initiative Definition (Policy Set): A collection of policy definitions grouped together to achieve a broader goal, such as the 'Azure Security Benchmark' initiative. - Assignment: The process of applying a policy definition or initiative to a specific scope. Assignments can include parameters (e.g., allowed locations) and exclusions (e.g., a specific resource group). - Effect: The action taken when a resource is evaluated as non-compliant. Effects include: - Deny: Prevents the resource creation or update. Returns a 403 (Forbidden) error. - Audit: Logs a warning event in the activity log but does not block the request. - Append: Adds additional fields to the resource during creation or update (e.g., add a tag). - AuditIfNotExists: Audits resources that do not have a related resource (e.g., audit VMs without a backup). - DeployIfNotExists: Deploys a template to remediate non-compliant resources (e.g., deploy a Log Analytics agent to VMs). - Disabled: Effectively turns off the policy. - Modify: Adds, updates, or removes properties on a resource (similar to Append but can modify existing properties).
Key Components, Values, Defaults, and Timers
Policy Definition Structure: The 'if' block uses conditions based on resource properties (fields), tags, or location. Fields include 'type', 'name', 'kind', 'location', 'tags', and resource-specific properties like 'Microsoft.Compute/virtualMachines/sku.name'. Aliases are used to access resource properties (e.g., 'Microsoft.Compute/virtualMachines/storageProfile.imageReference.offer').
Initiative Definition: Can include up to 100 policy definitions. The evaluation is the same as individual policies; compliance is aggregated per initiative.
Assignment Parameters: Parameters allow customization without modifying the definition. For example, a policy that restricts allowed locations can accept a parameter 'listOfAllowedLocations'.
Exclusion: You can exclude child scopes from an assignment (e.g., exclude a resource group from a subscription-level policy). Exclusions are defined at assignment time.
Remediation: For 'DeployIfNotExists' and 'Modify' policies, a remediation task can be created to fix non-compliant existing resources. Remediation tasks run asynchronously and can be triggered via portal, CLI, or PowerShell.
Compliance State: Each resource has a compliance state: 'Compliant', 'Non-compliant', 'Conflict', 'Error', 'Not started'. 'Conflict' occurs when two policies assign different effects to the same resource (e.g., one denies, one audits). The deny effect takes precedence.
Timers:
Full compliance scan: every 24 hours (cannot be changed).
Evaluation on create/update: real-time.
Remediation task: can be scheduled or run on-demand; no specific default frequency.
Policy Evaluation Order: Policies assigned at a higher scope (e.g., management group) are evaluated first. If a deny policy at a higher scope blocks a resource, lower scope policies are not evaluated. However, if multiple policies at the same scope apply, all are evaluated; if any deny, the resource is denied.
Configuration and Verification Commands
Create a policy definition using Azure CLI:
az policy definition create --name "deny-unmanaged-disks" --display-name "Deny VMs without managed disks" --description "This policy denies VMs that do not use managed disks." --rules '{"if":{"allOf":[{"field":"type","equals":"Microsoft.Compute/virtualMachines"},{"field":"Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk.id","exists":"false"}]},"then":{"effect":"deny"}}' --mode AllAssign a policy definition to a subscription:
az policy assignment create --name "deny-unmanaged-disks-assignment" --policy "deny-unmanaged-disks" --scope /subscriptions/{subscriptionId}Trigger a compliance scan:
az policy state trigger-scan --resource-group myResourceGroupView compliance state:
az policy state list --resource-group myResourceGroupCreate a remediation task:
az policy remediation create --name "myRemediation" --policy-assignment "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/policyAssignments/deny-unmanaged-disks-assignment" --resource-discovery-mode ReEvaluateComplianceHow Azure Policy Interacts with Related Technologies
Azure RBAC: Azure Policy and RBAC are complementary. RBAC controls who can perform actions (authentication and authorization), while Azure Policy controls what resources can be created or modified (compliance). For example, a user with Contributor role can create a VM, but Azure Policy can deny that VM if it doesn't meet encryption requirements.
Azure Blueprints: Blueprints are a declarative way to orchestrate the deployment of resource groups, policies, RBAC roles, and ARM templates. When you assign a blueprint, it creates policy assignments as part of the blueprint definition. Blueprints use Azure Policy to enforce compliance of the deployed resources.
Azure Security Center (ASC): ASC uses Azure Policy as its underlying engine for security recommendations. For example, the ASC recommendation 'Disk encryption should be applied on virtual machines' is backed by a built-in policy that audits VMs without encryption. When you enable ASC, it automatically assigns the 'Azure Security Benchmark' initiative, which contains many policies.
Azure Resource Graph: You can query compliance data using Resource Graph. For example:
policyresources
| where type == 'microsoft.authorization/policyassignments'
| project policyAssignmentId, scope, properties.policyDefinitionIdAzure Management Groups: Policies can be assigned at the management group level, affecting all child subscriptions. This is useful for enforcing organization-wide standards.
1. Define Policy Definition
Create a JSON-based policy definition that specifies the conditions and effect. The definition includes the 'if' block (conditions using fields, tags, location, or aliases) and the 'then' block (effect). For example, to deny VMs without managed disks, you define a condition checking that the type is 'Microsoft.Compute/virtualMachines' and the managed disk ID does not exist. The effect is 'deny'. You can also use built-in definitions from the Azure portal or community. Definitions are stored at the management group or subscription level and can be reused across assignments.
2. Create Initiative (Optional)
Group multiple policy definitions into an initiative for unified compliance tracking. Initiatives can include up to 100 definitions. For example, the 'Azure Security Benchmark' initiative includes hundreds of policies for security best practices. When you assign an initiative, compliance is aggregated across all included definitions. Initiatives are useful for categorizing policies (e.g., 'Security', 'Cost Management'). You can also create custom initiatives.
3. Assign Policy to Scope
Assign the policy definition or initiative to a management group, subscription, or resource group. During assignment, you can set parameters (e.g., allowed locations), define exclusions (e.g., exclude a specific resource group), and configure remediation settings for 'DeployIfNotExists' or 'Modify' policies. The assignment triggers evaluation of all existing resources at that scope and starts enforcing on new resources. You can assign the same policy to multiple scopes.
4. Evaluate Compliance
The policy engine evaluates resources against the assigned policies. On resource creation/update, the engine checks the policy conditions. If the effect is 'Deny' and conditions are met, the request is rejected with a 403 error. For existing resources, a full compliance scan runs every 24 hours. You can also trigger an on-demand scan. The compliance state is stored and viewable in the portal under 'Compliance'. Resources can be 'Compliant', 'Non-compliant', 'Conflict', or 'Error'.
5. Remediate Non-Compliant Resources
For policies with 'DeployIfNotExists' or 'Modify' effects, you can create remediation tasks to bring non-compliant resources into compliance. Remediation tasks deploy ARM templates or modify resource properties. For example, a policy that requires a Log Analytics agent on VMs can create a remediation task to install the agent on existing VMs. Remediation tasks can be triggered manually or scheduled. They run asynchronously and can take time depending on the number of resources.
In a large enterprise with thousands of subscriptions, Azure Policy is used to enforce security baselines. For example, a financial services company must ensure that all storage accounts have encryption at rest enabled and that no public network access is allowed. They create a custom initiative 'Financial Security Baseline' with policies: 'Storage accounts should have encryption at rest enabled', 'Storage accounts should deny public network access', and 'Virtual machines should have disk encryption enabled'. They assign this initiative at the root management group level, affecting all subscriptions. Exclusions are made for a specific resource group used for testing. The compliance dashboard shows that 95% of resources are compliant; remediation tasks are created for the non-compliant ones. A common issue is that some application teams accidentally disable encryption, and the deny effect prevents them from doing so; they must request an exception via a policy exemption (which is a separate feature). Performance considerations: With tens of thousands of resources, the compliance scan may take several hours, but it is a background process. Remediation tasks should be run during off-peak hours to avoid impacting production. Another scenario: A healthcare organization uses Azure Policy to enforce HIPAA compliance. They assign the built-in 'HIPAA/HITRUST' initiative and also create custom policies to require specific tags (e.g., 'DataClassification: PHI') on all resources. They use the 'Append' effect to automatically add missing tags during resource creation. Misconfiguration example: If a policy with 'Deny' effect is assigned incorrectly (e.g., denying all VMs in a region where VMs are needed), it can block critical deployments. To avoid this, always test policies using 'Audit' effect first before switching to 'Deny'. Also, be aware of policy conflicts: if two policies assign different effects to the same resource, 'Deny' takes precedence, which can cause unexpected denials.
The AZ-500 exam tests Azure Policy primarily in the 'Security Operations' domain (objective 4.3: 'Manage security posture by using Azure Policy'). Expect 5-10 questions on this topic. Common wrong answers: (1) 'Azure Policy controls who can create resources' – this is RBAC, not Policy. (2) 'Azure Policy can be used to apply tags to existing resources' – only 'Modify' or 'Append' effects can add tags, but only during creation or update; for existing resources, you need a remediation task. (3) 'Policy evaluation occurs only during resource creation' – it also runs every 24 hours and on-demand. (4) 'Initiatives are the same as policy definitions' – initiatives are groups of definitions. Specific numbers to memorize: default compliance scan interval is 24 hours; maximum number of policy definitions in an initiative is 100; effects include Deny, Audit, Append, AuditIfNotExists, DeployIfNotExists, Modify, Disabled. The exam loves edge cases: What happens if a resource is non-compliant due to multiple policies with different effects? Answer: The resource is marked as 'Conflict' and the deny effect takes precedence. Another edge case: Can you assign a policy to a management group that has child subscriptions? Yes, and it applies to all child subscriptions unless excluded. The exam also tests the difference between 'Append' and 'Modify': Append only adds properties that do not exist; Modify can change existing properties. To eliminate wrong answers, remember the core mechanism: Azure Policy evaluates resource properties against conditions and applies an effect. It does not manage user permissions (RBAC) or deploy resources (ARM templates) except through remediation tasks.
Azure Policy enforces rules on resource properties at creation, update, and periodically every 24 hours.
Effects include Deny, Audit, Append, AuditIfNotExists, DeployIfNotExists, Modify, and Disabled.
Initiatives group up to 100 policy definitions for unified compliance tracking.
Policy assignments can include parameters and exclusions.
Remediation tasks are required for DeployIfNotExists and Modify policies to fix existing resources.
Azure Policy is separate from RBAC; RBAC controls access, Policy controls configuration.
The 'Deny' effect returns a 403 error and prevents resource creation/update.
Built-in initiatives include the Azure Security Benchmark and HIPAA/HITRUST.
Policy evaluation order: higher scope policies evaluated first; if any deny, resource is denied.
Use the 'Audit' effect to test policies before switching to 'Deny' to avoid blocking deployments.
These come up on the exam all the time. Here's how to tell them apart.
Azure Policy
Controls what resources can be created or modified (compliance).
Uses policy definitions with conditions and effects (deny, audit, etc.).
Evaluates resource properties against rules.
Assigned to scopes (management group, subscription, resource group).
Can automatically remediate non-compliant resources via remediation tasks.
Azure RBAC
Controls who can perform actions on resources (authorization).
Uses role definitions with permissions (e.g., Reader, Contributor).
Evaluates user identity and actions against allowed permissions.
Assigned to users, groups, or service principals at scope.
Cannot automatically change resource configurations; it only allows or denies actions.
Mistake
Azure Policy is the same as Azure RBAC.
Correct
Azure Policy enforces rules on resource properties (e.g., location, tags, SKU) and can deny or audit resources. RBAC controls who can perform actions (e.g., create, read, delete). They are complementary but distinct.
Mistake
Azure Policy can automatically fix non-compliant resources without any additional configuration.
Correct
Only policies with 'DeployIfNotExists' or 'Modify' effects can remediate resources, and you must create a remediation task. Other effects like 'Deny' or 'Audit' do not fix resources.
Mistake
Policy evaluation only happens when a resource is created or updated.
Correct
Evaluation occurs on create/update and also on a periodic full compliance scan every 24 hours. You can also trigger an on-demand scan.
Mistake
An initiative can contain an unlimited number of policy definitions.
Correct
An initiative can contain up to 100 policy definitions. This limit is documented.
Mistake
If a policy denies a resource, the user is not charged for the failed creation.
Correct
Correct, but this is a misconception about cost. The deny happens before the resource is created, so no billing occurs. However, some users think the resource is created and then deleted, which is not the case.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Azure Policy enforces compliance rules on resources, while Azure Blueprints is a deployment tool that packages ARM templates, policies, RBAC roles, and resource groups into a single artifact. Blueprints can include policy assignments, but the policy engine itself is separate. Blueprints are used to create consistent environments, whereas Azure Policy is used to govern existing and new resources.
Yes, but only with the 'Modify' effect and a remediation task. The 'Append' effect only adds tags during resource creation or update. To add tags to existing resources, you must create a policy with 'Modify' effect and then run a remediation task. Alternatively, you can use Azure Policy's 'DeployIfNotExists' to deploy a logic app that adds tags, but 'Modify' is the direct approach.
When multiple policies apply to the same resource and have different effects, the resource compliance state is 'Conflict'. The 'Deny' effect takes precedence over 'Audit' and other effects. For example, if one policy denies a resource and another audits, the resource is denied. The compliance state shows 'Conflict' to alert administrators.
The default compliance scan runs every 24 hours. You can trigger an on-demand scan using Azure CLI, PowerShell, or the portal. The scan evaluates all resources within the assignment scope against all assigned policies.
Yes, you can define exclusions when creating a policy assignment. Exclusions can be at the subscription, resource group, or individual resource level (using resource ID). Excluded resources are not evaluated by the policy. Exclusions are specified as an array of scope strings in the assignment.
'Append' is used to add additional fields to a resource during creation or update, but only if the field does not already exist. 'Modify' can add, update, or remove properties on a resource, and it can change existing values. 'Modify' is more flexible and is the recommended effect for tag enforcement on existing resources.
You can view compliance in the Azure portal under 'Policy' > 'Compliance'. You can also use Azure CLI: 'az policy state list' or Azure PowerShell: 'Get-AzPolicyState'. Additionally, you can query compliance data using Azure Resource Graph.
You've just covered Azure Policy for Security Compliance — now see how well it sticks with free AZ-500 practice questions. Full explanations included, no account needed.
Done with this chapter?