Demystifying Azure Security - Azure Policies - 2 - Assigning a Policy

@20aman    Dec 27, 2017

This blog post is part of the Demystifying Azure Security series. All posts in the series can be found here: Demystifying Azure Security - Series Index

In this post, we will view the policies in action. Policy assignment is very easy on the Azure Portal. We will be assigning a built-in policy at a subscription scope.

Accessing the Policies in the Azure portal

Begin by accessing the Policies in the Azure Portal. To do this follow the below steps:

  1. Navigate to Subscriptions (via All Services or the navigation sidebar)
  2. Select the subscription for which you want to view the Policies
  3. Scroll down to the "Settings" category in the menu of the subscription
  4. Click on "Policies" to access the policies in Azure

Assigning the Built-in Policies

To perform the assignment, click on "Assign Policy" from either Compliance or the Assignment tabs.

Assign Policy

In the new blade, provide the value for the:

  1. Policy to be applied
  2. Name and Description of the Policy. The name will be the name of the policy selected by default. As a best practice ensure to provide the detailed description.
  3. Assigned by will be your name by default
  4. You can select the pricing tier between Free and Standard. You will get the compliance evaluation of the resources in your environment against the policy with the Standard pricing tier
  5. Scope for the Policy
  6. Exclusions from the Policy
  7. Any additional parameters related to the policy

To select from the policies, click on the blue button with an ellipse (i.e. 3 dots) in front of the Policy box. This will popup another blade for all the Policy definitions.

Assign Policy Blade details

Scroll through various Built-in policies. Once we define any custom user-defined policies, they will also be displayed here. Select the policy "Allowed locations" from the list of the policies as an example. Click on "Select" once done.

Selecting Policy

Select the Scope for applying the policy. You can leave the default to the Subscription level. Or you can click on the blue button in front of scope text box and select the Resource Groups under the subscription on which you want to apply the policy.

You can also select the Exclusions if you require. These Resource Group or resources will not be evaluated against the policy.

Selecting Scope

Lastly, you will have additional parameters for the policy related values. These parameters will vary and will depend on the policy you have selected. E.g. For "Allowed locations" policy, you will see the parameter for allowed locations. Select "East US" and "East US 2" for the locations as an example.

Providing value for Policy related Parameters

Once you complete the configurations, click on the "Assign" button to apply the policy

Validating the Policy

To validate the policy for "Allowed locations" follow these steps:

  1. Try to deploy a Storage Account or a VM or any other resource in a location that is NOT allowed. E.g. try deploying a storage account in the "West US" location. This should fail with the validation error stating the policy id.
  2. Perform the same deployment but to one of the allowed location. E.g. try deploying a storage account in the "East US" location. This should succeed without any erros.

Comments powered by Disqus