Demystifying Azure Security - Azure Policies - Initiative Definitions

@20aman    Jan 28, 2018

This blog post is part of the Demystifying Azure Security series. All posts in the series can be found here: Demystifying Azure Security - Series Index

Initiative Definitions are a great way to combine and apply multiple policies together. They are a group of policy definitions to achieve a singular goal. These are the Microsoft recommended way to use the Policies.

E.g. You want to combine a set of policy definitions for the compute and related resources. You want to apply following set of policies:

  1. Allowed locations - to restrict locations where resources can be deployed
  2. Allowed SKUs - to restrict SKUs for the VMs e.g. VMs can be created with SKU Standard_DS2_v2 only
  3. Enforce Tags and it's default value - to enforce the usage of Tags on resources

Instead of managing and assigning the policies separately, you can club these policies together in an Initiative Definition and then assign the same.

Defining Initiative Definition

To create a new Initiative Definition you go to your Subscription and then go to the Policies section under Settings. Within Policies go to the Definitions section under Authoring. Here you can click on the "Initiative Definitions" tab to view the existing definitions. Click on the "+Initiative definition" to create a new Initiative Definition.

Creating Initiative Definition

The new Initiative Definition blade with open up. Here you can create the definition.

  1. The first section, as shown below, is similar to a Policy definition. You will provide the basic information here like Definition location, Name, Description and Category.
  2. On the right side, select the Policies which want to be part of this Initiative Definition in the section "Available Definitions". Select and Add all the policies that you want to group together.
  3. Configure parameters for the selected Policies in the "Policies and Parameters" section. If you selected a wrong policy, you can delete the policy in this section as well.
Initiative Definition Blade

Initiative Parameters

Continuing with the previous section of the Policy definition, you have lots of options when configuring parameters under the "Policies and Parameters" section. You can either "Set value" right within the Initiative Definition, or you can "Use Initiative Parameter". Set the values within the definition if you don't want to change during the assignment. If you want to set the values dynamically then use the Initiative Parameters.

Initiative Parameters are used to parameterize the Initiative Definition. These can be set from the list of allowed values (a subset of all the values) during the assignment.

Options for setting values for Parameters

When you select to use an Initiative Parameter for any value, then a parameter is automatically created.

Initiative Parameters

You can create your own Initiative parmeters as well. If an Initiative parameter is not being used then you won't be able to save that definition. You will get "Bad Request" while trying to save the definition.

Option for creating new Initiative Parameter

Assigning Initiative Definition

The Initiative assignment is exactly same as the Policy Assignment. All the options are similar as well. You provide value to the parameters within the Initiative Definition for all the policies, during the assignment.

Assigning Initiative Definition

Comments powered by Disqus