Portal Preview of Azure Resource Policy

Gepost op 9 maart, 2017

Senior Program Manager, Azure Resource Manager

Since the first release of resource policies last April, we have received valuable feedback from customers and with this feedback we have added new features. I’m pleased to announce the following new features for Azure Resource Policies:

  • Policy management in portal (preview)
  • Policy with parameters

Policy Management in Portal

Many customers requested the ability to manage policies through the Azure portal. Using the portal reduces the learning curve for creating policies and makes managing the policies easier. It is now available in Azure preview portal.

Similar to working with Identity and Access Control, you can configure resource policies for subscriptions and resource groups from the settings menu. You can view what policies are assigned to the current subscriptions and resource groups, and add new policy assignments. For common policies, you can use the built-in policies and customize the values you need. For example, when creating a geo-compliance policy, the UI simply asks you for a list of permitted locations. You can provide the name and a description that are seen by users when they violate the policy.

 

Capture1

Figure 1: View all policy assignments

 

Capture2

Figure 2: Adding new policy assignment

Policy using Parameters

With API version 2016-12-01, you can add parameters to your policy template. The parameters enable you to customize the policy definition. The preceding example for the portal utilizes parameters in the policy. There are two benefits:

  • Reduce the number of policy definitions to manage. For example, you previously needed multiple policies to manage tags for different applications in different resource groups. Now, you can consolidate them into one policy definition with tag name as a parameter. You provide the value of the tag name when you assign the policy to the application.
  • Separate access control for policy definition and policy management. Previously, if you used resource groups as the scope for most of your policy assignments, all users who assigned a policy to a resource groups also needed permission to create policy definitions. This permission was required because different assignments required different policy definitions. However, granting this permission created the risk that they could potentially modify other policy definitions. By using parameters, users no longer need to create their own policy definitions.
{
  "properties": {
    "displayName": "Allowed virtual machine SKUs",
    "policyType": "BuiltIn",
    "description": "This policy enables you to specify a set of virtual machine SKUs that your organization can deploy.",
    "parameters": {
      "listOfAllowedSKUs": {
        "type": "Array",
        "metadata": {
          "description": "The list of SKUs that can be specified for virtual machines.",
          "displayName": "Allowed SKUs",
          "strongType": "VMSKUs"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "not": {
              "field": "Microsoft.Compute/virtualMachines/sku.name",
              "in": "[parameters('listOfAllowedSKUs')]"
            }
          }
        ]
      },
      "then": { "effect": "Deny" }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/cccc23c7-8427-4f53-ad12-b6a63eb452b3",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "cccc23c7-8427-4f53-ad12-b6a63eb452b3"
}

 

Since this policy is built-in, you can directly assign it without creating your policy definition JSON. To assign this policy using PowerShell, run the following commands:

$policydefinition = Get-AzureRmPolicyDefinition | Where-Object {$_.Properties.DisplayName -like "Allowed virtual machine SKUs"} 
New-AzureRmPolicyAssignment -Name testassignment –Scope  {scope} -PolicyDefinition $policydefinition -listOfAllowedSKUs "Standard_LRS", "Standard_GRS"

It is this simple now!

Help us improve the experience

 

Please try the new features and provide feedback to us through the user voice. Let us know what policies you want to use and how we can improve the experience.