Creating a custom Policy Using Azure Resource Selector

Question

Creating a custom Policy Using Azure Resource Selector

Seeman, David 20

Is it possible to create a custom policy or utilize Azure policies to implement a deny resource type policy by using only the resource selector parameters, rather than specifying the actual parameters within the policy without the use of initatives?

Also, is it possible to augment the limit for resource selector and parameter count within a policy (EX: 12 resource selectors and 60 parameters for each).

Seeman, David 20 Reputation points

2024-10-09T12:22:12.3566667+00:00

I have beginner-intermediate knowledge of Azure (worked in AWS) so any advice is appreciated

Answer accepted by question author

0 additional answers

Your answer

Seeman, David 20 Reputation points

2024-10-09T12:22:12.3566667+00:00

I have beginner-intermediate knowledge of Azure (worked in AWS) so any advice is appreciated

Answer 1

Deepanshu katara 18,150 MVP Volunteer Moderator

Hello David, Welcome to MS Q&A

Yes, it is possible to create a custom policy in Azure that implements a deny resource type policy using resource selectors. Resource selectors allow you to specify which resources should be evaluated for compliance based on certain criteria, such as resource location or type. This means you can define a policy that denies specific resource types while leveraging resource selectors to narrow down the scope of evaluation.

However, the actual parameters for the deny action must still be specified within the policy definition itself. Resource selectors can help target specific resources but do not replace the need for defining the parameters of the policy.

For more detailed information, you can refer to the following Microsoft documentation:

Kindly accept answer if it helps

Please let us know if any further questions

Thanks

Deepanshu

Seeman, David 20 Reputation points

2024-10-09T12:18:19.6433333+00:00

Sounds good, if that's the case, say I wanted to deny the Main IoT resource and Iot Firmware defense resource type for example by classifying them into resource selectors (both types need to be classified into selector) for the custom policy how would I factor in the parameter for the deny action like you mentioned
Seeman, David 20 Reputation points

2024-10-09T12:19:53.2733333+00:00

Also, in terms of resource selectors is there any way to build out the custom policy with more than 10 resource selectors or is this just preset into Azure policies?
Deepanshu katara 18,150 Reputation points MVP Volunteer Moderator

2024-10-10T17:31:24.1266667+00:00
Now, to address your specific scenario:

1. Denying specific resource types (like IoT resources):

If you want to deny resource types such as Main IoT and IoT Firmware Defense within a custom policy using resource selectors, you would need to classify these resource types into a resource selector. Here’s an outline of how to approach it:

Define the resource types for the selectors in your custom policy.

Create a resource selector that includes both IoT resource types.

In your policy, specify the parameters for the "deny" action, targeting only the resources identified by the selector.

2. Resource selector limitations:

Regarding your question about using more than 10 resource selectors per assignment in a custom policy, Azure currently has a default limit for resource selectors (usually up to 10). Unfortunately, this limit is preset in Azure Policies. However, you can work around this limitation by combining multiple conditions or selectors within a single policy definition or breaking down your policy into multiple smaller policies, each targeting different resource types or groups.

If you need more flexibility beyond these preset limits, it may be worth exploring other Azure governance tools or reviewing policy best practices to optimize your resource selection criteria.

Let us know if you have further questions!

Share via

Creating a custom Policy Using Azure Resource Selector

0 additional answers

Your answer