Assign policy to specific resource in Azure

Mohamed Rizvi 21 Reputation points
2022-11-12T07:50:17.8+00:00

Hi,
Can I assign a policy to a specific resource (e.g., a virtual machine) in Azure? Or is the policy assigned to a resource group that includes the resources?

Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.

Accepted answer
  1. SwathiDhanwada-MSFT 10,626 Reputation points
    2022-11-14T09:16:24.037+00:00

    @Mohamed Rizvi Welcome to the Microsoft Q&A Community Forum. As mentioned by @Roderick Bant, you can't assign a policy at resource-level scope. However, you can assign the policy at the management group, subscription and resource group level and use the exclusions feature to exclude the resource you don't want to include in the policy assignment.

    For more information on policy assignment, you can refer to the articles below.


2 additional answers

  1. Roderick Bant 2,031 Reputation points
    2022-11-12T10:00:28.24+00:00

    Policies are typically assigned to management groups, subscriptions or resource groups. However, you can design your policy to include a parameter for the name of the resource and use that parameter in the logical evaluation part of the policyRule to decide whether it should be applied.

    See the example below for using a list of names as a parameter to, in this case not, apply the policy to.

       {  
           "properties": {  
               "displayName": "Assigned resource names",  
               "description": "This policy enables you to assign it to specific resources.",  
               "mode": "Indexed",  
               "metadata": {  
                   "version": "1.0.0",  
                   "category": "Custom"  
               },  
               "parameters": {  
                   "allowedResourceNames": {  
                       "type": "array",  
                       "metadata": {  
                           "description": "The list of resources the policy should apply to",  
                           "displayName": "Allowed resources names"  
                       },  
                       "defaultValue": [ "westus2" ]  
                   }  
               },  
               "policyRule": {  
                   "if": {  
                       "not": {  
                           "field": "name",  
                           "in": "[parameters('allowedResourceNames')]"  
                       }  
                   },  
                   "then": {  
                       "effect": "deny"  
                   }  
               }  
           }  
       }  
    
    1 person found this answer helpful.
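An offline way to preview which resources the name-filter rule in the answer above would match before it is assigned, as an added example that is not part of the original answers and is not Azure's evaluation engine. The inventory and its resource names are constructed, the evaluator handles only the operators shown, and case-insensitive comparison is modelled here as an assumption.

```python
# Added example: offline preview of a name-filter policyRule. Not Azure's engine.
POLICY_RULE = {  # the "if"/"then" from the answer above
    "if": {"not": {"field": "name", "in": "[parameters('allowedResourceNames')]"}},
    "then": {"effect": "deny"},
}

# Constructed inventory for one resource group (hypothetical names).
RESOURCES = [
    {"name": "vm-app-01", "type": "Microsoft.Compute/virtualMachines"},
    {"name": "VM-APP-02", "type": "Microsoft.Compute/virtualMachines"},
    {"name": "stlogs01", "type": "Microsoft.Storage/storageAccounts"},
]

def resolve(value, params):
    """Resolve the only template form handled here: [parameters('name')]."""
    prefix, suffix = "[parameters('", "')]"
    if isinstance(value, str) and value.startswith(prefix) and value.endswith(suffix):
        return params[value[len(prefix):-len(suffix)]]
    return value

def norm(value):
    """Lower-case strings: this sketch treats these operators as case-insensitive."""
    return value.lower() if isinstance(value, str) else value

def matches(cond, resource, params):
    """Evaluate allOf / anyOf / not and field with equals, notEquals, in, notIn."""
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource, params)
    actual = norm(resource.get(cond.get("field")))
    for op in ("equals", "notEquals", "in", "notIn"):
        if op in cond:
            expected = resolve(cond[op], params)
            if op in ("in", "notIn"):
                hit = actual in [norm(x) for x in expected]
            else:
                hit = actual == norm(expected)
            return hit != op.startswith("not")
    raise ValueError(f"unsupported condition: {cond}")

def matched_by_deny(rule, resources, params):
    """Names of resources whose create/update request the deny rule would match."""
    if rule["then"]["effect"].lower() != "deny":
        return []
    return [r["name"] for r in resources if matches(rule["if"], r, params)]
```

Calling `matched_by_deny` with the answer's `defaultValue` of `[ "westus2" ]` as `allowedResourceNames` returns every resource in the constructed inventory, because none of them is named `westus2`.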

  2. Chansik Lee 0 Reputation points Microsoft Employee
    2023-02-11T08:07:26.15+00:00

    In my case, it worked well when I used the custom policy below.

    ※ This custom policy also constrains the location, so please use only what you need.

    {
      "mode": "Indexed",
      "policyRule": {
        "if": {
          "allOf": [
            {
              "anyOf": [
                {
                  "field": "location",
                  "notIn": "[parameters('listOfAllowedLocations')]"
                },
                {
                  "value": "[split(field('type'), '/')[0]]",
                  "notIn": "[parameters('listOfAllowedResourceProviders')]"
                }
              ]
            },
            {
              "field": "location",
              "notEquals": "global"
            },
            {
              "field": "type",
              "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"
            }
          ]
        },
        "then": {
          "effect": "deny"
        }
      },
      "parameters": {
        "listOfAllowedLocations": {
          "type": "Array",
          "metadata": {
            "displayName": "Allowed locations",
            "description": "The list of locations that can be specified when deploying resources.",
            "strongType": "location"
          }
        },
        "listOfAllowedResourceProviders": {
          "type": "Array",
          "metadata": {
            "displayName": "Allowed resource providers",
            "description": "Allow only specific resource providers"
          }
        }
      }
    }
    
    

    User's image

    As shown in the picture above, you need to enter the name of the resource provider.
