Is it possible to define a specific scope (multiple management groups) in a policy definition?

Kym Caris Natividad 20 Reputation points
2023-07-31T07:27:18.44+00:00

Is there a way to create a big policy definition that includes different parameters for different management groups? I read somewhere that Azure Policy doesn't directly support specifying multiple scopes within a single policy definition JSON file. Each policy definition can have only one scope. However, you can apply the same policy definition to multiple scopes (subscriptions, resource groups, or resources) by assigning the policy multiple times, each time with a different scope. Can someone verify if this is still applicable?

Scenario:

  1. Need to create a big policy definition on Allowed resource types
  2. Each management group (about 6) have different values on the parameters
  3. And this policy definition will be inside an initiative
Azure Policy
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
755 questions
{count} votes

Accepted answer
  1. SwathiDhanwada-MSFT 16,401 Reputation points
    2023-07-31T07:41:17.9666667+00:00

    @Kym Caris Natividad Yes, that is correct. Azure Policy does not support specifying multiple scopes within a single policy definition JSON file. Each policy definition can have only one scope. However, you can apply the same policy definition to multiple scopes (subscriptions, resource groups, or resources) by assigning the policy multiple times, each time with a different scope.

    To apply the same policy definition to multiple scopes, you can use the Azure Portal, Azure PowerShell, Azure CLI, or Azure Resource Manager templates. For example, you can use Azure PowerShell to assign a policy definition to multiple scopes as follows:

    # Define the policy definition
    $policyDefinition = New-AzPolicyDefinition -Name "MyPolicyDefinition" -Policy "policy.rules.json" -Parameter "policy.parameters.json"
    # Assign the policy definition to multiple scopes
    $scopes = "/subscriptions/<subscriptionId>", "/resourceGroups/<resourceGroupName>", "/subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.Compute/virtualMachines/<vmName>"
    foreach ($scope in $scopes) {
        $policyAssignment = New-AzPolicyAssignment -Name "MyPolicyAssignment" -PolicyDefinition $policyDefinition -Scope $scope
    }
    

    In this example, the policy definition is defined in a JSON file called "policy.rules.json" and its parameters are defined in a separate JSON file called "policy.parameters.json". The policy definition is then assigned to three different scopes: a subscription, a resource group, and a virtual machine.

    That being said, management groups are at highest hierarchy and you may need to create the policy definition for each of the management groups unless you are storing the policy definition at root level management group level.

    0 comments No comments

0 additional answers

Sort by: Most helpful