Automatically audit and deploy Azure Resource Locks.

Mahavir Saroj 251 Reputation points
2023-08-07T13:25:36.16+00:00

I came across a scenario where, after applying this automatic Azure policy for resource group locks, it's working fine. What if someone manually removes the resource lock? How can we ensure that, even if someone removes the Azure policy manually from the portal, Azure Policy reapplies it again? Could you please help with that?


Accepted answer
  1. AnuragSingh-MSFT 21,546 Reputation points Moderator
    2023-08-09T09:03:54.9966667+00:00

    @Mahavir Saroj, yes, you could use Azure Automation to schedule a runbook to run at regular intervals to check for the policy assignment and assign it again if the assignment has been deleted. For details, see Azure Policy PowerShell.

    You may also refer to the following links for details on Azure Automation runbooks:

    • Creating Azure Automation Runbook
    • Manage schedules in Azure Automation

    However, this will not resolve much of the issue. If a user can delete the lock, policy assignment, etc., how would you stop this or other users from deleting the Azure Automation account or the runbook from being executed? Therefore, the better solution in this case is Azure RBAC, to ensure that only specific users have access to modify these things. For details of Azure Policy RBAC, see Azure Policy RBAC. Hope this helps. Please let me know if you have any questions.

    If the answer helped, please click Accept answer so that it can help others in the community looking for help on similar topics.


1 additional answer

  1. Tech-Hyd-1989 5,816 Reputation points
    2023-08-07T18:39:55.11+00:00

    Hello Mahavir Saroj

    If someone manually removes a resource lock that was applied by an Azure Policy, there is no built-in mechanism to automatically reapply the policy. However, you can use Azure Policy's remediation feature to automatically remediate non-compliant resources.

    Azure Policy's remediation feature allows you to automatically fix non-compliant resources by applying the policy again. You can configure remediation tasks to run automatically when a resource is found to be non-compliant with a policy. Remediation tasks can be used to apply the policy again, or to take other actions to bring the resource into compliance.

    To configure remediation tasks for your Azure Policy, you can follow these steps:

    • Create a remediation task definition: A remediation task definition specifies the actions that should be taken to remediate non-compliant resources. You can create a remediation task definition by using the Azure portal, Azure PowerShell, Azure CLI, or REST API.
    • Assign the remediation task definition to a policy: You can assign the remediation task definition to a policy by using the Azure portal, Azure PowerShell, Azure CLI, or REST API. When a resource is found to be non-compliant with the policy, the remediation task will be triggered automatically.
    • Monitor the remediation task: You can monitor the status of the remediation task by using the Azure portal. You can view the status of the remediation task and take any necessary actions to resolve any issues that may arise.

    By using Azure Policy's remediation feature, you can ensure that your policies are automatically reapplied when a resource is found to be non-compliant, even if someone manually removes a resource lock.

    Document link: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/remediation-structure
    <Please accept answer and upvote if the above information is helpful for the benefit of the community.>
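Combining the two approaches above (the scheduled runbook from the accepted answer and the remediation task from the second answer), here is an added example that is not code from either answer or from Microsoft: an Azure Automation runbook in Az PowerShell that re-creates the policy assignment if it has been deleted and then starts a remediation task so a DeployIfNotExists lock policy re-applies locks that were removed by hand. The subscription id, assignment name, definition name and location are placeholders, and the runbook is assumed to run under a managed identity that holds Resource Policy Contributor on the scope.

```powershell
# Runbook: re-create a deleted policy assignment and remediate non-compliant resources.
# Requires modules Az.Accounts, Az.Resources and Az.PolicyInsights in the Automation account.
param(
    [string]$SubscriptionId       = '<subscription-id>',          # placeholder
    [string]$AssignmentName       = 'deploy-rg-lock',             # hypothetical assignment name
    [string]$PolicyDefinitionName = '<policy-definition-name>',   # placeholder
    [string]$Location             = 'eastus'                      # assumption; required for the assignment identity
)

# Sign in with the Automation account's managed identity (no stored credentials in the runbook).
Connect-AzAccount -Identity | Out-Null
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null
$scope        = "/subscriptions/$SubscriptionId"
$assignmentId = "$scope/providers/Microsoft.Authorization/policyAssignments/$AssignmentName"

# 1. Check whether the assignment still exists; a missing assignment yields $null here.
$assignment = Get-AzPolicyAssignment -Name $AssignmentName -Scope $scope -ErrorAction SilentlyContinue

if (-not $assignment) {
    Write-Output "Assignment '$AssignmentName' is missing at $scope; re-creating it."
    $definition = Get-AzPolicyDefinition -Name $PolicyDefinitionName
    # DeployIfNotExists/Modify policies need a managed identity to perform the deployment.
    $assignment = New-AzPolicyAssignment -Name $AssignmentName -Scope $scope `
        -PolicyDefinition $definition -IdentityType SystemAssigned -Location $Location
    # The new identity still needs the role(s) listed in the definition's roleDefinitionIds;
    # grant them with New-AzRoleAssignment before the first remediation can succeed.
}
else {
    Write-Output "Assignment '$AssignmentName' is present."
}

# 2. Re-apply the policy to resources already non-compliant, e.g. a resource group whose lock
#    was deleted manually. Remediation only applies to DeployIfNotExists/Modify effects.
$nonCompliant = Get-AzPolicyState -PolicyAssignmentName $AssignmentName `
    -Filter "ComplianceState eq 'NonCompliant'"

if ($nonCompliant) {
    $taskName = "remediate-$AssignmentName-$(Get-Date -Format 'yyyyMMddHHmm')"
    # ReEvaluateCompliance forces a fresh evaluation instead of reusing the last compliance scan.
    Start-AzPolicyRemediation -Name $taskName -Scope $scope -PolicyAssignmentId $assignmentId `
        -ResourceDiscoveryMode ReEvaluateCompliance | Out-Null
    Write-Output "Started remediation task '$taskName' for $(@($nonCompliant).Count) resource(s)."
}
else {
    Write-Output "No non-compliant resources for '$AssignmentName'; nothing to remediate."
}
```

Schedule the runbook with an Automation schedule as the accepted answer suggests, and restrict who can modify the Automation account, the runbook and the policy assignment with Azure RBAC, since the runbook cannot protect itself.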
