@Jörg Lang Welcome to Microsoft Q&A Forum, thank you for posting your query here!
Apologies for the delayed response!
Those who are new to Azure Policy often look for common policy definitions to manage and govern their resources. Azure Policy's Recommended policies provide a focused list of common policy definitions to start with. The Recommended policies experience for supported resources is embedded within the portal experience for that resource.
For more Azure Policy built-ins, see Azure Policy built-in definitions.
This article provides information on Azure Policy recommended practices.
When implementing Azure policies such as "Allowed locations" and "Storage accounts should disable public network access", it is important to consider the impact on other Azure services and features, such as MAU licensing and Cloud Shell.
Here are some best practices to follow when implementing Azure policies:
- Plan ahead: Before implementing Azure policies, consider the impact on other Azure services and features. Make sure that the policies do not conflict with other requirements or constraints.
- Test thoroughly: Before enforcing Azure policies, test them thoroughly in a non-production environment to ensure that they work as expected and do not cause any unintended consequences.
- Use exceptions: If a policy conflicts with a specific requirement or constraint, consider using exceptions to allow certain resources or services to bypass the policy.
- Monitor and adjust: Monitor the impact of Azure policies on other Azure services and features, and adjust the policies as needed to optimize performance and functionality.
In your specific case, you may need to adjust the "Allowed locations" policy to include the regions where MAU licensing and Cloud Shell are available. You may also need to adjust the "Storage accounts should disable public network access" policy to allow public network access for certain resources or services that require it.
Additional information:
Azure Policy is a powerful tool for managing and governing your Azure resources. However, it can also cause some issues if not configured properly. Here are some best practices that might help you avoid or resolve some of the problems you are facing:
- Use parameters to make your policy definitions more reusable and flexible. For example, you can use a parameter to specify the allowed locations for your resources, instead of hard-coding them in the policy rule.
- Keep your policy rules simple and clear. Avoid using complex ARM template functions or logic that might have unintended side effects or conflicts with other policies.
- Test your policy definitions and assignments before applying them to production environments. You can use the Azure Policy portal, PowerShell, or CLI to evaluate the compliance status and impact of your policies.
- Use custom non-compliance messages to provide more information and guidance to the users who are affected by your policies. You can use the details property in the policy rule to specify the message.
- Set up a CI/CD pipeline for your Azure Policy definitions and assignments. This can help you automate the deployment and update of your policies across different environments and scopes. You can use tools like GitHub, Azure DevOps, or Terraform to implement
- Review the recommended policies for Azure services that are provided by Microsoft. These policies cover common scenarios and best practices for different Azure resources, such as virtual machines, storage accounts, and network security groups. You can find them in the Azure portal under the Capabilities tab for each service, or in the Azure Policy documentation.
- Follow the standard enterprise governance guidelines that are suggested by the Microsoft Cloud Adoption Framework. These guidelines can help you design and implement a consistent and effective governance strategy for your Azure environment.
I hope this helps. Let me know if you have any further questions or concerns.
Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.
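The following is an added example, not code from the answer above or from Microsoft. It ties together four of the practices the answer lists: a parameterised "Allowed locations"-style definition instead of hard-coded regions, an assignment that supplies the parameter value and a custom non-compliance message (Azure puts that message on the assignment's nonComplianceMessages, which is where this example places it), a policy exemption for the resource group holding a Cloud Shell storage account, and an offline dry run of the rule against constructed sample resources before anything is assigned in production. The subscription ID, resource names, resource-group names and the two allowed regions are assumptions; the small evaluator only implements the handful of policy-language operators the definition uses and is a test harness, not the Azure Policy engine.

```python
import re

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription (assumed)

# 1. Parameterised definition in Azure's JSON shape: the allowed regions are an
#    assignment-time input, not literals baked into the rule.
POLICY_DEFINITION = {
    "properties": {
        "displayName": "Allowed locations (example)",
        "policyType": "Custom",
        "mode": "Indexed",
        "parameters": {
            "listOfAllowedLocations": {
                "type": "Array",
                "metadata": {"displayName": "Allowed locations", "strongType": "location"},
            }
        },
        "policyRule": {
            "if": {"allOf": [
                {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
                {"field": "location", "notEquals": "global"},  # global services never match
            ]},
            "then": {"effect": "deny"},
        },
    },
}

# 2. Assignment: supplies the parameter value and a custom non-compliance message.
ASSIGNMENT = {
    "id": f"{SUB}/providers/Microsoft.Authorization/policyAssignments/allowed-locations-prod",
    "properties": {
        "parameters": {"listOfAllowedLocations": {"value": ["westeurope", "northeurope"]}},
        "nonComplianceMessages": [{"message": "Deploy only to West Europe or North Europe; "
                                              "request an exemption for Cloud Shell storage."}],
    },
}

# 3. Exemption (Microsoft.Authorization/policyExemptions) for the resource group that
#    holds the Cloud Shell storage account, instead of weakening the assignment itself.
EXEMPTION = {
    "scope": f"{SUB}/resourceGroups/rg-cloudshell",
    "properties": {"policyAssignmentId": ASSIGNMENT["id"], "exemptionCategory": "Waiver"},
}

# Constructed sample resources for the dry run (not real inventory).
SAMPLE_RESOURCES = [
    {"id": f"{SUB}/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm1",
     "type": "Microsoft.Compute/virtualMachines", "location": "WestEurope"},
    {"id": f"{SUB}/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/stapp",
     "type": "Microsoft.Storage/storageAccounts", "location": "eastus"},
    {"id": f"{SUB}/resourceGroups/rg-cloudshell/providers/Microsoft.Storage/storageAccounts/stcs",
     "type": "Microsoft.Storage/storageAccounts", "location": "eastus"},
    {"id": f"{SUB}/resourceGroups/rg-net/providers/Microsoft.Network/trafficManagerProfiles/tm1",
     "type": "Microsoft.Network/trafficManagerProfiles", "location": "global"},
]

_PARAM_RE = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def _resolve(value, params):
    """Replace a [parameters('name')] reference with the assignment's value."""
    m = _PARAM_RE.match(value) if isinstance(value, str) else None
    return params[m.group(1)]["value"] if m else value


def _norm(v):
    return v.lower() if isinstance(v, str) else v  # Azure Policy string compares are case-insensitive


def condition_matches(cond, resource, params):
    """Evaluate the subset of the policy language used above (allOf/anyOf/not and four field operators)."""
    if "allOf" in cond:
        return all(condition_matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_matches(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_matches(cond["not"], resource, params)
    actual = _norm(resource.get(cond["field"]))
    for op in ("equals", "notEquals", "in", "notIn"):
        if op in cond:
            expected = _resolve(cond[op], params)
            if op == "equals":
                return actual == _norm(expected)
            if op == "notEquals":
                return actual != _norm(expected)
            members = {_norm(x) for x in expected}
            return actual in members if op == "in" else actual not in members
    raise ValueError(f"unsupported condition: {cond}")


def is_exempt(resource, assignment, exemptions):
    """An exemption applies when it targets this assignment and its scope contains the resource."""
    rid = resource["id"].lower()
    for ex in exemptions:
        scope = ex["scope"].lower()
        if (ex["properties"]["policyAssignmentId"].lower() == assignment["id"].lower()
                and (rid == scope or rid.startswith(scope + "/"))):
            return True
    return False


def evaluate(definition, assignment, exemptions, resources):
    """Dry run: map each resource id to (state, message) before the assignment goes to production."""
    rule = definition["properties"]["policyRule"]
    params = assignment["properties"]["parameters"]
    msgs = assignment["properties"].get("nonComplianceMessages", [])
    message = msgs[0]["message"] if msgs else ""
    report = {}
    for r in resources:
        if is_exempt(r, assignment, exemptions):
            report[r["id"]] = ("Exempt", "")
        elif condition_matches(rule["if"], r, params):
            report[r["id"]] = ("NonCompliant/" + rule["then"]["effect"], message)
        else:
            report[r["id"]] = ("Compliant", "")
    return report
```

Running evaluate(POLICY_DEFINITION, ASSIGNMENT, [EXEMPTION], SAMPLE_RESOURCES) marks the West Europe VM and the global Traffic Manager profile compliant, the East US application storage account non-compliant with the deny effect and the custom message, and the East US Cloud Shell storage account exempt. Once the dry run looks right, the same three objects map onto the Azure CLI as `az policy definition create` (with `--rules` and `--params` files), `az policy assignment create` plus `az policy assignment non-compliance-message create`, and `az policy exemption create`; the real compliance results then come from `az policy state list`, not from this harness.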