Create custom policy for Azure VM snapshot creation to be LRS only

Diwakar Ambi (Accenture) 0 Reputation points
2024-07-11T14:48:29.18+00:00

We are taking snapshot backups of the OS and data disks of Azure VMs on a need basis. We want the snapshots to be taken only as full snapshots, with the storage type set to Standard LRS.

Could you kindly suggest how we can create a custom policy to have this governance in place?

Azure Backup

1 answer

  1. Sina Salam 9,881 Reputation points
    2024-07-11T17:26:35.8733333+00:00

    Hello Diwakar Ambi (Accenture),

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    Problem

    I understand that you are asking for guidance on how to create a custom policy in Azure to enforce governance. Also, you would like to ensure that all snapshots taken of the operating system (OS) and data disks of these VMs are full snapshots and use Standard Locally Redundant Storage (LRS).

    Solution

    To create a custom Azure Policy that ensures snapshots of Azure VMs are taken as full snapshots and use Standard Locally Redundant Storage (LRS), you can define a policy definition that enforces these conditions.

    The first step is to:

    Create a Custom Policy Definition.

    User's image

    As seen in the above image: go to the Azure Portal. Navigate to "Policy" from the left-hand menu > expand "Authoring" (if not already expanded) > click "Definitions" and then click "+ Policy definition" to create a new custom policy.

    Secondly, Define the Policy.

    User's image

    Provide the required parameters:

    • Name: Give your policy a name, for example, "Enforce Standard LRS for VM Snapshots".
    • Description: Provide a description of what the policy does.
    • Category: Choose an existing category or create a new one.

    https://learn.microsoft.com/learn/modules/build-cloud-governance-strategy-azure/?WT.mc_id=APC-Policy

    Thirdly, use the following JSON for the "Policy Rule" in the CODE BOX as seen in the image.

    {
      "properties": {
        "displayName": "Enforce Standard LRS for VM Snapshots",
        "policyType": "Custom",
        "mode": "All",
        "description": "This policy ensures that all VM snapshots are taken as full snapshots and use Standard LRS storage.",
        "metadata": {
          "category": "Compute"
        },
        "parameters": {},
        "policyRule": {
          "if": {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/snapshots"
              },
              {
                "field": "Microsoft.Compute/snapshots/creationData.createOption",
                "exists": "true"
              }
            ]
          },
          "then": {
            "effect": "AuditIfNotExists",
            "details": {
              "type": "Microsoft.Compute/snapshots",
              "name": "[field('name')]",
              "existenceCondition": {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/snapshots/sku.name",
                    "equals": "Standard_LRS"
                  },
                  {
                    "field": "Microsoft.Compute/snapshots/incremental",
                    "equals": "false"
                  }
                ]
              }
            }
          }
        }
      }
    }
    

    The fourth step is to click "Save" to create the policy definition.

    Lastly, assign the Policy.

    User's image

    As shown in the image: navigate to "Assignments" under the "Policy" section > click "+ Assign policy" > in the "Basics" tab, select the scope (subscription or resource group) where you want to apply this policy > in the "Policy definition" field, search for and select the custom policy you just created > configure any additional settings as needed and click "Review + create".

    NOTE:

    This policy will audit any snapshot that does not meet the specified criteria (full snapshot and Standard LRS). If you want to enforce this policy to deny the creation of non-compliant snapshots, you can change the effect in the policy rule from AuditIfNotExists to Deny.

    "then": {
      "effect": "Deny"
    }
    


    I hope this is helpful! Do not hesitate to let me know if you have any other questions.

    ** Please don't forget to close the thread here by upvoting and accepting this as the answer if it is helpful ** so that others in the community facing similar issues can easily find the solution.

    Best Regards,

    Sina Salam

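One caveat worth checking before switching the effect to Deny as the NOTE above suggests: Deny evaluates only the "if" condition, while the "details"/"existenceCondition" block belongs to AuditIfNotExists, so for Deny the Standard_LRS and non-incremental checks have to be expressed inside "if". The Python below is an added example (not the answerer's code and not a Microsoft tool): it encodes that Deny-form rule and evaluates it locally against constructed snapshot request bodies using Azure Policy's allOf/anyOf/equals/notEquals semantics. It assumes `Microsoft.Compute/snapshots/sku.name` is the alias for the snapshot SKU and that `incremental` resolves under the resource properties.

```python
SNAPSHOT_TYPE = "Microsoft.Compute/snapshots"
ALIAS_PREFIX = SNAPSHOT_TYPE + "/"

# Deny variant: Deny ignores the "details"/"existenceCondition" block of AuditIfNotExists,
# so the checks move into "if" and select the NON-compliant snapshots (not LRS, or incremental).
DENY_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": SNAPSHOT_TYPE},
        {"anyOf": [
            {"field": ALIAS_PREFIX + "sku.name", "notEquals": "Standard_LRS"},
            {"field": ALIAS_PREFIX + "incremental", "equals": "true"},
        ]},
    ]},
    "then": {"effect": "Deny"},
}

def resolve_field(body: dict, field: str):
    """'type' or a snapshots/... alias -> value in the request body (None if absent).
    Assumed alias layout: sku.name at the root, everything else under properties."""
    if field == "type":
        return body.get("type")
    name = field[len(ALIAS_PREFIX):]
    if name == "sku.name":
        return body.get("sku", {}).get("name")
    return body.get("properties", {}).get(name)
def evaluate(cond: dict, body: dict) -> bool:
    """allOf/anyOf plus equals/notEquals (case-insensitive string compare);
    a missing field never 'equals' a value but always 'notEquals' it."""
    if "allOf" in cond:
        return all(evaluate(c, body) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, body) for c in cond["anyOf"])
    value = resolve_field(body, cond["field"])
    if "equals" in cond:
        return value is not None and str(value).lower() == str(cond["equals"]).lower()
    return value is None or str(value).lower() != str(cond["notEquals"]).lower()
def effect_for(rule: dict, body: dict) -> str:
    """'Deny' when the rule's 'if' matches the request, else 'Allow' (rule not in scope)."""
    return rule["then"]["effect"] if evaluate(rule["if"], body) else "Allow"
def snapshot(sku: str, incremental: bool) -> dict:
    """Constructed snapshot request body, not captured from a real subscription."""
    return {"type": SNAPSHOT_TYPE, "sku": {"name": sku}, "properties": {"incremental": incremental}}
def evaluate_samples() -> dict:
    """Only the full Standard_LRS snapshot is allowed; a disk is outside the rule's scope."""
    samples = {"full-lrs": snapshot("Standard_LRS", False),
               "full-zrs": snapshot("Standard_ZRS", False),
               "incremental-lrs": snapshot("Standard_LRS", True),
               "premium-disk": {"type": "Microsoft.Compute/disks", "sku": {"name": "Premium_LRS"}}}
    return {name: effect_for(DENY_RULE, body) for name, body in samples.items()}
```

Run `evaluate_samples()` to see which constructed requests the Deny rule would block; the real policy is still evaluated by Azure against its own aliases, so validate the definition in Audit mode on a test scope before assigning Deny.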
