Is there a way to exclude resource groups that Azure create for AzureBackup from policy assignment ?

Question

I am using a policy for Tags which prevents "Resource groups" from getting deployed if specified tags will be missing. This causes Azure Backup failure.
I'd like to find a way to automatically exclude resource groups that contain a specific name e.g AzureBackupRG_{region}_{number}, but I can't figure out the logic for that.
Sharing the Policy here:

{
"mode": "All",
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"field": "tags['application']",
"exists": false
},
{
"field": "tags['contact']",
"exists": false
},
{
"field": "tags['createdBy']",
"exists": false
},
{
"field": "tags['status']",
"exists": false
},
{
"not": {
"value": "[resourceGroup().name]",
"like": "AzureBackupRG*"
}
}
]
},
"then": {
"effect": "deny"
}
},
"parameters": {}
}

Answer 1

@Sameed Shaikh Welcome to Microsoft Q & A Community Forum. I understand that you want to exclude the default resource groups that are created by Azure Backup service from tagging. I would recommend you use exclusions via the policy assignments or create exemptions rather modifying the rule. The Azure Policy exemptions feature is used to exempt a resource hierarchy or an individual resource from evaluation of initiatives or definitions. Resources that are exempt count toward overall compliance but can't be evaluated or have a temporary waiver. For more information about Policy Exemptions, refer this document.

To create a new exemption, please go to the assignment or the compliance section and click on "Create Exemption" as highlighted in below image.

You can mention the exemption scope in highlighted area and Click on Create. Regarding the exemption category, you can choose based on your requirement.

Please note that there is a limitation that you can select only one scope each exemption.