Is there a way to exclude resource groups that Azure create for AzureBackup from policy assignment ?

Sameed Shaikh 1 Reputation point
2022-06-15T18:02:00.803+00:00

I am using a policy for Tags which prevents "Resource groups" from getting deployed if specified tags will be missing. This causes Azure Backup failure.
I'd like to find a way to automatically exclude resource groups that contain a specific name e.g AzureBackupRG_{region}_{number}, but I can't figure out the logic for that.
Sharing the Policy here:

{
"mode": "All",
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"field": "tags['application']",
"exists": false
},
{
"field": "tags['contact']",
"exists": false
},
{
"field": "tags['createdBy']",
"exists": false
},
{
"field": "tags['status']",
"exists": false
},
{
"not": {
"value": "[resourceGroup().name]",
"like": "AzureBackupRG*"
}
}
]
},
"then": {
"effect": "deny"
}
},
"parameters": {}
}

Azure Backup
Azure Backup
An Azure backup service that provides built-in management at scale.
1,496 questions
Azure Policy
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
1,019 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. SwathiDhanwada-MSFT 18,996 Reputation points Moderator
    2022-06-16T06:19:05.283+00:00

    @Sameed Shaikh Welcome to Microsoft Q & A Community Forum. I understand that you want to exclude the default resource groups that are created by Azure Backup service from tagging. I would recommend you use exclusions via the policy assignments or create exemptions rather modifying the rule. The Azure Policy exemptions feature is used to exempt a resource hierarchy or an individual resource from evaluation of initiatives or definitions. Resources that are exempt count toward overall compliance but can't be evaluated or have a temporary waiver. For more information about Policy Exemptions, refer this document.

    To create a new exemption, please go to the assignment or the compliance section and click on "Create Exemption" as highlighted in below image.

    211849-image.png

    You can mention the exemption scope in highlighted area and Click on Create. Regarding the exemption category, you can choose based on your requirement.
    211951-image.png

    211913-image.png

    Please note that there is a limitation that you can select only one scope each exemption.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.