Is there a way to exclude resource groups that Azure create for AzureBackup from policy assignment ?

asked 2022-06-15T18:02:00.803+00:00
Sameed Shaikh 1 Reputation point

I am using a policy for Tags which prevents "Resource groups" from getting deployed if specified tags will be missing. This causes Azure Backup failure.
I'd like to find a way to automatically exclude resource groups that contain a specific name e.g AzureBackupRG_{region}_{number}, but I can't figure out the logic for that.
Sharing the Policy here:

{
"mode": "All",
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"field": "tags['application']",
"exists": false
},
{
"field": "tags['contact']",
"exists": false
},
{
"field": "tags['createdBy']",
"exists": false
},
{
"field": "tags['status']",
"exists": false
},
{
"not": {
"value": "[resourceGroup().name]",
"like": "AzureBackupRG*"
}
}
]
},
"then": {
"effect": "deny"
}
},
"parameters": {}
}

Azure Backup
Azure Backup
An Azure backup service that provides built-in management at scale.
774 questions
Azure Policy
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
506 questions
No comments
{count} votes

1 answer

Sort by: Most helpful
  1. answered 2022-06-16T06:19:05.283+00:00
    Swathi Dhanwada 9,381 Reputation points Microsoft Employee

    @Sameed Shaikh Welcome to Microsoft Q & A Community Forum. I understand that you want to exclude the default resource groups that are created by Azure Backup service from tagging. I would recommend you use exclusions via the policy assignments or create exemptions rather modifying the rule. The Azure Policy exemptions feature is used to exempt a resource hierarchy or an individual resource from evaluation of initiatives or definitions. Resources that are exempt count toward overall compliance but can't be evaluated or have a temporary waiver. For more information about Policy Exemptions, refer this document.

    To create a new exemption, please go to the assignment or the compliance section and click on "Create Exemption" as highlighted in below image.

    211849-image.png

    You can mention the exemption scope in highlighted area and Click on Create. Regarding the exemption category, you can choose based on your requirement.
    211951-image.png

    211913-image.png

    Please note that there is a limitation that you can select only one scope each exemption.