Quickstart: Create a policy assignment to identify non-compliant resources by using a Bicep file
The first step in understanding compliance in Azure is to identify the status of your resources. This quickstart steps you through using a Bicep file, compiled to an Azure Resource Manager (ARM) deployment template, to create a policy assignment that identifies virtual machines that aren't using managed disks. At the end of this process, the virtual machines that don't use managed disks are reported as non-compliant with the policy assignment. The built-in definition used here has an audit effect: it flags non-compliant resources but does not block their creation.
An Azure Resource Manager template is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project. The template uses declarative syntax: you describe your intended deployment without writing the sequence of programming commands that create it. Bicep is a domain-specific language that compiles to such a template.
If your environment meets the prerequisites and you're familiar with using ARM templates, select the Deploy to Azure button. The template opens in the Azure portal.
Prerequisites
- If you don't have an Azure subscription, create a free account before you begin.
- Bicep version 0.3 or higher installed. If you don't yet have the Bicep CLI or need to update, see Install Bicep.
Review the Bicep file
In this quickstart, you create a policy assignment and assign a built-in policy definition called Audit VMs that do not use managed disks. For a partial list of available built-in policies, see Azure Policy samples.
Create the following Bicep file as assignment.bicep:
```bicep
// Name of the policy assignment to create
param policyAssignmentName string = 'audit-vm-manageddisks'

// Resource ID of the built-in definition "Audit VMs that do not use managed disks"
param policyDefinitionID string = '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d'

// A policy assignment is an extension resource; its scope is the resource group
// this template is deployed to (the deployment below is a resource-group deployment).
resource assignment 'Microsoft.Authorization/policyAssignments@2021-09-01' = {
  name: policyAssignmentName
  scope: resourceGroup()
  properties: {
    policyDefinitionId: policyDefinitionID
  }
}

output assignmentId string = assignment.id
```
The resource defined in the file is Microsoft.Authorization/policyAssignments, an extension resource that attaches the referenced policy definition to the target scope (here, the resource group the template is deployed to). The assignment's properties.policyDefinitionId must be the full resource ID of the definition; the GUID above identifies the built-in definition.
Deploy the template
Note
Azure Policy service is free. For more information, see Overview of Azure Policy.
After the Bicep CLI is installed and the file is created, you can deploy the Bicep file from Azure PowerShell (Az.Resources 5.6.0 or later compiles the .bicep file for you by calling the Bicep CLI on your PATH). The target resource group must already exist:
```powershell
New-AzResourceGroupDeployment `
  -Name PolicyDeployment `
  -ResourceGroupName PolicyGroup `
  -TemplateFile assignment.bicep
```
Some other resources:
- To find more sample templates, see Azure Quickstart Templates.
- To see the template reference, go to Azure template reference.
- To learn how to develop ARM templates, see Azure Resource Manager documentation.
- To learn subscription-level deployment, see Create resource groups and resources at the subscription level.
Validate the deployment
Open Azure Policy in the Azure portal and select Compliance in the left side of the page. Then locate the Audit VMs that do not use managed disks policy assignment you created.
If there are any existing resources that aren't compliant with this new assignment, they appear under Non-compliant resources. Evaluation of a new assignment isn't instant; it can take up to about 30 minutes for the first compliance results to appear.
For more information, see How compliance works.
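The same check can be scripted, which is what you want when an assignment is deployed from a pipeline rather than by hand. The following is an added example and not part of the original quickstart; it assumes the resource group PolicyGroup and the assignment name audit-vm-manageddisks from the deployment above, and that the Az.Resources and Az.PolicyInsights modules are installed and you're signed in with Connect-AzAccount. It confirms the assignment exists, forces an on-demand evaluation instead of waiting for the scheduled scan, and then lists only the resources the assignment reports as non-compliant.

```powershell
# Added example (not from the original page). Assumed names: the resource group and
# assignment name match the deployment earlier in this quickstart.
$rgName = 'PolicyGroup'
$assignmentName = 'audit-vm-manageddisks'

# 1. Confirm the assignment exists at the resource-group scope the template targeted.
$rg = Get-AzResourceGroup -Name $rgName
$assignment = Get-AzPolicyAssignment -Name $assignmentName -Scope $rg.ResourceId
if (-not $assignment) {
    throw "Policy assignment '$assignmentName' not found at scope $($rg.ResourceId)"
}
$assignment | Format-List

# 2. Trigger an on-demand compliance scan for the resource group. Without this, results
#    only refresh on the scheduled evaluation cycle. The cmdlet blocks until the scan completes.
Start-AzPolicyComplianceScan -ResourceGroupName $rgName

# 3. Query the latest compliance records for this assignment and keep only non-compliant ones.
$nonCompliant = Get-AzPolicyState `
    -ResourceGroupName $rgName `
    -PolicyAssignmentName $assignmentName `
    -Filter "ComplianceState eq 'NonCompliant'"

# 4. Report. ResourceId tells you which VM still uses unmanaged (storage-account) disks.
if ($nonCompliant.Count -eq 0) {
    Write-Host "No non-compliant resources for '$assignmentName' in $rgName."
} else {
    $nonCompliant |
        Select-Object ResourceId, ResourceType, ComplianceState, Timestamp |
        Format-Table -AutoSize
    Write-Warning "$($nonCompliant.Count) non-compliant resource(s) found for '$assignmentName'."
}
```

Because the definition's effect is audit, the list above is informational only; a VM created with unmanaged disks after the assignment still gets created. To block such resources you would assign a definition with a deny effect instead, which the next tutorial covers.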
Clean up resources
To remove the assignment created, follow these steps:
Select Compliance (or Assignments) in the left side of the Azure Policy page and locate the Audit VMs that do not use managed disks policy assignment you created.
Right-click the Audit VMs that do not use managed disks policy assignment and select Delete assignment.
Delete the assignment.bicep file.
Next steps
In this quickstart, you assigned a built-in policy definition to a scope and evaluated its compliance report. The policy definition evaluates all the resources in the scope and identifies which ones aren't compliant.
To learn more about assigning policies to validate that new resources are compliant, continue to the tutorial for: