Quickstart: Create a policy assignment to identify non-compliant resources by using an ARM template
The first step in understanding compliance in Azure is to identify the status of your resources. This quickstart steps you through the process of using an Azure Resource Manager template (ARM template) to create a policy assignment that identifies virtual machines that aren't using managed disks, and flags them as non-compliant to the policy assignment.
A resource manager template is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project. The template uses declarative syntax. In declarative syntax, you describe your intended deployment without writing the sequence of programming commands to create the deployment.
If your environment meets the prerequisites and you're familiar with using ARM templates, select the Deploy to Azure button. The template will open in the Azure portal.
Prerequisites
If you don't have an Azure subscription, create a free account before you begin.
Review the template
In this quickstart, you create a policy assignment and assign a built-in policy definition called Audit VMs that do not use managed disks. For a partial list of available built-in policies, see Azure Policy samples.
The template used in this quickstart is from Azure Quickstart Templates.
  {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
      "policyAssignmentName": {
        "type": "string",
        "defaultValue": "[guid(parameters('policyDefinitionID'), resourceGroup().name)]",
        "metadata": {
          "description": "Specifies the name of the policy assignment. It can be user defined, or an idempotent name as the defaultValue provides."
        }
      },
      "policyDefinitionID": {
        "type": "string",
        "metadata": {
          "description": "Specifies the ID of the policy definition or policy set definition being assigned."
        }
      }
    },
    "resources": [
      {
        "type": "Microsoft.Authorization/policyAssignments",
        "name": "[parameters('policyAssignmentName')]",
        "apiVersion": "2019-09-01",
        "properties": {
          "scope": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', resourceGroup().name)]",
          "policyDefinitionId": "[parameters('policyDefinitionID')]"
        }
      }
    ]
  }
The resource defined in the template is:
- Microsoft.Authorization/policyAssignments
Deploy the template
Note
Azure Policy service is free. For more information, see Overview of Azure Policy.
Select the Deploy to Azure button to sign in to the Azure portal and open the template.
Select or enter the following values:
- Subscription: Select your Azure subscription.
- Resource group: Select Create new, specify a name, and then select OK. In the screenshot, the resource group name is mypolicyquickstart<Date in MMDD>rg.
- Location: Select a region. For example, Central US.
- Policy Assignment Name: Specify a policy assignment name. You can use the policy definition display name if you want. For example, Audit VMs that do not use managed disks.
- Resource Group Name: Specify the resource group to which you want to assign the policy. In this quickstart, use the default value [resourceGroup().name]. resourceGroup() is a template function that retrieves the resource group.
- Policy Definition ID: Specify /providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a.
- I agree to the terms and conditions stated above: Select the checkbox.
Then select Purchase.
Some other resources:
- To find more samples templates, see Azure Quickstart Template.
- To see the template reference, go to Azure template reference.
- To learn how to develop ARM templates, see Azure Resource Manager documentation.
- To learn subscription-level deployment, see Create resource groups and resources at the subscription level.
Validate the deployment
Select Compliance in the left side of the page. Then locate the Audit VMs that do not use managed disks policy assignment you created.
If there are any existing resources that aren't compliant with this new assignment, they appear under Non-compliant resources.
For more information, see How compliance works.
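As an added illustration that is not part of the original quickstart, the following Python models how a compliance scan classifies resources under an audit-effect rule like the one assigned here. The rule text and the alias-to-path mapping are assumptions modelled on the built-in "Audit VMs that do not use managed disks" definition (only the virtual machine branch is covered), and the sample resources are constructed.

```python
# Constructed approximation of the rule in the built-in definition "Audit VMs that do
# not use managed disks" (assumption: only the virtualMachines branch is modelled).
POLICY_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
        {"field": "Microsoft.Compute/virtualMachines/osDisk.uri", "exists": "True"}]},
    "then": {"effect": "audit"},
}
# Assumed alias map: policy alias -> path in the resource body. A VM on an unmanaged
# (blob-backed) OS disk carries storageProfile.osDisk.vhd.uri; managed disks do not.
ALIASES = {"type": ("type",),
           "Microsoft.Compute/virtualMachines/osDisk.uri":
               ("properties", "storageProfile", "osDisk", "vhd", "uri")}
_MISSING = object()

def get_field(resource, alias):
    # Walk the alias path; any absent segment means the field does not exist.
    node = resource
    for key in ALIASES[alias]:
        if not isinstance(node, dict) or key not in node:
            return _MISSING
        node = node[key]
    return node

def evaluate(cond, resource):
    """Policy condition subset: allOf / anyOf, plus equals / exists on a field."""
    if "allOf" in cond:
        return all(evaluate(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource) for c in cond["anyOf"])
    value = get_field(resource, cond["field"])
    if "equals" in cond:  # string comparison is case-insensitive in Azure Policy
        return value is not _MISSING and str(value).lower() == cond["equals"].lower()
    if "exists" in cond:
        return (value is not _MISSING) == (cond["exists"].lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")

def compliance_state(resource, rule=POLICY_RULE):
    """With the audit effect, a resource matching the 'if' block is reported NonCompliant."""
    return "NonCompliant" if evaluate(rule["if"], resource) else "Compliant"

def non_compliant(resources, rule=POLICY_RULE):
    return [r["name"] for r in resources if compliance_state(r, rule) == "NonCompliant"]

# Constructed sample resources: one blob-backed VM, one managed-disk VM, one non-VM.
SAMPLE_RESOURCES = [
    {"name": "vm-legacy", "type": "Microsoft.Compute/virtualMachines", "properties": {
        "storageProfile": {"osDisk": {"vhd": {"uri": "https://example.blob.core.windows.net/vhds/os.vhd"}}}}},
    {"name": "vm-managed", "type": "Microsoft.Compute/virtualMachines", "properties": {
        "storageProfile": {"osDisk": {"managedDisk": {"storageAccountType": "Premium_LRS"}}}}},
    {"name": "stor1", "type": "Microsoft.Storage/storageAccounts", "properties": {}},
]
```

Running non_compliant(SAMPLE_RESOURCES) returns only "vm-legacy", which is what the Non-compliant resources view would list for this assignment; resources that do not match the rule's "if" block are reported as compliant even when they are not virtual machines.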
Clean up resources
To remove the assignment created, follow these steps:
Select Compliance (or Assignments) in the left side of the Azure Policy page and locate the Audit VMs that do not use managed disks policy assignment you created.
Right-click the Audit VMs that do not use managed disks policy assignment and select Delete assignment.
Next steps
In this quickstart, you assigned a built-in policy definition to a scope and evaluated its compliance report. The policy definition validates that all the resources in the scope are compliant and identifies which ones aren't.
To learn more about assigning policies to validate that new resources are compliant, continue to the tutorial for: