Azure Policy glossary
The term policy is used widely in virtually every industry and is associated with many use cases. Azure Policy has specific vocabulary and applications that are not to be confused with policy embedded in other contexts.
This glossary provides definitions and descriptions of terms used by Azure Policy.
Alias
A field used in policy definitions that maps to a resource property, so a policy rule can reference that property without depending on the provider's request or response shape (for example, Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly).
Applicability
Describes the relevance of resources that are considered for assessment against a policy. A resource is considered applicable to a policy when it resides within the scope of the policy assignment, is not excluded or exempt from the policy assignment, and meets the conditions specified in the if block of the policy rule.
Assignment
A JSON-defined object that determines the resources to which a policy definition is applied. The assignment also supplies parameter values, the enforcement mode, and any excluded scopes. Learn more about the policy assignment JSON structure here: Azure Policy assignment structure.
Azure Policy
A service that enables users to govern Azure resources by enforcing organizational standards and assessing compliance at scale.
Built-in
Describes a type of policy definition that is available by default and is provided by Azure resource providers. It is the alternative to a custom policy definition. View the list of available built-in policy definitions.
Category
Metadata property in the policy definition that classifies the definition by its area of focus. The category often indicates the resource provider of the target resource (for example, Compute, Storage, or Monitoring).
Compliance state
Describes a resource's adherence to applicable policies. Can be compliant, non-compliant, exempt, conflict, not started, or protected. Learn more about how compliance works.
Compliant
A compliance state that indicates that a resource conforms to the policy rule in the policy definition.
Control
Another term used for group, specifically in the context of Regulatory Compliance.
Custom
Describes a type of policy definition that is authored by a policy user. It is the alternative to a built-in policy definition.
Definition
A JSON-defined object that describes a policy, including resource compliance requirements and the effect to take if they are violated. Learn more about the policy definition JSON structure here: Azure Policy definition structure.
Definition location
The scope at which an initiative definition or policy definition is stored and from which it can be assigned. It can be either a management group or a subscription, and assignments can be made at or below that scope in the hierarchy.
Effect
The action taken on a resource when the conditions of an applicable policy's rule are met. Learn more about effects.
Enforcement
Describes the preventative behavior that certain types of policy effects can have; for example, the deny effect rejects a request to create or update a resource that would violate the rule.
Enforcement mode
A property of a policy assignment that allows users to enable or disable enforcement of certain policy effects like deny, while still evaluating for compliance and providing logs. Its values are Default (effects are enforced) and DoNotEnforce (effects are not enforced, but compliance is still evaluated and reported).
Evaluation
Describes the process of scanning resources in the cloud environment to determine applicability and compliance of assigned policies.
Event
An incident or outcome when something changes in Azure Policy, available for integration with Event Grid. Example events include instances in which a policy state is created, changed, or deleted. See the available event types for Azure Policy.
Excluded scopes
Also referred to as notScopes; a property in the policy assignment that removes child resource containers or child resources from the assignment so they are not considered for compliance evaluation. Excluded scopes do not appear on the Azure portal Compliance blade. Learn more about excluded scopes.
Exempt
A compliance state that indicates that a resource is covered by an exemption.
Exemption
A JSON-defined object that removes a resource hierarchy or an individual resource from evaluation. Resources that are exempt count toward overall compliance but are not evaluated. Learn more about the exemption JSON structure here: Azure Policy exemption structure.
Group
A sub-collection of policy definition IDs within an initiative definition.
Identity
A system-assigned or user-assigned managed identity used for remediation in Azure Policy; the deployIfNotExists and modify effects act through it. Learn more about managed identities.
Initiative
Also known as a policy set. A type of policy definition consisting of a collection of policy definition IDs. Used to centralize multiple policy definitions with a common goal so that they share parameters and identities and are managed in a single assignment.
Mode
Property on the policy definition that determines which resource types are evaluated for a policy definition. It is configured depending on whether the policy targets an Azure Resource Manager (ARM) property defined in an ARM template (Resource Manager modes all and indexed, where indexed evaluates only resource types that support tags and location) or a Resource Provider (RP) property (provider modes such as Microsoft.Kubernetes.Data).
Non-compliant
A compliance state that indicates that a resource does not conform to the policy rule in the policy definition.
Policy rule
The component of a policy definition that describes resource compliance requirements through logic-based conditional statements, as well as the effect to apply when those conditions are met. It is composed of an if block, which holds the conditions, and a then block, which holds the effect.
Policy state
Describes the aggregated compliance state of a policy assignment across the resources it evaluates.
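How the terms above fit together is easiest to see by running them. The following is an added example, not Microsoft's code and not part of the original glossary: a small Python evaluator that applies a constructed policy definition (an if/then rule using an alias and a parameter) under a constructed assignment (scope, notScopes, enforcementMode, parameter override) and a constructed exemption to a handful of constructed resources, then reports each resource's compliance state, whether a create or update of it would be blocked, and an aggregated summary of the kind a policy state carries. The subscription and resource IDs, the storage-account policy and the alias values are all made up for illustration; the evaluator implements only allOf, equals and notEquals, and it simplifies applicability by letting the leading type condition gate applicability while the remaining conditions decide compliance.

```python
"""Toy evaluator for one Azure Policy assignment. Added example, not Microsoft's code: it
shows how scope, notScopes, an exemption, a rule's if/then blocks and enforcementMode
combine. Every ID, alias value and the policy itself are constructed for illustration."""
import re
from collections import Counter

SUB = "/subscriptions/sub-1"  # constructed subscription ID
SA = "Microsoft.Storage/storageAccounts"
HTTPS = SA + "/supportsHttpsTrafficOnly"  # alias naming the resource property
_PARAM = re.compile(r"^\[parameters\('([^']+)'\)\]$")  # "[parameters('x')]" reference

POLICY_DEFINITION = {"properties": {  # constructed; real JSON shape, not a real built-in
    "displayName": "Storage accounts should only allow HTTPS traffic",
    "mode": "Indexed",
    "parameters": {"effect": {"type": "String", "allowedValues": ["Audit", "Deny"],
                              "defaultValue": "Audit"}},
    "policyRule": {"if": {"allOf": [{"field": "type", "equals": SA},
                                    {"field": HTTPS, "notEquals": "true"}]},
                   "then": {"effect": "[parameters('effect')]"}}}}

# Constructed assignment: whole subscription, one excluded resource group, Deny effect.
ASSIGNMENT = {"scope": SUB, "notScopes": [f"{SUB}/resourceGroups/sandbox"],
              "enforcementMode": "Default", "parameters": {"effect": {"value": "Deny"}}}

EXEMPTIONS = [{"scope": f"{SUB}/resourceGroups/legacy/providers/{SA}/legacysa",
               "exemptionCategory": "Waiver"}]  # constructed, covers one resource

def _sa(rg, name, https):  # constructed storage-account resource
    return {"id": f"{SUB}/resourceGroups/{rg}/providers/{SA}/{name}", "type": SA,
            "fields": {HTTPS: https}}

RESOURCES = [
    _sa("prod", "prodsa", True),
    _sa("prod", "badsa", False),
    _sa("sandbox", "sandboxsa", False),  # inside an excluded scope
    _sa("legacy", "legacysa", False),    # covered by the exemption
    {"id": f"{SUB}/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/vm1",
     "type": "Microsoft.Compute/virtualMachines", "fields": {}},  # wrong resource type
]

def _resolve(value, params):
    """Expand a "[parameters('name')]" reference; pass other values through."""
    m = _PARAM.match(value) if isinstance(value, str) else None
    return params[m.group(1)] if m else value

def _norm(v):  # Azure compares strings case-insensitively; booleans compare as true/false
    return None if v is None else str(v).lower()

def _match(cond, resource, params):
    """Evaluate one if-block condition; only allOf, equals and notEquals are supported."""
    if "allOf" in cond:
        return all(_match(c, resource, params) for c in cond["allOf"])
    name = cond["field"]  # id/name/type/location are direct; anything else is an alias
    actual = _norm(resource.get(name) if name in ("id", "name", "type", "location")
                   else resource["fields"].get(name))
    if "equals" in cond:
        return actual == _norm(_resolve(cond["equals"], params))
    if "notEquals" in cond:
        return actual != _norm(_resolve(cond["notEquals"], params))
    raise ValueError(f"unsupported condition: {cond}")

def _within(resource_id, scope):
    rid, s = resource_id.lower(), scope.lower()
    return rid == s or rid.startswith(s + "/")

def _params(definition, assignment):  # definition defaults, overridden by the assignment
    p = {k: v.get("defaultValue") for k, v in definition["properties"]["parameters"].items()}
    return {**p, **{k: v["value"] for k, v in assignment.get("parameters", {}).items()}}

def compliance_state(resource, definition=POLICY_DEFINITION, assignment=ASSIGNMENT,
                     exemptions=EXEMPTIONS):
    """Return compliant / non-compliant / exempt / not applicable for one resource."""
    rid = resource["id"]
    if not _within(rid, assignment["scope"]) or any(_within(rid, s) for s in assignment["notScopes"]):
        return "not applicable"  # outside the assignment or inside an excluded scope
    if any(_within(rid, e["scope"]) for e in exemptions):
        return "exempt"          # exempt resources are skipped, not evaluated
    params = _params(definition, assignment)
    conds = definition["properties"]["policyRule"]["if"]["allOf"]
    # Simplification: the leading type condition gates applicability, the rest decide compliance.
    if not _match(conds[0], resource, params):
        return "not applicable"
    return "non-compliant" if _match({"allOf": conds[1:]}, resource, params) else "compliant"

def request_blocked(resource, definition=POLICY_DEFINITION, assignment=ASSIGNMENT,
                    exemptions=EXEMPTIONS):
    """True when a create/update would be denied: rule matched, resolved effect is Deny
    and enforcementMode is Default. DoNotEnforce still reports non-compliance."""
    if compliance_state(resource, definition, assignment, exemptions) != "non-compliant":
        return False
    effect = _resolve(definition["properties"]["policyRule"]["then"]["effect"],
                      _params(definition, assignment))
    return effect == "Deny" and assignment.get("enforcementMode", "Default") == "Default"

def summarize(resources, **kw):
    """Aggregate per-resource states, the way a policy state summary does."""
    return dict(Counter(compliance_state(r, **kw) for r in resources))

if __name__ == "__main__":
    for r in RESOURCES:
        print(f"{compliance_state(r):15} blocked={request_blocked(r)!s:5} {r['id']}")
    print(summarize(RESOURCES))
```

Run it directly to print one line per resource followed by the aggregated counts. The reason request_blocked is separate from compliance_state is enforcement mode: change ASSIGNMENT's enforcementMode to DoNotEnforce and badsa is still reported non-compliant, but a create or update of it is no longer denied, which is exactly the distinction the Enforcement mode entry above describes. The sandbox account never appears in the summary at all, matching the note that excluded scopes are not shown in the compliance view, while the exempt account is counted but not evaluated.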
Regulatory Compliance
Describes a specific type of initiative that allows grouping of policies into controls and categorization of policies into compliance domains based on responsibility (Customer, Microsoft, Shared). There are many sample Regulatory Compliance built-ins, and customers have the ability to create their own. Learn more about Regulatory Compliance.
Regulatory Compliance is a Preview feature.
Remediation
A JSON-defined object that, when triggered, corrects resources that violate policies with the deployIfNotExists or modify effects. Remediation is automatic only for resources at creation or update time. Existing resources must be remediated by triggering a remediation task. Learn how to remediate non-compliant resources.
Scope
The extent or area to which a policy is relevant, as described by Azure Resource Manager (ARM). It determines the set of resources that an assignment applies to, and may be a management group, subscription, resource group, or resource. Learn more about scope in Azure Policy.
Template info
The component of a policy definition used to define the constraint template. Specific to Azure Policy for Kubernetes clusters.
Next steps
To get started with Azure Policy, see What is Azure Policy?