Azure Policy has many effects that determine how the service reacts to
non-compliant resources. Some effects are simple and require no additional properties in the policy
definition while others require several properties.
Sample 1: Simple effect
This policy definition checks to see whether the tag defined in parameter tagName exists on the
evaluated resource. If the tag doesn't yet exist, the modify effect
is triggered to add the tag with the value in parameter tagValue.
JSON
{
"properties": {
"displayName": "Add a tag to resource groups",
"policyType": "BuiltIn",
"mode": "All",
"description": "Adds the specified tag and value when any resource group missing this tag is created or updated. Existing resource groups can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed.",
"metadata": {
"version": "1.0.0",
"category": "Tags"
},
"parameters": {
"tagName": {
"type": "String",
"metadata": {
"displayName": "Tag Name",
"description": "Name of the tag, such as 'environment'"
}
},
"tagValue": {
"type": "String",
"metadata": {
"displayName": "Tag Value",
"description": "Value of the tag, such as 'production'"
}
}
},
"policyRule": {
"if": {
"allOf": [{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"field": "[concat('tags[', parameters('tagName'), ']')]",
"exists": "false"
}
]
},
"then": {
"effect": "modify",
"details": {
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"operations": [{
"operation": "add",
"field": "[concat('tags[', parameters('tagName'), ']')]",
"value": "[parameters('tagValue')]"
}]
}
}
}
}
}
A modify effect requires the policyRule.then.details block that defines
roleDefinitionIds and operations. These parameters inform Azure Policy what roles are needed
to add the tag and remediate the resource and which modify operation to use. In this example,
the addoperation and the parameters are used to set the tag and its value.
Sample 2: Complex effect
This policy definition audits each virtual machine for when an extension, defined in parameters
publisher and type, doesn't exist. It uses
auditIfNotExists to check a resource related to the
virtual machine to see whether an instance exists that matches the defined parameters. This example
checks the extensions type.
JSON
{
"type": "Microsoft.Authorization/policyDefinitions",
"name": "audit-vm-extension",
"properties": {
"displayName": "Audit if extension does not exist",
"description": "This policy audits if a required extension doesn't exist.",
"parameters": {
"publisher": {
"type": "String",
"metadata": {
"description": "The publisher of the extension",
"displayName": "Extension Publisher"
}
},
"type": {
"type": "String",
"metadata": {
"description": "The type of the extension",
"displayName": "Extension Type"
}
}
},
"policyRule": {
"if": {
"allOf": [{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
{
"field": "Microsoft.Compute/imagePublisher",
"in": [
"MicrosoftWindowsServer"
]
},
{
"field": "Microsoft.Compute/imageOffer",
"in": [
"WindowsServer"
]
}
]
},
"then": {
"effect": "auditIfNotExists",
"details": {
"type": "Microsoft.Compute/virtualMachines/extensions",
"existenceCondition": {
"allOf": [{
"field": "Microsoft.Compute/virtualMachines/extensions/publisher",
"equals": "[parameters('publisher')]"
},
{
"field": "Microsoft.Compute/virtualMachines/extensions/type",
"equals": "[parameters('type')]"
}
]
}
}
}
}
}
}
An auditIfNotExists effect requires the policyRule.then.details block to define both a
type and the existenceCondition to look for. The existenceCondition uses policy language
elements, such as logical operators, to
determine whether a matching related resource exists. In this example, the values checked against
each alias are defined in parameters.
Azure Policy initiatives are a collection of Azure policy definitions that are grouped together toward a specific goal or purpose. By consolidating multiple Azure policies into a single item, Azure Policy initiatives allow centralized control and enforcement of configurations across Azure resources.