Azure Policy pattern: field properties
The field operator evaluates the specified property or alias to a provided value for a given condition.
Sample policy definition
This policy definition lets you define the allowed regions that meet your organization's geo-location requirements. The allowed locations are supplied in the parameter listOfAllowedLocations (an array). Resources that match the definition's condition are denied.
{
  "properties": {
    "displayName": "Allowed locations",
    "policyType": "BuiltIn",
    "description": "This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that use the 'global' region.",
    "mode": "Indexed",
    "parameters": {
      "listOfAllowedLocations": {
        "type": "Array",
        "metadata": {
          "description": "The list of locations that can be specified when deploying resources.",
          "strongType": "location",
          "displayName": "Allowed locations"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "location",
            "notIn": "[parameters('listOfAllowedLocations')]"
          },
          {
            "field": "location",
            "notEquals": "global"
          },
          {
            "field": "type",
            "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"
          }
        ]
      },
      "then": {
        "effect": "Deny"
      }
    }
  }
}
Explanation
"if": {
  "allOf": [
    {
      "field": "location",
      "notIn": "[parameters('listOfAllowedLocations')]"
    },
    {
      "field": "location",
      "notEquals": "global"
    },
    {
      "field": "type",
      "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"
    }
  ]
},
"then": {
  "effect": "Deny"
}
The field operator is used three times within the logical operator allOf.
- The first use evaluates the location property with the notIn condition against the listOfAllowedLocations parameter. notIn is the right condition here because it expects an array and the parameter is an array. If the location of the created or updated resource isn't in the approved list, this element evaluates to true.
- The second use also evaluates the location property, but uses the notEquals condition to check whether the resource's location is global. If the location of the created or updated resource isn't global, this element evaluates to true.
- The last use evaluates the type property and uses the notEquals condition to validate that the resource type isn't Microsoft.AzureActiveDirectory/b2cDirectories. If it isn't, this element evaluates to true.
If all three condition statements in the allOf logical operator evaluate true, the resource creation or update is blocked by Azure Policy.
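To make the allOf / field semantics concrete, the following is an added example (not part of the Azure Policy documentation or the Azure Policy engine) that re-implements just enough of the rule evaluation to run this page's policyRule against a few constructed resources. It assumes a minimal evaluator that resolves `[parameters('...')]` references and supports the `allOf`, `anyOf`, `not`, `equals`, `notEquals`, `in` and `notIn` constructs; string comparisons are lowercased on the assumption that Azure Policy's string conditions are case-insensitive. It does not model the `Indexed` mode (which restricts evaluation to resource types that support tags and location) or aliases beyond top-level properties.

```python
import re

# The page's policyRule, as a Python dict (only the "if"/"then" part is needed here).
POLICY_RULE = {
    "if": {
        "allOf": [
            {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
            {"field": "location", "notEquals": "global"},
            {"field": "type", "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"},
        ]
    },
    "then": {"effect": "Deny"},
}

# Constructed assignment parameters: the organization's approved regions.
PARAMETERS = {"listOfAllowedLocations": ["eastus", "westus2"]}

# Constructed sample resources, keyed by a label for the result table.
SAMPLE_RESOURCES = {
    "storage-in-allowed-region": {"type": "Microsoft.Storage/storageAccounts", "location": "eastus"},
    "vm-in-blocked-region": {"type": "Microsoft.Compute/virtualMachines", "location": "northeurope"},
    "vm-mixed-case-allowed": {"type": "Microsoft.Compute/virtualMachines", "location": "WestUS2"},
    "dns-zone-global": {"type": "Microsoft.Network/dnszones", "location": "global"},
    "b2c-directory-excluded": {"type": "Microsoft.AzureActiveDirectory/b2cDirectories", "location": "unitedstates"},
}

_PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def _resolve(value, parameters):
    """Resolve a [parameters('name')] template expression; any other value is a literal."""
    if isinstance(value, str):
        match = _PARAM_REF.match(value)
        if match:
            return parameters[match.group(1)]
    return value


def _norm(value):
    """Lowercase strings (and strings inside lists) so comparisons are case-insensitive (assumption)."""
    if isinstance(value, str):
        return value.lower()
    if isinstance(value, list):
        return [_norm(v) for v in value]
    return value


def eval_condition(cond, resource, parameters):
    """Evaluate one {"field": ..., <condition>: ...} element against a resource."""
    actual = _norm(resource.get(cond["field"]))  # missing property evaluates as None
    if "notIn" in cond:
        return actual not in _norm(_resolve(cond["notIn"], parameters))
    if "in" in cond:
        return actual in _norm(_resolve(cond["in"], parameters))
    if "notEquals" in cond:
        return actual != _norm(_resolve(cond["notEquals"], parameters))
    if "equals" in cond:
        return actual == _norm(_resolve(cond["equals"], parameters))
    raise ValueError(f"unsupported condition in {cond}")


def eval_logic(node, resource, parameters):
    """Recursively evaluate allOf / anyOf / not wrappers down to field conditions."""
    if "allOf" in node:
        return all(eval_logic(n, resource, parameters) for n in node["allOf"])
    if "anyOf" in node:
        return any(eval_logic(n, resource, parameters) for n in node["anyOf"])
    if "not" in node:
        return not eval_logic(node["not"], resource, parameters)
    return eval_condition(node, resource, parameters)


def evaluate(rule, resource, parameters):
    """Return the rule's effect (here 'Deny') when the 'if' block matches, otherwise None."""
    if eval_logic(rule["if"], resource, parameters):
        return rule["then"]["effect"]
    return None


def evaluate_samples(rule=POLICY_RULE, resources=SAMPLE_RESOURCES, parameters=PARAMETERS):
    """Evaluate every sample resource and map its label to the resulting effect (or None)."""
    return {label: evaluate(rule, res, parameters) for label, res in resources.items()}


if __name__ == "__main__":
    for label, effect in evaluate_samples().items():
        print(f"{label:28s} -> {effect or 'allowed'}")
```

Only the resource in a region outside the parameter list is denied; the "global" resource and the b2cDirectories resource pass because their second or third allOf element evaluates to false, which is exactly the exclusion the description on the page calls out. Changing the parameter list in PARAMETERS and re-running shows how an assignment, not the definition, decides which regions are acceptable.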
Next steps
- Review other patterns and built-in definitions.
- Review the Azure Policy definition structure.
- Review Understanding policy effects.