When a policy definition is assigned to a scope, Azure Policy determines which resources in that scope should be considered for compliance evaluation. A resource is only assessed for compliance if it's considered applicable to the given policy assignment.
Conditions in the if block of the policy rule are evaluated for applicability in slightly different ways based on the effect.
Примітка
Applicability is different from compliance, and the logic used to determine each is different. If a resource is applicable that means it is relevant to the policy. If a resource is compliant that means it adheres to the policy. Sometimes only certain conditions from the policy rule impact applicability, while all conditions of the policy rule impact compliance state.
Resource Manager modes
ifNotExists policy effects
The applicability of AuditIfNotExists and DeployIfNotExists policies is based off the entire if condition of the policy rule. When the if evaluates to false, the policy isn't applicable.
All other policy effects
Azure Policy evaluates only type, name, and kind conditions in the policy rule if expression and treats other conditions as true (or false when negated). If the final evaluation result is true, the policy is applicable. Otherwise, it's not applicable.
Following are special cases to the previously described applicability logic:
Scenario
Result
Any invalid aliases in the if conditions
The policy isn't applicable
When the if conditions consist of only kind conditions
The policy is applicable to all resources
When the if conditions consist of only name conditions
The policy is applicable to all resources
When the if conditions consist of only type and kind conditions
Only type conditions are considered when deciding applicability
When the if conditions consist of only type and name conditions
Only type conditions are considered when deciding applicability
When the if conditions consist of type, kind, and other conditions
Both type and kind conditions are considered when deciding applicability
When the if conditions consist of type, name, and other conditions
Both type and name conditions are considered when deciding applicability
When any conditions (including deployment parameters) include a location condition
Isn't applicable to subscriptions
Resource provider modes
Microsoft.Kubernetes.Data
The applicability of Microsoft.Kubernetes.Data policies is based off the entire if condition of the policy rule. When the if evaluates to false, the policy isn't applicable.
Microsoft.KeyVault.Data, Microsoft.ManagedHSM.Data, Microsoft.DataFactory.Data, and Microsoft.MachineLearningServices.v2.Data
Policies with these resource provider modes are applicable if the type condition of the policy rule evaluates to true. The type refers to component type.
Policies with mode Microsoft.Network.Data are applicable if the type and name conditions of the policy rule evaluate to true. The type refers to component type:
Microsoft.Network/virtualNetworks
Not Applicable Resources
There could be situations in which resources are applicable to an assignment based on conditions or scope, but they shouldn't be applicable due to business reasons. At that time, it would be best to apply exclusions or exemptions. To learn more on when to use either, review scope comparison
Примітка
By design, Azure Policy does not evaluate resources under the Microsoft.Resources resource provider from policy evaluation, except for subscriptions and resource groups.
Azure Policy initiatives are a collection of Azure policy definitions that are grouped together toward a specific goal or purpose. By consolidating multiple Azure policies into a single item, Azure Policy initiatives allow centralized control and enforcement of configurations across Azure resources.