
Policy assignments and compliance in Azure - Commands & Configuration

Introduction
Azure Policy helps you make sure your cloud resources follow rules you set. Policy assignments apply these rules to groups of resources. Compliance shows if your resources follow the rules or not.
When you want to make sure all virtual machines use approved sizes to save costs.
When you need to block creation of storage accounts without encryption for security.
When you want to check if all resources have tags for billing and management.
When you want to enforce that only certain regions are used for resource deployment.
When you want to get reports on how well your resources follow company policies.
Commands
This command assigns a policy named 'enforce-vm-size' that restricts virtual machine sizes to allowed options within the 'myResourceGroup' resource group.
Terminal
az policy assignment create --name enforce-vm-size --policy "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/allowed-vm-sizes" --scope "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup"
Expected Output
{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Authorization/policyAssignments/enforce-vm-size",
  "name": "enforce-vm-size",
  "properties": {
    "displayName": "enforce-vm-size",
    "policyDefinitionId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/allowed-vm-sizes",
    "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup"
  },
  "type": "Microsoft.Authorization/policyAssignments"
}
--name - Sets the name of the policy assignment.
--policy - Specifies the policy definition to assign.
--scope - Defines where the policy applies, here a resource group.
This command shows a summary of compliance states for all policy assignments under the 'myManagementGroup' management group.
Terminal
az policy state summarize --management-group myManagementGroup
Expected Output
{
  "results": [
    {
      "policyAssignmentName": "enforce-vm-size",
      "compliantResources": 5,
      "nonCompliantResources": 2
    }
  ]
}
--management-group - Specifies the management group to check compliance for.
This command lists the top 3 resources that are not compliant with assigned policies, helping you find issues quickly.
Terminal
az policy state list --filter "IsCompliant eq false" --top 3
Expected Output
[
  {
    "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/vm1",
    "policyAssignmentName": "enforce-vm-size",
    "complianceState": "NonCompliant"
  },
  {
    "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/vm2",
    "policyAssignmentName": "enforce-vm-size",
    "complianceState": "NonCompliant"
  }
]
--filter - Filters results to show only non-compliant resources.
--top - Limits the number of results returned.
Key Concept

If you remember nothing else from this pattern, remember: policy assignments apply rules to resources, and compliance shows if those rules are followed.

Common Mistakes
Using the wrong scope when assigning a policy, like assigning to a subscription but expecting it to apply only to a resource group.
The policy applies to the entire subscription, affecting more resources than intended.
Specify the exact scope, such as a resource group, using the --scope flag.
Not checking compliance after assigning a policy.
You won't know if resources are following the policy or if action is needed.
Run compliance commands like 'az policy state summarize' to monitor policy effects.
Filtering compliance results incorrectly, causing no resources to show up.
Using wrong filter syntax or values returns empty results.
Use correct OData filter syntax, e.g., "IsCompliant eq false".
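The three commands above form one procedure (assign at a scope, then check compliance, then list what is non-compliant), and the first and third common mistakes are about getting the scope and the filter right. The script below is an added example, not part of the original page or of the Azure CLI itself: it wraps that procedure in a small gate that a pipeline can fail on. It assumes the az CLI is installed and logged in when assign_and_check is actually run; the subscription id, resource group name and policy definition name are placeholders to replace. policy_scope builds the resource-group scope explicitly (the fix for the scope mistake), count_noncompliant counts NonCompliant records in the JSON that az policy state list prints, and SAMPLE_STATES is a constructed copy of the page's own sample output so the counting part runs offline.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): a CI-style gate around
# `az policy assignment create` and `az policy state list`.
# Assumptions: az is installed and logged in when assign_and_check runs;
# every id and name below is a placeholder.
set -eu

# Build the scope string for an assignment. With only a subscription id
# the scope is the whole subscription; passing a resource-group name
# narrows it to that group, which is the fix for the "wrong scope"
# mistake on the page. A malformed subscription id is rejected early.
policy_scope() {
  sub="$1"
  rg="${2:-}"
  printf '%s' "$sub" \
    | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' || {
      echo "policy_scope: '$sub' is not a subscription id" >&2
      return 1
    }
  if [ -n "$rg" ]; then
    printf '/subscriptions/%s/resourceGroups/%s\n' "$sub" "$rg"
  else
    printf '/subscriptions/%s\n' "$sub"
  fi
}

# Count NonCompliant records in `az policy state list --output json` text
# read from stdin. Each state record has exactly one complianceState
# field, so a plain grep is enough and no jq is needed.
count_noncompliant() {
  grep -o '"complianceState": *"NonCompliant"' | wc -l | tr -d ' '
}

# Assign a policy at resource-group scope, trigger an evaluation, then
# return non-zero if anything in that group is non-compliant.
# Usage: assign_and_check <subscription-id> <resource-group> <assignment> <definition>
assign_and_check() {
  sub="$1"; rg="$2"; assignment="$3"; definition="$4"
  scope="$(policy_scope "$sub" "$rg")"
  az policy assignment create --name "$assignment" \
    --policy "/subscriptions/$sub/providers/Microsoft.Authorization/policyDefinitions/$definition" \
    --scope "$scope" --output none
  # Compliance is evaluated on a schedule; ask for an on-demand scan so
  # the listing below reflects the new assignment.
  az policy state trigger-scan --resource-group "$rg"
  states="$(az policy state list --resource-group "$rg" \
              --filter "IsCompliant eq false" --output json)"
  n="$(printf '%s' "$states" | count_noncompliant)"
  echo "non-compliant resources in $scope: $n"
  [ "$n" -eq 0 ]
}

# Constructed sample: the page's own `az policy state list` output,
# used here so the counting logic can be exercised without Azure access.
SAMPLE_STATES='[
  { "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/vm1",
    "policyAssignmentName": "enforce-vm-size", "complianceState": "NonCompliant" },
  { "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/vm2",
    "policyAssignmentName": "enforce-vm-size", "complianceState": "NonCompliant" }
]'

# Offline demonstration of the pure parts; real runs call assign_and_check.
echo "scope: $(policy_scope 00000000-0000-0000-0000-000000000000 myResourceGroup)"
echo "non-compliant in sample: $(printf '%s' "$SAMPLE_STATES" | count_noncompliant)"
```

Running the file as-is only exercises policy_scope and count_noncompliant against the constructed sample; calling assign_and_check with real values performs the assignment and fails the step (exit status 1) while any resource in the group is still non-compliant, which is the check the page's second common mistake says people skip.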
Summary
Assign policies to specific scopes to enforce rules on Azure resources.
Use compliance commands to check which resources follow or break the policies.
Filter compliance results to quickly find and fix non-compliant resources.