What is: Azure Policy

Compliance is in demand these days, big time! Whether you are a government organization or a big company in the oil industry, you have a lot of guidelines and rules for how you suppose to run your IT. This is a reality for so many people working in IT but if you don’t have the tools to help you, it can be tricky to stay compliant.

With Azure Policy service you can make sure that your resources in Azure is up to code, so to say. If only certain virtual machine sizes are to be used, you can create a policy that will only allow administrators to create those sizes. If there is a default Network Security Group that should be used on all machines, you can define that in a policy. You’re only allowed to use Ubuntu 17.04 or Server 2016? Again, you can create a policy that restricts the types of images your allowed to use.

Get started with Azure Policy

First, like with any Microsoft product, look at the documentation. It’s filled with tips on how to get going using all the tools available to you.

Azure Policies are in JSON-format, as most things are these days. The short summary is that the JSON file contains the policy rule, as well as description and names. If you want a detailed explanation, I’d start off by reading the official documentation.

Let’s look at the example from the documentation:

    "properties": {
        "mode": "all",
        "parameters": {
            "allowedLocations": {
                "type": "array",
                "metadata": {
                    "description": "The list of locations that can be specified when deploying resources",
                    "strongType": "location",
                    "displayName": "Allowed locations"
                "defaultValue": [ "westus2" ]
        "displayName": "Allowed locations",
        "description": "This policy enables you to restrict the locations your organization can specify when deploying resources.",
        "policyRule": {
            "if": {
                "not": {
                    "field": "location",
                    "in": "[parameters('allowedLocations')]"
            "then": {
                "effect": "deny"

This is an example of a policy that restricts the locations that you can deploy resources to.

As you can see, we create a parameter that is called “allowedLocations”. This is an array that contains the value westus2. I can already see a use for this, now that Norway is getting their own Azure regions and we have rules for storing certain information within the borders of the country.

However, you can see that we have further down a field called “policyRule”. It’s within here we define what happens if things aren’t compliant. In this case if the location of the resource is not what we have defined in our “allowedLocations” parameter, they are denied creating the resource.

Again, I highly recommend that you read the definition structure from the documentation. This is a brief introduction to Azure Policy, but I will absolutely be creating several articles about it.

Roberth Strand's Picture

About Roberth Strand

Cloud consultant working primarily with Microsoft Azure, automation and infrastructure.

Tromsø, Norway https://robstr.dev