Governing Azure and Staying Compliant using Azure Policies

Azure governance includes not only identifying business and compliance standards, planning the initiatives and defining the organization's goals in a clear and standard way, but also implementing them. Often, getting them implemented properly and in a timely manner has proven the hardest step to complete. There is no easy way to know whether the organizational goals and initiatives are being implemented, what is not compliant, and what actions can be taken to mitigate the drift that has crept in. For some sectors, such as the finance industry, IT failing to align with and follow the compliance and regulatory standards can be disastrous. This is where Azure Policy fits into the picture.

Azure Policy is a service in Microsoft Azure that is used to define, apply and manage IT governance policies for Azure resources. You can use Azure Policy not only to define rules and effects but also to enforce them, so that your Azure resources stay compliant with your corporate standards, service level agreements and audits.

Azure Policy also provides detailed compliance reports for Azure resources, and these are available regardless of pricing tier, so you no longer need to worry about collecting compliance status data yourself.

Difference Between Azure Policy and RBAC

RBAC, or role-based access control, is an authorization system built on top of Azure Resource Manager. RBAC focuses on controlling which actions users can perform at a particular scope. Azure Policy, by contrast, focuses on controlling the properties of resources, both during deployment and for resources that already exist.

RBAC is also a default-deny, explicit-allow system: other than the creator of an Azure resource, who gets Owner rights, no one has access to that resource by default, and access must be explicitly granted by the resource owner. Azure Policy, however, is a default-allow system, which means that one is allowed to set the properties of Azure resources as he or she sees fit. Azure Policies are set to limit which resource properties can be configured, restrict them to certain values, and/or deny configuring certain resource properties.

Configuring RBAC Permissions for Azure Policies

Many built-in roles grant permissions on Azure Policy resources. The Resource Policy Contributor role includes most Azure Policy operations. Owner has full rights. Both Contributor and Reader can use all read Azure Policy operations, but Contributor can also trigger remediation.

Scope of Azure Policy

Azure Policies can be applied at the management group, subscription and resource group level. Applying a policy at the management group level lets you create and configure policies across one or more subscriptions. The policies are then inherited by all child resources, so a policy applied at the resource group level also applies to the resources created in that resource group. However, you can exclude a sub-scope from the policy assignment.

For example, you can create an Azure policy that denies creation of virtual networks at the subscription level, and then create an Azure policy that allows creation of virtual networks and apply it to a specific resource group in that subscription. This way, the owners and contributors in that specific resource group are able to create virtual networks, and nowhere else in the subscription.

Built-in Azure Policy

The process of creating and implementing compliance is to create an Azure Policy and then assign a scope to it. An Azure Policy begins with creating a policy definition. Every policy definition has conditions under which it is enforced, and a defined effect that takes place when those conditions are met. Microsoft provides several built-in policies, which makes it easy to get started with Azure Policy.

In Azure Policy, Microsoft offers several built-in policies that are available by default:

[Screenshot: using built-in Azure policies]

As you can see, there are close to 300 built-in policies available to start with, as of the writing of this blog post.

Assigning Azure Policies

To assign an Azure Policy, first go to All Services, search for 'Policy' and select it:

[Screenshot: search for Azure Policy and select it]

After this, select ‘Assignments’ on the left side of the Azure Policy page:

[Screenshot: select Assignments from the left panel]

An assignment is a policy that has been assigned to take effect within a specific scope. Next, select Assign Policy:

[Screenshot: select Assign Policy from the Assignments page]

On the Assign Policy page, select the policy scope by clicking the ellipsis and choosing a management group, subscription or resource group. Optionally, select a resource group. We'll leave this at the subscription level in our case.

Once the scope is defined, click the ellipsis next to the Policy definition field and select the Azure Policy you want to apply. Here you can filter the policy definition Type to Built-in to view all of them and read their descriptions.

For our case, we select the built-in Azure Policy titled 'Secure transfer to storage accounts should be enabled':

[Screenshot: select the built-in Azure Policy]

The Assignment name is automatically populated with the name of the policy you selected, but you can change it. You can also add an optional Description, which we leave empty in our case; the description is used to provide details about this policy assignment. Assigned by is automatically filled in based on who is logged in; this field is optional, so custom values can be entered.

After this, click Assign.

Check Compliance Status for Azure Policies

To check the compliance status of Azure policies, select 'Compliance' on the left side of the Azure Policy page:

[Screenshot: select Compliance from the Azure Policy blade]

If you created the Azure Policy or initiative a few moments ago, its compliance status will be 'Not Started'. You'll need to wait some time for it to update. Once it is updated, the compliance page shows a compliance state of Compliant or Non-Compliant, depending on how the Azure resources in the assigned scope are provisioned:

[Screenshot: viewing the results of Azure policies]
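To make concrete what the conditions and effect of a policy definition look like, and how the Compliant / Non-Compliant state above is derived for each resource in scope, here is an added example that is not part of this post and not Microsoft's evaluation engine: a constructed definition modelled on the 'Secure transfer to storage accounts should be enabled' built-in, a minimal evaluator for the allOf / anyOf / exists / equals conditions of the policy rule language, and constructed storage account records, one of them in a resource group excluded from the assignment scope. The resource names, property values and the excluded resource group are assumed sample data.

```python
# Constructed policy definition modelled on the built-in 'Secure transfer to
# storage accounts should be enabled' (an approximation, not Microsoft's exact JSON).
HTTPS_ONLY = "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly"
POLICY_DEFINITION = {
    "displayName": "Secure transfer to storage accounts should be enabled",
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"anyOf": [{"field": HTTPS_ONLY, "exists": "false"},
                       {"field": HTTPS_ONLY, "equals": "false"}]}]},
        "then": {"effect": "audit"}}}

def lookup(resource, field):
    """Resolve a field: 'type' is top-level; an alias maps to a property name."""
    if field == "type":
        return resource.get("type")
    return resource.get("properties", {}).get(field.rsplit("/", 1)[-1])

def matches(cond, resource):
    """Evaluate one condition of the 'if' block against a resource document."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    value = lookup(resource, cond["field"])
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    return str(value).lower() == str(cond["equals"]).lower()   # case-insensitive equals

def evaluate(definition, resources, excluded_groups=()):
    """Map each resource name to its compliance state within the assignment scope."""
    rule = definition["policyRule"]["if"]
    def state(r):
        if r["resourceGroup"] in excluded_groups:
            return "Excluded"          # an excluded sub-scope is never evaluated
        return "Non-Compliant" if matches(rule, r) else "Compliant"
    return {r["name"]: state(r) for r in resources}

def storage_account(name, rg, **props):   # constructed sample resource, not a real one
    return {"name": name, "resourceGroup": rg,
            "type": "Microsoft.Storage/storageAccounts", "properties": props}

SAMPLE_RESOURCES = [
    storage_account("stprod01", "rg-prod", supportsHttpsTrafficOnly=True),
    storage_account("stlegacy", "rg-prod", supportsHttpsTrafficOnly=False),
    storage_account("stold", "rg-prod"),                 # property absent: exists=false fires
    storage_account("stsandbox", "rg-sandbox", supportsHttpsTrafficOnly=False),
]
```

Calling `evaluate(POLICY_DEFINITION, SAMPLE_RESOURCES, ["rg-sandbox"])` reports stprod01 as Compliant, stlegacy and stold as Non-Compliant, and stsandbox as Excluded; without the exclusion list stsandbox is Non-Compliant too.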

Summary and Notes

Effective Azure governance requires not only designing and planning the organization's goals and initiatives but also implementing them. At the same time, one needs a mechanism to pull out the compliance report from time to time, in order to assess the compliance status and take remediation actions. Azure Policies are a very effective way not only of defining the organizational strategy and initiatives but also of getting them implemented effortlessly.
