Azure Policy definition structure
Azure Policy establishes conventions for resources. Policy definitions describe resource compliance conditions and the effect to take if a condition is met. A condition compares a resource property field or a value to a required value. Resource property fields are accessed by using aliases. When a resource property field is an array, a special array alias can be used to select values from all array members and apply a condition to each one. Learn more about conditions.

By defining conventions, you can control costs and more easily manage your resources. For example, you can specify that only certain types of virtual machines are allowed. Or, you can require that resources have a particular tag. Policy assignments are inherited by child resources. If a policy assignment is applied to a resource group, it's applicable to all the resources in that resource group.

The policy definition policyRule schema is found here: https://schema.management.azure.com/schemas/2020-10-01/policyDefinition.json

You use JSON to create a policy definition. The policy definition contains elements for:
For example, the following JSON shows a policy that limits where resources are deployed:
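The definition below is an added example written for this article, not a built-in definition or code from the page. It shows the allowed-locations pattern end to end: the allowedLocations array parameter with strongType location (covered under Parameters below) and a not condition nested inside allOf (covered under Logical operators). The displayName, description and metadata values are constructed placeholders.

```json
{
  "properties": {
    "displayName": "Allowed locations (added example)",
    "description": "Denies resources deployed outside the locations chosen at assignment time.",
    "mode": "Indexed",
    "metadata": {
      "version": "1.0.0",
      "category": "General"
    },
    "parameters": {
      "allowedLocations": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed locations",
          "description": "The list of locations that resources can be deployed to.",
          "strongType": "location"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "not": {
              "field": "location",
              "in": "[parameters('allowedLocations')]"
            }
          },
          {
            "field": "location",
            "notEquals": "global"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

The second allOf member keeps the rule from denying resources whose location is the pseudo-region global, which would otherwise never appear in a chosen region list.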
Azure Policy built-ins and patterns are at Azure Policy samples.

Display name and description

You use displayName and description to identify the policy definition and provide context for when it's used. displayName has a maximum length of 128 characters and description a maximum length of 512 characters.

Note: During the creation or updating of a policy definition, id, type, and name are defined by properties external to the JSON and aren't necessary in the JSON file. Fetching the policy definition via SDK returns the id, type, and name properties as part of the JSON, but each is read-only information related to the policy definition.

Type

While the type property can't be set, there are three values that are returned by SDK and visible in the portal:
Mode

Mode is configured depending on whether the policy is targeting an Azure Resource Manager property or a Resource Provider property.

Resource Manager modes

The mode determines which resource types are evaluated for a policy definition. The supported modes are:
For example, resource We
recommend that you set mode to
Resource Provider modes

The following Resource Provider modes are fully supported:
The following Resource Provider modes are currently supported as a preview:
Note: Unless explicitly stated, Resource Provider modes only support built-in policy definitions, and exemptions are not supported at the component level.

The optional

Common metadata properties
Note: The Azure Policy service uses

Parameters

Parameters help simplify your policy management by reducing the number of policy definitions. Think of parameters like the fields on a form -

Note: Parameters may be added to an existing and assigned definition. The new parameter must include the defaultValue property. This prevents existing assignments of the policy or initiative from indirectly being made invalid.

Parameter properties

A parameter has the following properties that are used in the policy definition:
Sample Parameters

Example 1

As an example, you could define a policy definition to limit the locations where resources can be deployed. A parameter for that policy definition could be allowedLocations. This parameter would be used by each assignment of the policy definition to limit the accepted values. The use of strongType provides an enhanced experience when completing the assignment through the portal:
A sample input for this array-type parameter (without strongType) at assignment time might be ["westus", "eastus2"].

Example 2

In a more advanced scenario, you could define a policy that requires Kubernetes cluster pods to use specified labels. A parameter for that policy definition could be labelSelector, which would be used by each assignment of the policy definition to specify the Kubernetes resources in question based on label keys and values:
A sample input for this object-type parameter at assignment time would be in JSON format, validated by the specified schema, and might be:
Using a parameter value

In the policy rule, you reference parameters with the following

This sample references the allowedLocations parameter that was demonstrated in parameter properties.

strongType

Within the

Some resource types not returned by Get-AzResourceProvider are supported. Those types are:

The non-resource-type allowed values for strongType are:
Definition location

While creating an initiative or policy, it's necessary to specify the definition location. The definition location must be a management group or a subscription. This location determines the scope to which the initiative or policy can be assigned. Resources must be direct members of or children within the hierarchy of the definition location to target for assignment. If the definition location is a:
For more information, see Understand scope in Azure Policy.

Policy rule

The policy rule consists of If and Then blocks. In the If block, you define one or more conditions that specify when the policy is enforced. You can apply logical operators to these conditions to precisely define the scenario for a policy. In the Then block, you define the effect that happens when the If conditions are fulfilled.
Logical operators

Supported logical operators are:
The not syntax inverts the result of the condition. The allOf syntax (similar to the logical And operation) requires all conditions to be true. The anyOf syntax (similar to the logical Or operation) requires one or more conditions to be true. You can nest logical operators. The following example shows a not operation that is nested within an allOf operation.
Conditions

A condition evaluates whether a value meets certain criteria. The supported conditions are:
For less, lessOrEquals, greater, and greaterOrEquals, if the property type doesn't match the condition type, an error is thrown. String comparisons are made using

When using the like and notLike conditions, you provide a wildcard

When using the match and notMatch conditions, provide

Fields

Conditions that evaluate whether the values of properties in the resource request payload meet certain criteria can be formed using a field expression. The following fields are supported:
Note: In field expressions referring to the [*] alias, each element in the array is evaluated individually with a logical and between elements. For more information, see Referencing array resource properties.

Use tags with parameters

A parameter value can be passed to a tag field. Passing a parameter to a tag field increases the flexibility of the policy definition during policy assignment. In the following example,
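Added example, not the page's own code: the tagName parameter is spliced into the field expression with concat(), so one definition can enforce whichever tag an assignment names, and anyOf denies a resource when the tag is missing or its value is outside allowedTagValues. Both parameter names and the default values are constructed.

```json
{
  "properties": {
    "displayName": "Require a tag with an approved value (added example)",
    "mode": "Indexed",
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag name",
          "description": "Name of the tag that every resource must carry."
        },
        "defaultValue": "owner"
      },
      "allowedTagValues": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed tag values",
          "description": "Values the tag may hold; anything else is denied."
        },
        "defaultValue": ["platform-team", "app-team"]
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "exists": "false"
          },
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "notIn": "[parameters('allowedTagValues')]"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

With tagName set to owner, the first condition resolves to the field tags[owner] at evaluation time, which is why the bracket syntax is built with concat() rather than written literally.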
Value

Conditions that evaluate whether a value meets certain criteria can be formed using a value expression. Values can be literals, the values of parameters, or the returned values of any supported template functions.

Warning: If the result of a template function is an error, policy evaluation fails. A failed evaluation is an implicit deny. For more information, see avoiding template failures. Use enforcementMode of DoNotEnforce to prevent impact of a failed evaluation on new or updated resources while testing and validating a new policy definition.

Value examples

This policy rule example uses value to compare the result of the
This policy rule example uses value to check if the result of multiple nested functions equals
Avoiding template failures

The use of template functions in value allows for many complex nested functions. If the result of a template function is an error, policy evaluation fails. A failed evaluation is an implicit deny. An example of a value that fails in certain scenarios:
The example policy rule above uses substring() to compare the first three characters of name to abc. If name is shorter than three characters, the

Instead, use the if() function to check if the first three characters of name equal abc without allowing a name shorter than three characters to cause an error:
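Added side-by-side illustration, not the page's own code: the two policyRule values below are wrapped in one object purely for comparison and are not a deployable definition. fragileRule throws on any name shorter than three characters, and because a failed evaluation is an implicit deny the resource is blocked even though the declared effect is only audit; hardenedRule guards substring() with if() so short names evaluate to a placeholder string that simply fails the equals test. The placeholder text is constructed.

```json
{
  "fragileRule": {
    "if": {
      "value": "[substring(field('name'), 0, 3)]",
      "equals": "abc"
    },
    "then": {
      "effect": "audit"
    }
  },
  "hardenedRule": {
    "if": {
      "value": "[if(greaterOrEquals(length(field('name')), 3), substring(field('name'), 0, 3), 'not starting with abc')]",
      "equals": "abc"
    },
    "then": {
      "effect": "audit"
    }
  }
}
```

Assigning the fragile form with enforcementMode DoNotEnforce first, as the Warning above recommends, surfaces the evaluation failures in compliance results without blocking deployments.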
With the revised policy rule,

Count

Conditions that count how many members of an array meet certain criteria can be formed using a count expression. Common scenarios are checking whether 'at least one of', 'exactly one of', 'all of', or 'none of' the array members satisfy a condition. Count evaluates each array member against a condition expression and sums the true results; the sum is then compared to the expression operator.

Field count

Count how many members of an array in the request payload satisfy a condition expression. The structure of field count expressions is:
The following properties are used with field count:
For more details on how to work with array properties in Azure Policy, including a detailed explanation of how the field count expression is evaluated, see Referencing array resource properties.

Value count

Count how many members of an array satisfy a condition. The array can be a literal array or a reference to an array parameter. The structure of value count expressions is:
The following properties are used with value count:
The current function

The

Value count usage
If the value returned by the call is an object, property accessors are supported. For example:

Field count usage
Field count examples

Example 1: Check if an array is empty
Example 2: Check for only one array member to meet the condition expression
Example 3: Check for at least one array member to meet the condition expression
Example 4: Check that all object array members meet the condition expression
Example 5: Check that at least one array member matches multiple properties in the condition expression
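Added example for the scenario Example 5 describes, not the page's own code and not a built-in: a field count over the securityRules[*] array alias, with allOf inside where so that every property of the same rule object must match. greater 0 turns the count into an 'at least one of' check, so the NSG is denied if any single rule allows inbound traffic from the Internet to the listed management ports. The port list is a constructed sample.

```json
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Network/networkSecurityGroups"
      },
      {
        "count": {
          "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
          "where": {
            "allOf": [
              {
                "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].access",
                "equals": "Allow"
              },
              {
                "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].direction",
                "equals": "Inbound"
              },
              {
                "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix",
                "in": ["*", "Internet"]
              },
              {
                "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange",
                "in": ["22", "3389", "*"]
              }
            ]
          }
        },
        "greater": 0
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
```

Writing the same four conditions as plain [*] field conditions outside a count would evaluate each property across all rules independently, so a rule allowing port 22 from a private range plus a different rule allowing port 80 from the Internet would wrongly match; the count expression ties the properties to one array member.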
Example 6: Use
Example 7: Use
Value count examples

Example 1: Check if resource name matches any of the given name patterns.
Example 2: Check if resource name matches any of the given name patterns. The
Example 3: Check if resource name matches any of the given name patterns provided by an array parameter.
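Added example for the array-parameter form in Example 3, not the page's own code: the value count iterates over the namePatterns parameter, current('pattern') yields the pattern under evaluation, and like tests the resource name against it. Comparing the count with equals 0 turns it into a 'none of' check, so a resource is denied only when its name matches none of the approved patterns. The parameter name and default patterns are constructed.

```json
{
  "properties": {
    "displayName": "Resource names must match an approved pattern (added example)",
    "mode": "Indexed",
    "parameters": {
      "namePatterns": {
        "type": "Array",
        "metadata": {
          "displayName": "Approved name patterns",
          "description": "Wildcard patterns; a resource name must match at least one of them."
        },
        "defaultValue": ["prod-*", "dev-*", "test-*"]
      }
    },
    "policyRule": {
      "if": {
        "count": {
          "value": "[parameters('namePatterns')]",
          "name": "pattern",
          "where": {
            "field": "name",
            "like": "[current('pattern')]"
          }
        },
        "equals": 0
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

Changing equals 0 to greater 0 inverts the intent and would deny any name that matches one of the patterns, which is the shape to use when the parameter lists forbidden patterns instead.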
Example 4: Check if any of the virtual network address prefixes isn't under the list of approved prefixes.
Example 5: Check that all the reserved NSG rules are defined in an NSG. The properties of the reserved NSG rules are defined in an array parameter containing objects. Parameter value:
Policy:
Effect

Azure Policy supports the following types of effect:
For complete details on each effect, order of evaluation, properties, and examples, see Understanding Azure Policy Effects.

Policy functions

Functions can be used to introduce additional logic into a policy rule. They are resolved within the policy rule of a policy definition and within parameter values assigned to policy definitions in an initiative. All Resource Manager template functions are available to use within a policy rule, except the following functions and user-defined functions:
Note: These functions are still available within the

The following function is available to use in a policy rule, but differs from use in an Azure Resource Manager template (ARM template):
The following functions are only available in policy rules:
Policy function example

This policy rule example uses the
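Added example, not the page's own code: resourceGroup() is resolved at evaluation time against the resource group receiving the request, and concat() turns its name into a like pattern, so every virtual network must be named after the resource group that holds it. The type filter on Microsoft.Network/virtualNetworks and the hyphen separator are constructed choices.

```json
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Network/virtualNetworks"
      },
      {
        "field": "name",
        "notLike": "[concat(resourceGroup().name, '-*')]"
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
```

Because resourceGroup() is evaluated per request rather than when the definition is authored, one definition yields a different pattern in every resource group without needing a parameter.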
Policy rule limits

Limits enforced during authoring

Limits to the structure of policy rules are enforced during the authoring or assignment of a policy. Attempts to create or assign policy definitions that exceed these limits fail.
Limits enforced during evaluation

Limits to the size of objects that are processed by policy functions during policy evaluation. These limits can't always be enforced during authoring since they depend on the evaluated content. For example:
The length of the string created by the
Warning: Policies that exceed the above limits during evaluation effectively become deny policies and can block incoming requests. When writing policies with complex functions, be mindful of these limits and test your policies against resources that have the potential to exceed them.

Aliases

You use property aliases to access specific properties for a resource type. Aliases enable you to restrict what values or conditions are allowed for a property on a resource. Each alias maps to paths in different API versions for a given resource type. During policy evaluation, the policy engine gets the property path for that API version. The list of aliases is always growing. To find what aliases are currently supported by Azure Policy, use one of the following methods:
Understanding the [*] alias

Several of the aliases that are available have a version that appears as a 'normal' name and another that has [*] attached to it. For example:
The 'normal' alias represents the field as a single value. This field is for exact match comparison scenarios when the entire set of values must be exactly as defined, no more and no less. The [*] alias represents a collection of values selected from the elements of an array resource property. For example:
When used in a field condition, array aliases make it possible to compare each individual array element to a target value. When used with a count expression, it's possible to:
For more information and examples, see Referencing array resource properties.