AZ-104 Microsoft Azure Administrator Exam

You're a great admin... on-prem. Now, become a great admin in the cloud and prove it by passing the Microsoft Certified: Azure Administrator Associate exam!


Implement and manage Azure Policy

Define and Assign Azure Policies

Introduction to Azure Policies

Azure Policy is an essential service within Azure that helps ensure organizations meet their standards and remain compliant on a large scale. It offers a compliance dashboard that provides an overview of the environment's overall state, allowing detailed evaluations at both the individual resource and policy level. One of its powerful features is the ability to remediate non-compliant resources by utilizing bulk remediation for existing resources and automatic remediation for new resources.

Common Use Cases

Azure Policy is useful for several scenarios, including:

  • Resource Consistency: Guaranteeing that resources are only deployed to specific allowed regions.
  • Regulatory Compliance: Enforcing adherence to industry regulations.
  • Security: Ensuring that resources send diagnostic logs to a Log Analytics workspace.
  • Cost Management: Implementing measures to control costs efficiently.
  • Management: Applying consistent tags for easy taxonomy within Azure.

Policy Definitions

Policy definitions in Azure use JSON format to specify conditions and effects. These definitions comprise metadata and rules that incorporate functions, parameters, logical operators, conditions, and property aliases tailored to match distinct scenarios. To enhance management, multiple business rules can be grouped into a policy initiative or policySet, simplifying complex rule administration.
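The structure described above, as an added example that is not taken from the original page or from Microsoft: a definition that audits resources outside the allowed regions, plus a deliberately simplified evaluator showing how the parameters, the allOf operator and the effect combine. The parameter names, the SAMPLE resource and the evaluator are assumptions made for illustration; Azure's own evaluation engine supports many more conditions.

```python
import re

# Policy definition body in Azure Policy's JSON shape, written as a Python dict.
POLICY = {
    "mode": "Indexed",
    "parameters": {
        "allowedLocations": {"type": "Array"},
        "effect": {"type": "String", "defaultValue": "Audit",
                   "allowedValues": ["Audit", "Deny", "Disabled"]},
    },
    "policyRule": {
        "if": {"allOf": [
            {"field": "location", "notIn": "[parameters('allowedLocations')]"},
            {"field": "location", "notEquals": "global"},
        ]},
        "then": {"effect": "[parameters('effect')]"},
    },
}

def resolve(value, params):
    """Expand a "[parameters('name')]" expression; return other values as-is."""
    if isinstance(value, str):
        m = re.fullmatch(r"\[parameters\('(\w+)'\)\]", value)
        if m:
            return params[m.group(1)]
    return value

def matches(cond, resource, params):
    """Toy evaluator: allOf plus notIn/notEquals on a field, case-insensitive."""
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    actual = str(resource.get(cond["field"], "")).lower()
    if "notIn" in cond:
        return actual not in [v.lower() for v in resolve(cond["notIn"], params)]
    if "notEquals" in cond:
        return actual != resolve(cond["notEquals"], params).lower()
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(resource, assignment_params):
    """Return the effect that fires for a resource, or 'Compliant'."""
    params = {k: v["defaultValue"] for k, v in POLICY["parameters"].items()
              if "defaultValue" in v}
    params.update(assignment_params)  # values supplied at assignment time
    if matches(POLICY["policyRule"]["if"], resource, params):
        return resolve(POLICY["policyRule"]["then"]["effect"], params)
    return "Compliant"

# Constructed sample resource (assumption, not real inventory).
SAMPLE = {"type": "Microsoft.Storage/storageAccounts", "location": "westus"}
```

Assigning with only allowedLocations leaves the effect at its Audit default, so the out-of-region resource is reported rather than blocked; passing "effect": "Deny" at assignment switches the same definition to enforcement.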

Assigning Policies

Policies are assigned at various scopes, including management groups, subscriptions, resource groups, or individual resources. An assignment applies to all resources within the defined scope, with options to exclude certain subscopes when necessary. Resource compliance is evaluated at specific points in the resource lifecycle, in the policy assignment lifecycle, and during regular compliance assessments.

Evaluation Outcomes

Resources undergo compliance checks at designated times:

  • During creation or updating when covered by a policy.
  • When a new policy or initiative is assigned.
  • Upon updates of existing policies or initiatives.
  • Every 24 hours as part of the regular compliance evaluation cycle.

Handling Non-Compliant Resources

Organizations can employ different strategies to address non-compliant resources:

  • Deny: Refusing changes to the resource.
  • Log: Recording the changes to the resource.
  • Modify: Adjusting the resource before or after the change.
  • Deploy: Adding related compliant resources.
  • Block: Preventing specific actions concerning resources.

Recommendations for Managing Policies

When handling policies, consider these helpful tips:

  • Begin with an audit effect to monitor policy implications before enforcement.
  • Define policies at higher hierarchical levels (e.g., management group or subscription) and assign them at more specific child levels.
  • Use initiative definitions to bundle related policies for streamlined management.
  • Manage Azure Policy resources as code, with manual review of every change.

Special Permissions

To handle Azure Virtual Network Manager dynamic group policies, specific Azure RBAC permissions are necessary. Make sure users have the required permissions to create, edit, or delete these policies effectively.

Conclusion

Azure Policy is pivotal for upholding organizational standards and sustaining compliance across resources on Azure. Through careful definition and assignment of policies, organizations can proficiently manage resources, uphold compliance standards, and automate the remediation of non-compliant assets.