AZ-400: Designing and Implementing Microsoft DevOps Solutions

Implement Security and Validate Code Bases for Compliance

Delving into Azure Policy

Azure Policy is a core pillar of Azure governance that helps you enforce standards, assess compliance, and remediate drift across your cloud environment. Whether you’re preparing for the AZ-400 exam or architecting a production workload, mastering Azure Policy ensures consistent, automated enforcement of your organizational requirements.

Key Features of Azure Policy

FeatureDescriptionExample
Policy EnforcementApply rules at scale to enforce resource configuration and naming conventionsDeny public IPs on virtual machines
Compliance AssessmentContinuously scan resources and generate compliance reportsAudit VMs without Azure Security Center extensions
Policy LibraryBrowse built-in definitions and initiative templatesISO 27001:2013 initiative template
DevOps IntegrationEmbed policies in CI/CD pipelines using Azure DevOps or GitHub ActionsEnforce tagging policy during ARM template deployment

Note

Use the Policy Library to accelerate adoption—start with Microsoft-managed definitions and customize parameters as needed.


Policy Definitions

A policy definition declares the conditions to evaluate (if block) and the action to take (then block). Definitions are expressed in JSON, making them easy to version and review.

Basic Policy Definition

{
  "policyRule": {
    "$schema": "http://schema.management.azure.com/schemas/2019-09-01/policyDefinition.json#",
    "if": {
      "allOf": [
        {
          "field": "type",
          "in": "[parameters('listOfResourceTypesNotAllowed')]"
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  },
  "parameters": {
    "listOfResourceTypesNotAllowed": {
      "type": "Array",
      "metadata": {
        "description": "Resource types to block",
        "displayName": "Not allowed resource types"
      }
    },
    "effect": {
      "type": "String",
      "allowedValues": [ "Deny", "Audit", "Disabled" ],
      "defaultValue": "Deny",
      "metadata": {
        "description": "Policy enforcement action",
        "displayName": "Effect"
      }
    }
  },
  "version": "1.0.0"
}
  • if block
    Defines the condition to evaluate on resource properties.
  • then block
    Specifies the enforcement action (e.g., Deny, Audit, Disabled).
  • parameters
    Allow you to customize values at assignment time without editing the definition.

Tip

Always reference the latest schema URL to leverage new capabilities and metadata fields.


Compliance Remediation

Azure Policy can automatically remediate non-compliant resources. The following rule adds an existence check before enforcing the effect:

{
  "policyRule": {
    "$schema": "http://schema.management.azure.com/schemas/2019-09-01/policyDefinition.json#",
    "if": {
      "allOf": [
        {
          "field": "type",
          "in": "[parameters('listOfResourceTypesNotAllowed')]"
        },
        {
          "field": "type",
          "exists": true
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  },
  "parameters": {
    "listOfResourceTypesNotAllowed": {
      "type": "Array"
    },
    "effect": {
      "type": "String"
    }
  },
  "version": "2.0.0"
}

This enhanced rule ensures that drifted resources are detected and remediated only when they indeed exist.


Policy Assignment

You can scope policy assignments at the management group, subscription, or resource group level. Use the Azure Portal, Azure CLI, or Azure PowerShell:

ScopeAzure CLIPowerShell
Management Groupaz policy assignment create --name TAG_RG --mg mtg1 --policy ...New-AzPolicyAssignment -Name TAG_RG -Scope /providers/Microsoft.Management/managementGroups/mtg1 -PolicyDefinition ...
Subscriptionaz policy assignment create --name SEC_AUDIT --scope /subscriptions/{subId} --policy ...New-AzPolicyAssignment -Name SEC_AUDIT -Scope /subscriptions/{subId} -PolicyDefinition ...
Resource Groupaz policy assignment create --name TAG_VM --resource-group rg1 --policy ...New-AzPolicyAssignment -Name TAG_VM -Scope /subscriptions/{subId}/resourceGroups/rg1 -PolicyDefinition ...

Warning

Be careful when assigning Deny policies at high-level scopes to avoid unintended disruptions in your production environment.


Azure Policy Initiatives

An initiative (also called a policy set) bundles multiple policy definitions to achieve a broader compliance objective—such as ISO 27001:2013 or PCI DSS. Initiatives simplify management by grouping related policies and tracking their combined compliance status.

The image illustrates Azure Policy initiatives, showing a diagram of policy definitions grouped for a common objective, alongside a list of policies under ISO 27001:2013.

The image is about Azure Policy initiatives, focusing on compliance monitoring, showing a flow from compliance status to goals, and listing policies related to ISO 27001:2013.

The image illustrates the connection between initiatives, scopes, and governance efficiency in Azure Policy, alongside a list of policies under ISO 27001:2013.

The image illustrates Azure Policy initiatives, highlighting the reduction of management overhead and showing a list of policies related to ISO 27001:2013.


Next Steps and References

Mastering Azure Policy definitions, assignments, remediation, and initiatives is key to enforcing governance at scale and maintaining compliance. Dive deeper with these resources:

By embedding Azure Policy into your DevOps pipelines and resource lifecycles, you’ll ensure a secure, compliant, and well-managed Azure environment.

Watch Video

Watch video content

Previous
Exploring Use Cases for Microsoft Defender for Cloud