Compliance Enforcement with Azure Policy

Did you know that by the end of 2024, an estimated 85% of organizations will have faced at least one cloud security incident?

This alarming statistic underscores the pressing need for robust security and compliance measures in the cloud. While the cloud offers unparalleled flexibility, productivity gains, and cost savings, it also exposes organizations to a myriad of sophisticated cyber threats.

As businesses increasingly migrate to cloud environments, the stakes have never been higher. Enter Azure Policy, the unsung hero in the battle for compliance within the cloud.

In this blog, we’ll dive deep into the heart of Azure Policy. We’ll explore how it works, how to create custom policies, and how to use its power across your cloud landscape.

Let’s get started!

Understanding Azure policy

What is Azure policy?

Azure policy isn’t just a set of guidelines; it’s a guardian—a vigilant overseer of your cloud environment. Imagine it as the cosmic constitution, defining the rules by which your resources must abide. Here’s the essence:

  • Creation: Create custom policies tailored to your organization’s needs. These policies define what’s acceptable and what’s forbidden within your Azure cosmos.
  • Assignment: Assign the policies to specific scopes—be it a subscription, resource group, or management group. Think of it as distributing commandments to various star systems.
  • Enforcement: Ensure compliance by continuously monitoring your resources. The policies help keep the compliance of your resources on track.

The role of initiatives

  • Grouping Policies: Initiatives bundle policies together, creating a cohesive framework.
  • Scalability and Consistency: Initiatives allow you to apply a set of policies across multiple subscriptions or resource groups. When you need to ensure uniformity, initiatives are your go-to resource.
  • Hierarchy of Control: They oversee your fleet of policies, making sure alignment with organizational goals. If one policy misbehaves, the entire initiative takes corrective action.

Why do initiatives matter?

Initiatives streamline governance. Here’s why they’re essential:

  • Holistic approach: Initiatives promote a holistic view of compliance. Rather than micromanaging each policy, you focus on broader objectives.
  • Reusability: Once you’ve fine-tuned an initiative, you can launch it across different parts of your Azure universe. Consistency becomes your cosmic currency.
  • Collaboration: Initiatives encourage collaboration among star systems (read: departments or teams). Everyone adheres to the same celestial playbook.

Why Azure Policy Matters?

Today, data flows seamlessly across virtual landscapes, and maintaining compliance is similar to taming a beast. Azure Policy is Microsoft’s answer to the compliance conundrum. It’s the rulebook that makes sure your cloud resources play by the rules.

Whether safeguarding sensitive customer data or orchestrating a galaxy of virtual machines, Azure Policy keeps your house in order.

Here’s why it matters:

  1. The compliance quandary: Organizations grapple with a labyrinth of evolving compliance standards. From GDPR to CCPA, the alphabet soup of regulations keeps growing. Azure Policy helps you stay on the right side of the law, even as the rules shift beneath your feet.
  2. Diverse resources, one mandate: Imagine managing a bustling marketplace where each vendor speaks a different language. That’s the challenge of diverse cloud resources—virtual machines, databases, containers, etc. Azure Policy unifies them under a common banner, enforcing consistency and compliance.
  3. The COVID-19 accelerator: The pandemic turbocharged cloud adoption. Suddenly, remote work became the norm, and organizations scrambled to provision resources at warp speed. But haste often sacrifices security. Azure Policy steps in, making sure that speed doesn’t compromise safety.

Creating custom policies

Creating custom policies tailored to specific organizational needs in Azure involves a few key steps:

  1. Identify your requirements:
    1. Understand your organization’s compliance, security, and operational needs.
    2. Consider factors such as data protection, access controls, resource naming conventions, and network security.
  2. Choose the right scope:
    1. Decide where the policy should apply, whether at the subscription, resource group, or management group level.
    2. Scopes define the boundaries within which the policy rules will be enforced.
  3. Craft your policy definition:
    1. Policies are defined using JSON (JavaScript Object Notation).
    2. Specify the conditions (if) and the desired effect (then) in your policy definition.
  4. Choose the right parameters:
    1. Customize your policy by adjusting parameters such as allowed locations, tag requirements, or resource types.
    2. For example, you can allow virtual machines only in specific regions or enforce specific tags on resources.
  5. Assign the policy:
    1. Assign the policy to the appropriate scope (subscription, resource group, or management group).
    2. Monitor the compliance status to ensure the policy is being enforced.
  6. Test and refine:
    1. Test the policy in a non-production environment before enforcing it.
    2. Refine the policy based on feedback and real-world scenarios.

Custom policies allow organizations to tailor their Azure environment to their specific needs, ensuring compliance, security, and efficient resource management.

Crafting Policies with JSON

  1. JSON as the blueprint:
    1. JSON (JavaScript Object Notation) serves as the blueprint for Azure policies.
    2. It’s a lightweight, human-readable format that allows organizations to express their rules succinctly.
    3. Think of it as the cosmic language for defining what’s allowed and what’s forbidden.
  2. Conditions and effects:
    1. In JSON, organizations define conditions (the “if” part) and the desired effect (the “then” part).
  3. Targeting specific resources:
    1. JSON policies are like cosmic laser beams—precise and focused.
    2. Organizations specify the resource type they want to address. In the example above, it’s storage accounts.
    3. This granularity ensures that policies apply only where needed.

Why JSON matters?

  1. Customization: JSON allows organizations to tailor policies to their exact needs. Whether it’s virtual machines, databases, or interstellar communication relays, they can fine-tune policies accordingly.
  2. Agility: JSON policies adapt as the Azure universe evolves. When new resource types emerge, organizations adjust their JSON rules without cosmic upheaval.
  3. Consistency: By expressing policies in JSON, organizations maintain a consistent language across their entire cloud galaxy.

Assigning policies

Here’s how policies are assigned to different scopes within your Azure environment:

  1. Resource level:
    1. You can assign policies directly to individual resources at the most granular level. For example, you might enforce a policy that requires all storage accounts to have encryption enabled.
    2. This approach is useful when you want to target specific resources with unique requirements.
  2. Resource Group level:
    1. Resource groups act as containers for related resources. You can assign policies to an entire resource group.
    2. When you assign a policy at the resource group level, it applies to all resources within that group. For instance, you could enforce consistent tagging across all resources in a specific project.
  3. Subscription level:
    1. At the subscription level, policies apply to all resources within that subscription.
    2. This is helpful for enforcing organization-wide rules. For example, you might ensure that all virtual machines have backup enabled.
  4. Management group level:
    1. Management groups allow you to organize subscriptions into hierarchies.
    2. When you assign a policy at the management group level, it cascades down to all subscriptions and resources within those subscriptions.
    3. Useful for enforcing policies consistently across multiple subscriptions—for instance, ensuring compliance across all development, testing, and production environments.

Impact of policy assignments

  1. Resource provisioning:
    1. Preventive guardrails: When policies are assigned, they act as preventive guardrails during resource provisioning.
    2. Enforcement during creation: For example, if a policy prohibits the creation of virtual machines without encryption, any attempt to provision a non-compliant virtual machine will be blocked at the outset.
    3. Consistent resource setup: Policies ensure that new resources adhere to organizational standards, reducing the risk of misconfiguration.
  2. Resource management:
    1. Ongoing compliance monitoring: Policies continuously monitor existing resources. If a resource configuration violates a policy, it triggers alerts or corrective actions.
    2. Automated remediation: Policies can automatically remediate non-compliant resources. For instance, if a storage account lacks encryption, the policy can enable it without manual intervention.
    3. Consistency: Policies maintain uniformity across resources, even as the Azure universe expands. Whether it’s tagging conventions, access controls, or network rules, policies keep everything aligned.

Compliance reporting and remediation

Azure Policy provides valuable compliance reports that help organizations enforce standards and assess compliance at scale.

Here are some key points about the value of compliance reports from Azure Policy:

  1. Insights and controls: Azure Policy offers insights and controls over resources in a subscription or management group of subscriptions.
    1. Location enforcement: Prevent resources from being created in incorrect locations.
    2. Tag consistency: Enforce consistent tag usage across resources.
    3. Configuration auditing: Audit existing resources to ensure appropriate configurations and settings.
  2. Compliance data: Get data to understand the state of compliance in your environment. You can access this information through various methods:
    1. Azure portal: View compliance data directly in the Azure portal.
    2. Command line scripting: Retrieve compliance information using command-line tools.
    3. Azure monitor logs: Access compliance results through Azure Monitor logs.
    4. Azure resource graph queries: Query compliance data using Azure Resource Graph.
  3. Evaluation triggers: Compliance information is updated based on evaluation cycles triggered by events such as:
    1. Assigning a new policy or initiative to a scope.
    2. Updating an existing assignment.
    3. Deploying or updating resources within a scope.
    4. Creating or moving a subscription within a management group hierarchy.
  4. Sample query: To get compliance data by policy assignment, you can use this Azure Resource Graph query.

How to remediate non-compliant resources automatically?

To automate the remediation of non-compliant resources using Azure Policy, use the “Create a remediation task” checkbox in the Azure portal.

Here’s how:

  1. Navigate to the Azure portal and search for Policy.
  2. Select Remediation on the left-hand side.
  3. Choose a policy of the type deployIfNotExists that has non-compliant resources.
  4. On the New remediation task page, filter the resources to be remediated to limit what the task applies to.
  5. Check the box labeled Create a remediation task. This will automatically correct any resources that are evaluated as NonCompliant after the policy assignment is created.

Please note: Automatic remediation only works on new resources. For resources that were created before the policy was enabled, you can manually remediate them through the Azure Policy Option Remediate within the Azure Portal.

For a more advanced setup, you can also check Azure Policy compliance status and remediate non-compliant resources via Azure DevOps Pipelines. This allows you to integrate the remediation process into your CI/CD pipeline, providing a more automated and streamlined approach.

Remember, it’s important to regularly review and update your policies and remediation tasks to ensure they’re effectively managing your resources.

Best Practices

Here are some best practices for effective policy management in Azure:

  1. Start simple: Don’t rush. Start with a few key policies and expand gradually. This way, you can understand the impact of each policy and adjust accordingly.
  2. Test policies: Always test your policies in a non-production environment first. This can help you avoid unexpected issues in your production workloads.
  3. Use exemptions sparingly: Exemptions can be handy, but use them wisely. Know when and why to exempt certain resources from policies. Too many exemptions can lead to less effective policy enforcement and potential security risks.
  4. Monitor and review: Regularly check your compliance reports and adjust your policies as needed. Azure Policy provides detailed compliance reports that can help you understand the current state of your resources and identify any non-compliant resources.
  5. Automate when possible: Use Azure Policy’s automatic remediation capabilities whenever possible. This can help ensure that non-compliant resources are corrected quickly.
  6. Update policies regularly: As your cloud environment changes, your policies should too. Regularly review and update your policies to ensure they remain relevant and effective.

Remember, managing policies effectively is an ongoing process that requires regular review and adjustment.


Azure Policy is a key tool for maintaining a secure and compliant cloud environment. It helps you manage and enforce your organization’s rules and standards.

One of its standout features is the ability to automatically correct non-compliant resources, making compliance management much simpler.

Starting small with Azure Policy is a good approach. You can begin with a few policies and expand as you understand their impact. Regular checks on compliance reports and updates to your policies ensure they stay effective and relevant.

It’s a tool that can greatly enhance your cloud management strategy, ensuring a more secure and compliant environment. Remember, managing policies effectively is an ongoing process. So, start your journey with Azure Policy today and step up your cloud security and compliance game!

Still in doubt?

Connect to an Azure Expert MSP today to make your IT world compliant and secure.


Let's get in touch and tackle your business challenges together.


We are Microsoft Solutions Partner for Security.


Rest assured. We've got you.