Azure Policy

Part of Azure governance

  1. Sits on top of ARM, so every CRUD operation has to pass through it
  2. Can be used for enforcement and audit
  3. Start with audit (to figure out how things are being used)
    1. then later you can move to enforcement
  4. Uses JSON to express the rule logic
  5. Can create a compliance report
  6. Historically focused on resources
    1. Recently also focusing on actions (DenyAction, e.g. Delete) that one can take on resources
  7. Is not enforced against existing resources until they are updated (enforcement happens on create or update)

How

flowchart LR
	policy --> initiative --> scope
  1. A policy is a set of business rules defined in JSON
  2. A set of policies can be grouped into an initiative
  3. The initiative is then assigned to a scope (subscription, resource group, management group or individual resource)

Example Policy Definition

{
  "properties": {
    "displayName": "Allowed locations",
    "description": "This policy enables you to restrict the locations your organization can specify when deploying resources.",
    "mode": "Indexed",
    "metadata": {
      "version": "1.0.0",
      "category": "Locations"
    },
    "parameters": {
      "allowedLocations": {
        "type": "array",
        "metadata": {
          "description": "The list of locations that can be specified when deploying resources",
          "strongType": "location",
          "displayName": "Allowed locations"
        },
        "defaultValue": [
          "westus2"
        ]
      }
    },
    "policyRule": {
      "if": {
        "not": {
          "field": "location",
          "in": "[parameters('allowedLocations')]"
        }
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
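To make the policy → initiative → scope flow and the audit-then-deny approach concrete, here is an added, stand-alone model of how the JSON logic above is evaluated. It is not Azure's own evaluation engine and not code from this page: it implements only the subset of the policy language used here ("field", "in", "equals", "exists", "not", "allOf", "anyOf", "[parameters(...)]" references, and the "deny"/"audit" effects). The second policy ("Require env tag"), the resource IDs, the subscription GUID and the inventory are all constructed sample data; the "Allowed locations" definition is a compact copy of the one above.

```python
"""Stand-alone model of an Azure Policy definition, initiative and assignment.
Added illustration only; NOT Azure's evaluation engine. Supports just the
subset of the policy language used on this page so the JSON logic can be
exercised offline."""
import re

PARAM_RE = re.compile(r"^\[parameters\('([^']+)'\)\]$")
EFFECTS = {"deny", "audit"}


def resolve(value, params):
    """Replace "[parameters('name')]" with the value bound at assignment time."""
    if isinstance(value, str):
        m = PARAM_RE.match(value)
        if m:
            return params[m.group(1)]
    return value


def field_value(resource, field):
    """Read a field alias: a top-level property or the "tags[name]" form."""
    m = re.match(r"^tags\[(.+)\]$", field)
    if m:
        return resource.get("tags", {}).get(m.group(1))
    return resource.get(field)


def matches(cond, resource, params):
    """True when the "if" block matches, i.e. the policy's effect applies."""
    if "not" in cond:
        return not matches(cond["not"], resource, params)
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource, params) for c in cond["anyOf"])
    actual = field_value(resource, cond["field"])
    if "in" in cond:
        return actual in resolve(cond["in"], params)
    if "equals" in cond:
        return actual == resolve(cond["equals"], params)
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def bind_params(definition, overrides):
    """Definition defaults, overridden by values set on the assignment."""
    props = definition["properties"]
    params = {n: p.get("defaultValue") for n, p in props.get("parameters", {}).items()}
    params.update(overrides)
    return params


def evaluate_resource(initiative, assignment, resource):
    """Run every policy of the initiative against one resource.
    Returns {policy displayName: effect} for each policy whose rule matched."""
    hits = {}
    for d in initiative:
        props = d["properties"]
        params = bind_params(d, assignment["parameters"].get(props["displayName"], {}))
        if matches(props["policyRule"]["if"], resource, params):
            effect = str(resolve(props["policyRule"]["then"]["effect"], params)).lower()
            if effect not in EFFECTS:
                raise ValueError(f"unsupported effect: {effect}")
            hits[props["displayName"]] = effect
    return hits


def admit_request(initiative, assignment, resource):
    """Model the ARM create/update path: a matching "deny" rejects the request,
    "audit" lets it through but is recorded. Returns (allowed, matched effects)."""
    hits = evaluate_resource(initiative, assignment, resource)
    return "deny" not in hits.values(), hits


def compliance_report(initiative, assignment, resources):
    """Model the compliance scan: existing resources in scope are only reported,
    never blocked. Resources outside the assignment scope are skipped."""
    return {r["name"]: sorted(evaluate_resource(initiative, assignment, r))
            for r in resources if r["id"].startswith(assignment["scope"])}


# Constructed sample data: compact copy of the page's "Allowed locations" policy
# plus a hypothetical "Require env tag" policy whose effect is a parameter, so
# one definition can be assigned as audit first and switched to deny later.
ALLOWED_LOCATIONS = {"properties": {
    "displayName": "Allowed locations", "mode": "Indexed",
    "parameters": {"allowedLocations": {"type": "array", "defaultValue": ["westus2"]}},
    "policyRule": {"if": {"not": {"field": "location", "in": "[parameters('allowedLocations')]"}},
                   "then": {"effect": "deny"}}}}
REQUIRE_ENV_TAG = {"properties": {
    "displayName": "Require env tag", "mode": "Indexed",
    "parameters": {"effect": {"type": "string", "defaultValue": "audit"}},
    "policyRule": {"if": {"field": "tags[env]", "exists": "false"},
                   "then": {"effect": "[parameters('effect')]"}}}}
INITIATIVE = [ALLOWED_LOCATIONS, REQUIRE_ENV_TAG]  # policies grouped into an initiative

# Assignment scope: a resource group (constructed subscription id and names).
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
AUDIT_ASSIGNMENT = {"scope": RG, "parameters": {
    "Allowed locations": {"allowedLocations": ["westeurope", "northeurope"]}}}
ENFORCE_ASSIGNMENT = {"scope": RG, "parameters": {
    "Allowed locations": {"allowedLocations": ["westeurope", "northeurope"]},
    "Require env tag": {"effect": "deny"}}}

RESOURCES = [  # constructed inventory of existing resources; vmdev is out of scope
    {"id": RG + "/providers/Microsoft.Storage/storageAccounts/stprod01", "name": "stprod01",
     "location": "westeurope", "tags": {"env": "prod"}},
    {"id": RG + "/providers/Microsoft.Storage/storageAccounts/stlegacy", "name": "stlegacy",
     "location": "eastus", "tags": {}},
    {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-dev"
           "/providers/Microsoft.Compute/virtualMachines/vmdev", "name": "vmdev",
     "location": "eastus"},
]

if __name__ == "__main__":
    print(compliance_report(INITIATIVE, AUDIT_ASSIGNMENT, RESOURCES))
    new_vm = {"id": RG + "/providers/Microsoft.Compute/virtualMachines/vmnew",
              "name": "vmnew", "location": "westeurope"}
    print(admit_request(INITIATIVE, AUDIT_ASSIGNMENT, new_vm))    # allowed, audited
    print(admit_request(INITIATIVE, ENFORCE_ASSIGNMENT, new_vm))  # denied
```

Two points the model makes visible: the scan over existing resources only reports `stlegacy` as non-compliant (it is never touched, matching point 7 above), while the same rule on the create/update path rejects a new resource once the assignment parameter flips the effect from `audit` to `deny`. Resources outside the assignment scope (`vmdev` in `rg-dev`) are not evaluated at all, which is why scope choice matters as much as the rule itself.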

References:

  1. Azure Policy
  2. Azure Policy JSON reference
