Azure Policy Automation

Managing Azure Policies at Scale: A Terraform and azapi Approach

What is an Azure Policy?

An Azure Policy is a governance rule applied to Azure resources. It ensures that an environment remains compliant with defined standards: security, naming conventions, allowed regions… There are three key concepts to distinguish.

A Policy Definition is the rule itself. It defines what is evaluated and the effect triggered in case of non-compliance. The main effects are:

    Effect              Behavior
    Audit               Logs non-compliance, does not block
    Deny                Blocks resource creation or modification
    DeployIfNotExists   Automatically deploys an associated resource if absent
    Modify              Modifies a property during creation/update
    Append              Adds fields to the resource

An Initiative (or PolicySetDefinition) is a grouping of multiple definitions. Rather than assigning each policy one by one, they are grouped into a coherent initiative, for example a security baseline or CIS compliance set. ...

April 28, 2026 · 15 min · Thomas L.
Azure policy Custom message

Azure Policy: reading Activity Logs to diagnose a Deny

When an Azure Policy blocks a deployment, the error message in Terraform or in the portal often shows the responsible assignment but not always the full detail of the violated rule. Azure Activity Logs keep a complete trace of every denial.

Where to look in the portal

Activity Logs are accessible from several places: at the subscription level, resource group level, or directly from a resource. To diagnose a Policy Deny, go to Activity Log. ...

December 10, 2024 · 2 min · Thomas L.
Azure Resource Graph

Azure Resource Graph: auditing resources and policies with KQL

The Azure portal offers compliance views for Azure Policies, but they are limited: no advanced cross-subscription filtering, no easy export, no complex criteria combinations. Azure Resource Graph solves this with KQL, the same language as Log Analytics, applied to your Azure resource metadata.

What is Azure Resource Graph?

Azure Resource Graph is a service that indexes all your Azure resources and their state. It lets you query your entire tenant in seconds, across all subscriptions, using KQL (Kusto Query Language). ...

November 5, 2024 · 3 min · Thomas L.
Azure policy Custom message

Azure Policy: customizing the Deny error message

By default, when an Azure Policy blocks an operation, the returned message is generic and hard to act on.

The problem

To illustrate this, I created a simple policy that prevents the creation of a public IP address.

    {
      "policyRule": {
        "if": {
          "field": "type",
          "equals": "Microsoft.Network/publicIPAddresses"
        },
        "then": {
          "effect": "Deny"
        }
      },
      "versions": ["1.0.0"]
    }

The default error looks like this:

    Resource 'test-pip' was disallowed by policy. (Code: RequestDisallowedByPolicy, Policy(s): deny-public-ip-assignment ...

May 14, 2024 · 2 min · Thomas L.