📖 What is Azure Policy?
Azure Policy enforces organizational standards and assesses compliance at scale. It defines rules and effects for Azure resources, enabling automated enforcement of policies related to cost, security, and regulatory compliance. Policies can audit, deny, modify, or deploy resources.
"Focus on the different policy 'effects' (Audit, Deny, DeployIfNotExists, Modify). Understand how policies are assigned to scopes and how they interact with resource deployment. Distractors often involve confusing Policy with Azure Blueprints, which are more complex template deployments."
📚 Certification: Microsoft Azure Fundamentals (AZ-900)
🔑 What are the Key Concepts of Azure Policy?
- ▸ Azure Policy uses 'effects' to determine how a policy is enforced: Audit marks the resource non-compliant in compliance results but still lets it be created, Deny rejects the create or update request, Modify adds or changes properties (typically tags) on the request, and DeployIfNotExists deploys a related resource (for example a diagnostic setting) when the condition is not met.
- ▸ Policies are assigned at a 'scope' (management group, subscription, resource group, or individual resource) and apply to everything beneath that scope unless a resource is excluded from the assignment or covered by a policy exemption.
- ▸ Built-in policies offer pre-defined rules for common compliance needs, while custom policies allow for tailored enforcement based on specific requirements.
- ▸ Policy definitions separate the *what* (rule logic) from the *where* (assignment scope), promoting reusability and centralized management.
- ▸ Initiatives group multiple policy definitions, simplifying the assignment of related policies for comprehensive governance.
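The definition below is an added example, not Microsoft's code or a built-in policy. It is a custom definition in the real Azure Policy JSON schema (a `policyRule` with `if`/`then` and a parameterised effect) that requires storage accounts to enforce secure transfer, plus a deliberately small evaluator that mimics how Resource Manager applies the rule to one resource at create/update time. The evaluator, the alias-to-property mapping and the sample resources are simplifications constructed for illustration; it implements only the operators this definition needs.

```python
"""Added example: a custom Azure Policy definition and a toy evaluator."""
import json

# Custom definition (Azure Policy schema). The parameterised 'effect' lets the
# same rule be assigned as Audit in one scope and Deny in another.
POLICY_DEFINITION = json.loads("""
{
  "properties": {
    "displayName": "Storage accounts should require secure transfer",
    "mode": "Indexed",
    "parameters": {
      "effect": {
        "type": "String",
        "allowedValues": ["Audit", "Deny", "Disabled"],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
          {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
           "equals": "false"}
        ]
      },
      "then": {"effect": "[parameters('effect')]"}
    }
  }
}
""")


def _field_value(resource, field):
    """Resolve a policy 'field'. Top-level names map directly; an alias of the
    form <resourceType>/<property> maps to resource['properties'][<property>]
    (simplification: real aliases can point deeper, e.g. into arrays)."""
    if field in ("type", "name", "location", "kind"):
        return resource.get(field)
    rtype, _, prop = field.rpartition("/")
    if rtype.lower() != str(resource.get("type", "")).lower():
        return None  # alias belongs to another resource type
    return resource.get("properties", {}).get(prop)


def _norm(value):
    # Azure Policy string comparisons are case-insensitive; booleans are
    # compared via their lowercase string form here (simplification).
    return None if value is None else str(value).lower()


def _eval_condition(cond, resource):
    if "allOf" in cond:
        return all(_eval_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_eval_condition(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not _eval_condition(cond["not"], resource)
    value = _field_value(resource, cond["field"])
    if "equals" in cond:
        return _norm(value) == _norm(cond["equals"])
    if "notEquals" in cond:
        return _norm(value) != _norm(cond["notEquals"])
    if "exists" in cond:
        return (value is not None) == (_norm(cond["exists"]) == "true")
    raise ValueError(f"unsupported condition: {cond}")


def _resolve_effect(definition, assignment_params):
    """Turn "[parameters('effect')]" into the value chosen on the assignment."""
    props = definition["properties"]
    effect = props["policyRule"]["then"]["effect"]
    if effect.startswith("[parameters('"):
        name = effect[len("[parameters('"):-len("')]")]
        param = props["parameters"][name]
        value = assignment_params.get(name, param.get("defaultValue"))
        if value not in param.get("allowedValues", [value]):
            raise ValueError(f"{value!r} is not an allowed value for {name}")
        return value
    return effect


def evaluate(definition, resource, assignment_params=None):
    """Return (outcome, request_allowed) for a create/update of `resource`:
    'compliant'    rule did not match, or the effect is Disabled
    'noncompliant' Audit: the request succeeds but the resource is flagged
    'denied'       Deny: Resource Manager rejects the request"""
    effect = _resolve_effect(definition, assignment_params or {})
    if effect == "Disabled":
        return "compliant", True
    if not _eval_condition(definition["properties"]["policyRule"]["if"], resource):
        return "compliant", True
    if effect == "Deny":
        return "denied", False
    if effect == "Audit":
        return "noncompliant", True
    raise ValueError(f"effect {effect} is not modelled here")


# Constructed sample resources (not real deployments).
INSECURE_STORAGE = {"type": "Microsoft.Storage/storageAccounts", "name": "sa1",
                    "properties": {"supportsHttpsTrafficOnly": False}}
SECURE_STORAGE = {"type": "Microsoft.Storage/storageAccounts", "name": "sa2",
                  "properties": {"supportsHttpsTrafficOnly": True}}
VIRTUAL_MACHINE = {"type": "Microsoft.Compute/virtualMachines", "name": "vm1",
                   "properties": {}}

if __name__ == "__main__":
    for params in ({"effect": "Audit"}, {"effect": "Deny"}):
        for res in (INSECURE_STORAGE, SECURE_STORAGE, VIRTUAL_MACHINE):
            print(params["effect"], res["name"], evaluate(POLICY_DEFINITION, res, params))
```

Run it and the same insecure storage account is flagged under Audit but rejected under Deny, while the compliant account and the VM (a type the rule does not target) pass in both cases; the VM case is why `allOf` starts with a `type` condition, so the alias is never evaluated against the wrong resource type.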
🎯 How does Azure Policy appear on the AZ-900 Exam?
You may be asked to identify the correct Azure Policy effect to use when you want to flag non-compliant resources without preventing their creation.
A scenario might describe a company needing to ensure all storage accounts are created with encryption enabled – determine which policy and effect would achieve this (only Deny blocks a non-compliant deployment; Audit merely reports it afterwards).
Expect questions about the scope of a policy assignment; understanding that an assignment made at a management group applies to every subscription, resource group and resource beneath it, unless explicitly excluded, is crucial.
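The following is an added example, not code from the page or from Microsoft, that works through the inheritance question above: given a small management-group tree and a handful of assignments, it lists which assignments reach a particular resource. Subscription, resource-group and resource scopes are prefixes of the resource ID, but management groups are not, so their membership has to come from the tree. The hierarchy, subscription IDs and assignment names are all constructed for illustration; exclusions are modelled as the assignment's `notScopes` list (policy exemptions, which are separate resources, are not modelled).

```python
"""Added example: resolve which policy assignments apply to a resource."""

# Constructed hierarchy with hypothetical IDs. Management-group IDs take the
# form /providers/Microsoft.Management/managementGroups/<name>.
MG = "/providers/Microsoft.Management/managementGroups/"
SUB_PROD = "/subscriptions/11111111-1111-1111-1111-111111111111"
SUB_DEV = "/subscriptions/22222222-2222-2222-2222-222222222222"

# child scope -> parent scope; subscriptions are the leaves of the MG tree.
PARENT = {
    SUB_PROD: MG + "landing-zones",
    SUB_DEV: MG + "sandbox",
    MG + "landing-zones": MG + "contoso-root",
    MG + "sandbox": MG + "contoso-root",
}
# Resource IDs are case-insensitive in Azure, so compare everything lowercased.
PARENT_LC = {k.lower(): v.lower() for k, v in PARENT.items()}

# Constructed assignments: (assignment name, scope, notScopes).
ASSIGNMENTS = [
    ("deny-public-ip", MG + "contoso-root", []),
    ("audit-https-storage", MG + "landing-zones",
     [SUB_PROD + "/resourceGroups/rg-legacy"]),
    ("require-tags", SUB_DEV, []),
]


def ancestor_scopes(resource_id):
    """Every scope a resource sits in: subscription, resource group, the
    resource itself, then each management group up to the root."""
    rid = resource_id.lower()
    parts = rid.split("/")
    scopes = []
    if len(parts) >= 3 and parts[1] == "subscriptions":
        scopes.append("/".join(parts[:3]))                 # /subscriptions/<id>
        if len(parts) >= 5 and parts[3] == "resourcegroups":
            scopes.append("/".join(parts[:5]))             # .../resourceGroups/<rg>
            if len(parts) > 5:
                scopes.append(rid)                         # the resource itself
    node = scopes[0] if scopes else None
    while node in PARENT_LC:                               # climb the MG tree
        node = PARENT_LC[node]
        scopes.append(node)
    return scopes


def _excluded(rid, scopes, not_scopes):
    """True if the resource is, or lives under, any notScope."""
    for ns in (n.lower() for n in not_scopes):
        if ns in scopes or rid == ns or rid.startswith(ns + "/"):
            return True
    return False


def applicable_assignments(resource_id):
    """Names of assignments whose scope is an ancestor of the resource and
    which do not exclude it."""
    rid = resource_id.lower()
    scopes = ancestor_scopes(rid)
    return [name for name, scope, not_scopes in ASSIGNMENTS
            if scope.lower() in scopes and not _excluded(rid, scopes, not_scopes)]


if __name__ == "__main__":
    for rid in (
        SUB_PROD + "/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/sa1",
        SUB_PROD + "/resourceGroups/rg-legacy/providers/Microsoft.Storage/storageAccounts/sa2",
        SUB_DEV + "/resourceGroups/rg-x/providers/Microsoft.Compute/virtualMachines/vm1",
    ):
        print(rid.rsplit("/", 1)[-1], "->", applicable_assignments(rid))
```

The storage account in `rg-legacy` escapes the HTTPS audit only because that resource group is listed in the assignment's `notScopes`; the root-level Deny still reaches it, which is the usual answer to "can a lower scope opt out of a parent's policy" (no, not without the assignment owner changing it).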
❓ Frequently Asked Questions
What's the difference between Azure Policy and Azure Blueprints?
Azure Policy enforces rules on resources at deployment time and on an ongoing basis, while Blueprints package pre-defined artifacts (Resource Manager templates, role assignments and policy assignments) for repeatable environment deployments. A Blueprint can therefore include policy assignments, but Blueprints themselves do not evaluate compliance. Note that Microsoft has announced the deprecation of Azure Blueprints in favour of template specs and deployment stacks; the exam may still test the distinction.
Can I use Azure Policy to automatically remediate non-compliant resources?
Yes, within limits. 'DeployIfNotExists' and 'Modify' act automatically on resources as they are created or updated, and for resources that already existed before the assignment you create a remediation task against the assignment; the assignment needs a managed identity with the role required to make the change. 'Audit' and 'Deny' never change a resource, so remediating findings from those effects means either switching to a Modify/DeployIfNotExists policy or wiring compliance events into external automation such as Logic Apps or Azure Automation runbooks.
If a resource is denied creation by a policy, can I override it?
Generally, no. Deny is evaluated by Azure Resource Manager before the request is processed, so holding Owner or Contributor on the resource does not bypass it. Exceptions are made deliberately by whoever controls the assignment: changing its scope, effect parameter or excluded scopes (notScopes), or creating a policy exemption for a specific resource or scope, optionally with an expiry date so the exception does not outlive its justification.