Overview

Azure Policy enforces compliance on Azure resources at the resource provider level. Policies evaluate resource properties during creation, updates, and on a regular compliance cycle, ensuring resources meet organizational standards.

Capabilities

  • Enforce compliance at the Azure subscription or management group level
  • Multiple effects: Deny, Audit, Modify, Append, DeployIfNotExists, AuditIfNotExists, DenyAction, and Disabled
  • Built-in and custom policy definitions
  • Initiative (policy set) grouping for compliance standards

Limitations

  • Requires an Azure subscription
  • Only applicable to Azure cloud environments — check out AWS SCP for AWS environments

Generated Format

  • Language: JSON
  • Structure: Azure Policy definition with policyRule containing if/then conditions
  • Execution: Applied via Azure Portal, CLI, ARM templates, Bicep, Terraform, or REST API

Example Guardrail

{
  "properties": {
    "displayName": "Require minimum TLS 1.2 on storage accounts",
    "policyType": "Custom",
    "mode": "All",
    "parameters": {},
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
            "notEquals": "TLS1_2"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
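To show how the if/then block above is evaluated, here is an added, deliberately simplified offline evaluator; it is not Azure's policy engine or any Microsoft SDK, it understands only allOf/anyOf/not and equals/notEquals, and the resource documents it checks are constructed:

```python
"""Offline evaluator for the if/then shape of an Azure Policy rule.
Added, simplified re-implementation; not Azure's engine or an SDK.
Supports allOf/anyOf/not and equals/notEquals field conditions."""
import json

# The page's guardrail as a constructed policy definition (rule only).
POLICY = json.loads("""{"properties": {"policyRule": {
  "if": {"allOf": [
    {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
    {"field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
     "notEquals": "TLS1_2"}]},
  "then": {"effect": "deny"}}}}""")

def resolve_field(resource: dict, field: str):
    """'type'/'name'/'location' read top-level keys; an alias
    '<type>/<prop>' reads properties.<prop> (assumption: one level only)."""
    if field in ("type", "name", "location"):
        return resource.get(field)
    return resource.get("properties", {}).get(field.split("/")[-1])

def evaluate(cond: dict, resource: dict) -> bool:
    """Recursively evaluate a policy condition against a resource."""
    if "allOf" in cond:
        return all(evaluate(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource)
    value = resolve_field(resource, cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "notEquals" in cond:
        # A missing property is also "not TLS1_2", so it is denied too.
        return value != cond["notEquals"]
    raise ValueError(f"unsupported condition: {cond}")

def effect_for(resource: dict, policy: dict = POLICY) -> str:
    """Return the rule's effect when its 'if' block matches, else 'none'."""
    rule = policy["properties"]["policyRule"]
    return rule["then"]["effect"] if evaluate(rule["if"], resource) else "none"

# Constructed sample resources: compliant, weak TLS, unset, and a non-storage VM.
GOOD = {"type": "Microsoft.Storage/storageAccounts", "properties": {"minimumTlsVersion": "TLS1_2"}}
WEAK = {"type": "Microsoft.Storage/storageAccounts", "properties": {"minimumTlsVersion": "TLS1_0"}}
UNSET = {"type": "Microsoft.Storage/storageAccounts", "properties": {}}
VM = {"type": "Microsoft.Compute/virtualMachines", "properties": {}}

if __name__ == "__main__":
    for name, r in [("GOOD", GOOD), ("WEAK", WEAK), ("UNSET", UNSET), ("VM", VM)]:
        print(name, effect_for(r))
```

The VM is never denied because the first allOf condition fails, while the account that omits minimumTlsVersion is treated as non-compliant; in the real service, the storage resource provider also applies its own default for that property.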
Learn more at Azure Policy documentation and policy definition structure.