Azure Governance – Policy Automation


In my last post I talked about managing “Azure Resource Manager Policies” via the portal. While the portal is a good place to view your policies, it is not where you want to be managing them! In today’s post, we’ll look at how we can automate this, so that all policies are effective for their scope and stay that way. Once your subscriptions grow, you can have far too many resources and resource groups on your hands. Setting things up manually is not the way to go…



Microsoft Azure Enterprise Scaffold

How to do governance in Azure is a very common question. So if you have found yourself asking questions on that topic, do not feel strange! One of the prime resources I can recommend in this area is the “Microsoft Azure Enterprise Scaffold”;

The scaffold is based on practices we have gathered from many engagements with clients of various sizes. Those clients range from small organizations developing solutions in the cloud to Fortune 500 enterprises and independent software vendors who are migrating and developing solutions in the cloud. The enterprise scaffold is “purpose-built” to be flexible to support both traditional IT workloads and agile workloads, such as developers creating software-as-a-service (SaaS) applications based on Azure capabilities.


Technical Demo

For today’s demo, I’ll be using Visual Studio Team Services to push the policies via Azure PowerShell. Let’s start with the code we’ll be using; as a reference, you can find the code in the GitHub repository (based on). Here you can see a folder called “policydef”, which includes the policies I want to set;

And also a folder called “script”, which contains the scripts that set them up;

So far, so good I guess? If we take a look at some of those templates…

Then we can see the JSON format in which policy rules are configured. The first example limits my deployments to North & West Europe, while the second example limits my storage accounts to LRS (Locally Redundant Storage) and GRS (Geo-Redundant Storage).


Now I’ve created a CI/CD pipeline in Visual Studio Team Services that will “build” (test & package) my policies on every change, and afterwards deploy those policies to my subscriptions.

The above screenshot is from the “Release” (Deploy) part, where I extract my “artifact”, a zip file containing my policies & scripts. Next I clean up all my policies using the “Delete-All-Policy-Assets.ps1” script and apply them all again via the “Policy-Subscription-All.ps1” script. This ensures that a policy which has been removed from the repository isn’t left behind in the subscription. Be aware that this approach leaves a short window, between the delete and the re-apply, in which nothing is enforced; keep that window small and run the release at a quiet moment.

What does that look like when I release? My “Policy-Subscription-All.ps1” script has a $poList parameter, in which I configure the list of policies (each linked to its policy file) that need to be applied.

And during the “Release”, all these get applied…

As you can see, there are two “subs(criptions)” defined in the release flow ;

Just so that you can see that the same set of policies can be applied to multiple subscriptions (if wanted). In reality, we often see subscriptions that fully or partially share policies, though each subscription can also have its own unique list of policies assigned to it.
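Putting the templates and the release steps above together, here is an added example of both: the two policy rules and a “clean up what we own, then re-apply everything” script in the spirit of Delete-All-Policy-Assets.ps1 and Policy-Subscription-All.ps1. This is my own code, not the scripts from the post’s repository. It uses the current Az PowerShell module (New-AzPolicyDefinition / New-AzPolicyAssignment) rather than the AzureRM cmdlets of the time, assumes an already authenticated session (the release’s service connection or Connect-AzAccount), and keeps the rules inline as here-strings where the post reads them from the policydef folder. The subscription names and the gov- naming prefix are placeholders.

```powershell
# Added example, not the post's own scripts. Assumes the Az module (Az.Accounts, Az.Resources)
# and an authenticated session. Subscription names and the "gov-" prefix are placeholders.
param(
    [string[]] $Subscriptions = @('sub-one', 'sub-two')   # names or IDs of the target subscriptions
)
$ErrorActionPreference = 'Stop'
$prefix = 'gov-'   # every definition/assignment this pipeline creates carries this prefix

# The policy rules (the "if"/"then" part of a definition). In the post these live in the
# policydef folder as one JSON file per policy; they are inline here to keep the example
# self-contained. The keys play the role of the post's $poList parameter.
$poList = @{
    # 1. Only North & West Europe. "global" is excluded so that location-less resources
    #    (Traffic Manager profiles, DNS zones, ...) are not blocked as a side effect.
    'allowed-locations' = @'
{
  "if": {
    "allOf": [
      { "not": { "field": "location", "in": [ "northeurope", "westeurope" ] } },
      { "field": "location", "notEquals": "global" }
    ]
  },
  "then": { "effect": "deny" }
}
'@
    # 2. Storage accounts may only use LRS or GRS.
    'allowed-storage-skus' = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
      { "not": { "field": "Microsoft.Storage/storageAccounts/sku.name",
                 "in": [ "Standard_LRS", "Standard_GRS" ] } }
    ]
  },
  "then": { "effect": "deny" }
}
'@
}

foreach ($sub in $Subscriptions) {
    $ctx   = Set-AzContext -Subscription $sub
    $scope = "/subscriptions/$($ctx.Subscription.Id)"
    Write-Host "== $($ctx.Subscription.Name) ($scope)"

    # Step 1: clean up. Only touch assets carrying our prefix, so assignments made by
    # someone else (or inherited from a management group) survive the release.
    # Assignments go first: a definition that is still assigned cannot be deleted.
    Get-AzPolicyAssignment -Scope $scope |
        Where-Object { $_.Name -like "$prefix*" } |
        ForEach-Object {
            Write-Host "  removing assignment $($_.Name)"
            Remove-AzPolicyAssignment -Name $_.Name -Scope $scope
        }
    Get-AzPolicyDefinition -Custom |
        Where-Object { $_.Name -like "$prefix*" } |
        ForEach-Object {
            Write-Host "  removing definition $($_.Name)"
            Remove-AzPolicyDefinition -Name $_.Name -Force
        }

    # Step 2: re-create definition + assignment for every entry in $poList.
    # Between step 1 and step 2 nothing is enforced in this subscription.
    foreach ($name in $poList.Keys) {
        $def = New-AzPolicyDefinition -Name "$prefix$name" -DisplayName $name `
                   -Policy $poList[$name] -Mode Indexed
        New-AzPolicyAssignment -Name "$prefix$name" -DisplayName $name `
                   -PolicyDefinition $def -Scope $scope | Out-Null
        Write-Host "  assigned $name"
    }
}
```

The prefix filter is the one deliberate departure from a literal “delete all”: a subscription-wide wipe would also remove assignments made by a central security team, which is rarely what a release pipeline should do. Mode Indexed restricts evaluation to resource types that support tags and location, which is what you want for a location rule.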

Now let’s take a look at the portal to see if these policies got applied… 😉


Smoke Test!

Now let’s see if this works… I’ve started the deployment of a storage account in Southeast Asia. As you might remember, we configured our policy to only allow North & West Europe…

And that one failed! When we look at why it failed, it shows that this is due to the policy we set (the deployment error code is RequestDisallowedByPolicy). 😉
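The same smoke test can run as the last step of the release, so that a policy which was deployed but is not actually effective fails the pipeline instead of being found later. The script below is an added example, my own code and not part of the post, assuming the Az module, an authenticated session, and an existing resource group (placeholder name) in an allowed region. It attempts one deployment per rule that must be denied, plus a compliant control case that confirms the test itself works; note that the control case really creates and then deletes a storage account.

```powershell
# Added example, not the post's own scripts. Assumes the Az module and an authenticated
# session; the resource group is a placeholder and must already exist in an allowed region.
param(
    [string] $ResourceGroup = 'rg-policy-smoketest'
)
$ErrorActionPreference = 'Stop'

# Attempt a storage account deployment. Returns $true when ARM refused it with
# RequestDisallowedByPolicy, $false when it went through (the account is then removed).
function Test-DeploymentDenied {
    param([string] $Location, [string] $Sku)

    # Storage account names: 3-24 lowercase alphanumerics, globally unique.
    $name = 'smk' + (Get-Random -Maximum 999999999)
    try {
        New-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $name `
            -Location $Location -SkuName $Sku -ErrorAction Stop | Out-Null
    }
    catch {
        # Any other failure (quota, auth, missing RG, ...) is not a policy verdict: surface it.
        if ($_.Exception.Message -notmatch 'RequestDisallowedByPolicy') { throw }
        return $true
    }
    Remove-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $name -Force
    return $false
}

# Each denied case violates exactly one of the two rules; the compliant case is the control.
$cases = @(
    @{ Location = 'southeastasia'; Sku = 'Standard_LRS';   ExpectDenied = $true  }  # wrong region
    @{ Location = 'westeurope';    Sku = 'Standard_RAGRS'; ExpectDenied = $true  }  # wrong SKU
    @{ Location = 'westeurope';    Sku = 'Standard_LRS';   ExpectDenied = $false }  # compliant
)

$failed = 0
foreach ($c in $cases) {
    $denied = Test-DeploymentDenied -Location $c.Location -Sku $c.Sku
    $ok     = ($denied -eq $c.ExpectDenied)
    if (-not $ok) { $failed++ }
    $tag = if ($ok) { 'PASS' } else { 'FAIL' }
    Write-Host ("{0}: {1} / {2} -> denied={3}" -f $tag, $c.Location, $c.Sku, $denied)
}
# A terminating error makes the release step fail.
if ($failed) { throw "$failed policy smoke test(s) failed" }
```

Matching on RequestDisallowedByPolicy matters: a deployment that fails for another reason (no quota in the region, a typo in the resource group) would otherwise be counted as a successful deny and hide a policy that is not enforced at all.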


Closing Thoughts

Setting policies & tags is crucial to governance in the cloud, but this is not a process you want to do manually. That would work fine if you have a limited set of resources, but then again, you probably would not need a complex governance structure for that anyway! Is there one single truth on how to automate this? No. I’ve used Visual Studio Team Services for this, whereas your organization might want to leverage an existing platform. You are free to choose whatever you want on that part! The policy templates can be set via the REST API, PowerShell or the Azure CLI, which I guess provides you with ample possibilities for integration. 😉


In the end, you want a smooth, automated integration that gives you the overview you need of your compliance!
