Azure Policy

Use Azure Policy to automate agent deployments and tagging for your Azure Arc Virtual Machines.



Azure Policy helps to enforce organizational standards and to assess compliance at-scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to the per-resource, per-policy granularity.

In the previous challenges, you connected resources to Azure using Azure Arc. Azure Arc virtual machines can be governed by Azure Policy to gain insight into the current compliance state of resources as well as to perform tasks at scale, such as onboarding the virtual machines into Azure Monitor or triggering your own custom scripts using extensions.

In this challenge you will explore using Azure Policy to set up your resource group ready for the next challenge where we’ll onboard multiple on prem servers.


  • Add the following tags to the arc-hack resource group.
    Tag Value
    platform private cloud
    datacentre citadel

Don’t apply any policies for the arc-hack-resources resource group. In fact, try to pretent it doesn’t exist!

Policy - Tags

Tagging on resources is useful for filtering resources, and that is even more important when working at scale.

Let’s use tagging policies to auto-tag the Azure Arc VMs as we onboard multiple VMs in the next challenge.

  • Assign an Azure Policy to inherit the platform and datacentre tags from the resource group

No need to remediate the tagging on the existing resources. We’ll remediate in the next challenge.

Log Analytics

We’ll set up a workspace for Azure Policy to use and configure it to be ready for the scale onboarding.

  • Create a Log Analytics workspace in the arc-hack resource group
  • Configure to collect event and performance data from virtual machines
    • You can configure before you’ve connected VMs
    • System events from the Windows Event Log and syslog from linux
    • Recommended performance counters
    • Ignore events unless they are warning or higher severity level

Policy - Monitor Extensions

Azure Policy is very useful for automatically deploying agents and extensions using the Deploy If Not Exists effect. Well configure an assignment, linked to the workspace you’ve just created, so that newly created Azure Arc VMs will get their Log Analytics and Dependency agents automatically installed.

Policy Initiative

Assign policy at the arc-hack resource group scope to:

  • Deploy the Log Analytics agent to the Azure Arc virtual machines
  • Deploy the Dependency agent to the Azure Arc virtual machines
  • Using the Log Analytics workspace you’ve just created
  • In the remediation tab, specify the region for the identity to be UK South

Hint_: Check the initiatives in the Monitor category.

Assigning a Deploy If Not Exists policy creates an identity for the deployment. Check the policy assignment and you’ll see the managed identity tab and the identity’s role assignments.

Policy evaluation

Policy evaluations are usually triggered within 30 minutes of policy assignment. There are other triggers for an evaluation, as per the links at the bottom of the page. You can also trigger one manually. We’ll do that now so that your Azure Arc VMs, the ones you manually onboarded, are evaluated against your new policies.

  • Trigger a policy evaluation manually

    az policy state trigger-scan --resource-group arc-hack

It can take a while for the VMs to show as non-compliant so feel free to move to the success criteria and onto the next challenge. (We’ll remediate in the next challenge.)

Success criteria

Screen share with your proctor to show that you achieved:

  1. The Log Analytic workspace exists and is configured
  2. The workspace is automatically tagged with the resource group’s tags
  3. The Monitor for VMs policy initiative is assigned and linked to the workspace
  4. The additional RBAC assignment is in place for the policy’s identity


Help us improve

Azure Citadel is a community site built on GitHub, please contribute and send a pull request

Make a change