Azure Citadel

Table of Contents

  • Introduction
  • Using Policy from the portal
  • Testing the Deny policy
  • Finishing up

Policy Basics in the Azure Portal

Use a simple policy to stipulate the permitted regions for your deployed resources.

Introduction

Most organizations don’t want users creating Azure resources in just any region. In this lab we’ll assign a built-in policy so that resources can only be created in the UK (UK South and UK West).

Using Policy from the portal

  1. Open the Azure Portal and create a resource group called PolicyLab

  2. Launch Azure Policy

    You may also want to favourite it by selecting All Services, searching for Policy and clicking the star

  3. Select Definitions on the left side of the Azure Policy page

    Definitions are effectively the restrictions you want to impose. You can use the built-in policies, duplicate and edit them, or create your own from the various templates available, such as those on GitHub.

  4. In the search text box, type “location” and open up the “Allowed Locations” definition

    Figure 1: Policy Definition

    You can see the definition is JSON: it takes a list of allowed locations as a parameter and denies any resource whose location is not in that list (resources with a location of "global" are exempt). You could duplicate this definition and add more checks if needed, but we’ll just assign it.

  5. Click Assign

    Figure 2: Policy Definition - Allowed Locations

    For more details on the policy definition structure, see the Azure Policy definition structure documentation.

  6. When assigning a policy, we first have to choose the scope, at either:

    • Management Group
    • Subscription
    • Resource Group

    You can think of management groups as a folder hierarchy where subscriptions can be organised.

    Figure 3: Management Group

    The scope chosen will take effect on all child resources below it, but you can add exclusions if needed.

  7. In the Basics section you can change the assignment name and add a description

    A description is strongly recommended once you have a lot of policy assignments.

  8. In the Parameters section choose the allowed locations of UK South and UK West

    As this is a Deny policy there is no need for a managed identity; one is only required for effects that change or create resources (DeployIfNotExists and Modify), which we’ll get to in a later lab.

  9. Click Assign.

    Figure 4: Assigning Allowed Locations Definition

Testing the Deny policy

  1. Now test creating a resource (for example a VM) in the PolicyLab resource group with a location outside the UK. The deployment should fail validation with a RequestDisallowedByPolicy error that names the Allowed Locations assignment

    Figure 5: VM deployment failure to non-UK location

  2. Now test creating a resource in the PolicyLab resource group with a location inside the UK; the resource should be deployed as normal

    Figure 7: VM deployment success to UK location
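The assignment made above and the deny test can be reproduced locally, which makes it clearer what the portal is actually checking. The following is an added example written for this page (Python, not code from the lab or from Azure Policy itself): it evaluates the Allowed Locations rule against a few constructed resources. The rule is my reconstruction of the built-in definition from memory, so compare it with the JSON the portal shows in step 4; the subscription id, the resource ids and the location normalisation in `_norm` are assumptions for the evaluator.

```python
"""Local evaluator for the Allowed locations deny rule (added example, not lab or Azure code).
The rule is reconstructed from the built-in definition as I recall it (compare with the JSON
in the portal); the subscription id and the resources are constructed samples."""
import re

# Deny any resource whose location is outside the parameter list, except
# resources with location "global" and Azure AD B2C directories.
ALLOWED_LOCATIONS_RULE = {
    "if": {"allOf": [
        {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
        {"field": "location", "notEquals": "global"},
        {"field": "type", "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"},
    ]},
    "then": {"effect": "deny"},
}

_PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")

def _resolve(value, params):
    """Replace a [parameters('name')] reference with the assigned value."""
    match = _PARAM_REF.match(value) if isinstance(value, str) else None
    return params[match.group(1)] if match else value

def _norm(value):
    """Policy string comparisons are case-insensitive and the portal stores 'UK South'
    as 'uksouth', so compare lower-cased without whitespace (evaluator assumption)."""
    return re.sub(r"\s+", "", str(value)).lower()

def _condition(cond, resource, params):
    """Evaluate a condition node; only the operators this rule uses are implemented."""
    if "allOf" in cond:
        return all(_condition(c, resource, params) for c in cond["allOf"])
    actual = _norm(resource.get(cond["field"], ""))
    if "notEquals" in cond:
        return actual != _norm(_resolve(cond["notEquals"], params))
    if "notIn" in cond:
        return actual not in {_norm(v) for v in _resolve(cond["notIn"], params)}
    raise ValueError(f"unsupported condition: {cond}")

def _covers(prefix, resource_id):
    """Scope match on whole path segments so .../PolicyLab does not cover .../PolicyLab2."""
    prefix, rid = prefix.lower(), resource_id.lower()
    return rid == prefix or rid.startswith(prefix + "/")

def in_scope(resource_id, scope, not_scopes=()):
    """An assignment covers its scope and everything below it, minus exclusions (notScopes)."""
    return _covers(scope, resource_id) and not any(_covers(ns, resource_id) for ns in not_scopes)

def evaluate(resource, assignment, rule=ALLOWED_LOCATIONS_RULE):
    """'deny' when the rule fires, 'allow' when it does not, 'not evaluated' if out of scope."""
    if not in_scope(resource["id"], assignment["scope"], assignment.get("notScopes", ())):
        return "not evaluated"
    return rule["then"]["effect"] if _condition(rule["if"], resource, assignment["parameters"]) else "allow"

# The assignment made in this lab: PolicyLab resource group, UK South and UK West.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription id
LAB_ASSIGNMENT = {
    "scope": f"{SUB}/resourceGroups/PolicyLab",
    "parameters": {"listOfAllowedLocations": ["uksouth", "ukwest"]},
}

def _res(rg, rtype, name, location):
    return {"id": f"{SUB}/resourceGroups/{rg}/providers/{rtype}/{name}", "type": rtype, "location": location}

# Constructed samples covering the interesting cases.
SAMPLE_RESOURCES = [
    _res("PolicyLab", "Microsoft.Compute/virtualMachines", "vm1", "westeurope"),     # deny
    _res("PolicyLab", "Microsoft.Storage/storageAccounts", "stlab", "UK South"),      # allow
    _res("PolicyLab", "Microsoft.Network/trafficManagerProfiles", "tm1", "global"),   # allow: global is exempt
    _res("PolicyLab2", "Microsoft.Compute/virtualMachines", "vm2", "westeurope"),    # outside the scope
]

def report(resources=SAMPLE_RESOURCES, assignment=LAB_ASSIGNMENT):
    """Map each resource name to its verdict under the assignment."""
    return {r["id"].rsplit("/", 1)[-1]: evaluate(r, assignment) for r in resources}

if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:6} {verdict}")
```

Running it, vm1 in West Europe is denied while the UK South storage account and the global Traffic Manager profile are allowed; vm2 sits in a different resource group, so the assignment never evaluates it, which is the scope behaviour from step 6. Adding its id to `notScopes` on the assignment shows how an exclusion removes a resource from evaluation in the same way. Azure Policy performs this check on the request itself, so the deny arrives before anything is created.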

Finishing up

That concludes this lab, where we’ve learnt about applying a policy from the Azure portal. The resources you’ve created will be used in the next lab so don’t delete them yet.

Next we’ll tackle another common requirement, specifying which VM SKUs are allowed to be deployed. We’ll start to automate policy creation too.
