- Ensure resources are compliant with a set of rules.
- Manage your policies in a centralized location where you can track their compliance status and verify the non-compliant resources.
- Select between built-in policies and custom policies.
- Implement proper guardrails and assess compliance across the organization.
- Policy vs. RBAC
- A policy maintains compliance with the resource state, while RBAC focuses on controlling user actions at different scopes.
- Even if the user has permission to perform an action, if the result would be a non-compliant resource, the policy still blocks the create or update operation.
- JSON format is used to create a policy.
- The resource provider handles the evaluation and outcome of the request, and the results are reported back to Azure Policy.
- Policy order of evaluation: Disabled, Append/Modify, Deny, and Audit.
- Azure Policy effects:
  - Append – adds additional fields to the requested resource.
  - Audit – logs a warning event for a non-compliant resource.
  - AuditIfNotExists – audits the resource when the condition is met.
  - Deny – prevents the request before it is sent to the Resource Provider.
  - DeployIfNotExists – if the condition is met, allows you to execute a template deployment.
  - Disabled – allows you to disable a single assignment, rather than disabling all assignments under that policy.
  - Modify – manages tags of resources.
- Policy assignments determine which resources (the scope) a policy applies to.
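As an added example (not from the original notes), this is a custom policy definition in the JSON format described above. It uses a parameter so the same definition can be assigned with the Audit, Deny, or Disabled effect from the list above; the resource type and the `allowBlobPublicAccess` alias are real Azure aliases, while the display name and description are made up for this example. The `not`/`equals` form is used so that a storage account whose `allowBlobPublicAccess` property is simply absent is also treated as non-compliant.

```json
{
  "properties": {
    "displayName": "Example: storage accounts must not allow public blob access",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Added example definition. Audits or denies storage accounts that permit anonymous public access to blobs, depending on the chosen effect.",
    "parameters": {
      "effect": {
        "type": "String",
        "allowedValues": ["Audit", "Deny", "Disabled"],
        "defaultValue": "Deny",
        "metadata": {
          "displayName": "Effect",
          "description": "Audit only reports non-compliance; Deny blocks the create or update request before it reaches the resource provider; Disabled turns off this assignment."
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "not": {
              "field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess",
              "equals": "false"
            }
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Assigning this definition with `effect` set to Audit first shows which existing accounts are non-compliant in the compliance view; switching the assignment to Deny then blocks new or updated accounts that would violate it, while existing ones stay flagged rather than being changed.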
Azure Policy vs Azure Role-Based Access Control (RBAC):