Skip to content

Az Lab 02a Management groups (policy and initiative definition)

Last updated on March 18, 2023

AZ-104-MicrosoftAzureAdministrator/ at master · MicrosoftLearning/AZ-104-MicrosoftAzureAdministrator · GitHub

Implemented Management Groups
Created custom RBAC roles
Assigned RBAC roles

What are Azure management groups?

Organize your resources with management groups – Azure Governance – Azure governance | Microsoft Learn

If your organization has many Azure subscriptions, you may need a way to efficiently manage access, policies, and compliance for those subscriptions. Management groups provide a governance scope above subscriptions. You organize subscriptions into management groups; the governance conditions you apply cascade by inheritance to all associated subscriptions.

Management groups give you enterprise-grade management at scale no matter what type of subscriptions you might have. However, all subscriptions within a single management group must trust the same Azure Active Directory (Azure AD) tenant.

For example, you can apply policies to a management group that limits the regions available for virtual machine (VM) creation. This policy would be applied to all nested management groups, subscriptions, and resources, and allow VM creation only in authorized regions.

Lets do that


Create policy

Tutorial: Build policies to enforce compliance – Azure Policy | Microsoft Learn

You can customize a lot, here it is just a basic policy

Created below

Now the policy is 100% since it has not run yet, it takes some time, all rgs are missing the

tag Hello

value World, so all should be non compliant.

Now non are compliant, correct.

Create new rg

And result:

Update rg

Lets add Tag:Environment and Value:Qa

And the result

Assign a policy to enforce a condition for resources you create in the future


Now that you’ve assigned a built-in policy definition, you can do more with Azure Policy. Next, create a new custom policy.

Create and assign an initiative definition to track compliance for multiple resources (Not done here, just for show)

With an initiative definition, you can group several policy definitions to achieve one overarching goal. An initiative evaluates resources within scope of the assignment for compliance to the included policies.

Select + Initiative Definition at the top of the page to open the Initiative definition wizard.

When it is refreshed?

Azure Policy evaluates resource compliance automatically every 24 hours for already assigned policies or initiatives. New policy or initiative assignments start the evaluation after the assignment has been applied to the defined scope which might take up to 30 minutes.

Get policy compliance data – Azure Policy | Microsoft Learn

On-demand evaluation scan – Azure PowerShell
The compliance scan is started with the Start-AzPolicyComplianceScan cmdlet.

$job = Start-AzPolicyComplianceScan -AsJob

# view job status

Id Name PSJobTypeName State HasMoreData Location Command — —- ————- —– ———– ——– ——- 2 Long Running O… AzureLongRunni… Running True localhost Start-AzPolicyCompliance…

When the job is done, the compliance is updated.

Correct, 4 rg are missing the specified tags


Published inazurelab