Last updated on March 18, 2023
Implemented Management Groups
Created custom RBAC roles
Assigned RBAC roles
What are Azure management groups?
If your organization has many Azure subscriptions, you may need a way to efficiently manage access, policies, and compliance for those subscriptions. Management groups provide a governance scope above subscriptions. You organize subscriptions into management groups; the governance conditions you apply cascade by inheritance to all associated subscriptions.
Management groups give you enterprise-grade management at scale no matter what type of subscriptions you might have. However, all subscriptions within a single management group must trust the same Azure Active Directory (Azure AD) tenant.
For example, you can apply policies to a management group that limits the regions available for virtual machine (VM) creation. This policy would be applied to all nested management groups, subscriptions, and resources, and allow VM creation only in authorized regions.
Let's do that.
You can customize a lot; here it is just a basic policy.
Right after assignment the policy shows 100% because it has not evaluated anything yet; the first evaluation takes some time. All resource groups are missing the value World, so all of them should end up non-compliant.
Now none are compliant, which is correct.
Create a new resource group.
Let's add Tag: Environment and Value: Qa.
And the result:
Assign a policy to enforce a condition for resources you create in the future
Now that you’ve assigned a built-in policy definition, you can do more with Azure Policy. Next, create a new custom policy.
Create and assign an initiative definition to track compliance for multiple resources (Not done here, just for show)
With an initiative definition, you can group several policy definitions to achieve one overarching goal. An initiative evaluates resources within scope of the assignment for compliance to the included policies.
Select + Initiative Definition at the top of the page to open the Initiative definition wizard.
When is it refreshed?
Azure Policy evaluates resource compliance automatically every 24 hours for already assigned policies or initiatives. New policy or initiative assignments start the evaluation after the assignment has been applied to the defined scope, which might take up to 30 minutes.
On-demand evaluation scan – Azure PowerShell
The compliance scan is started with the Start-AzPolicyComplianceScan cmdlet.
$job = Start-AzPolicyComplianceScan -AsJob
# view job status
$job

Id Name              PSJobTypeName     State   HasMoreData Location  Command
-- ----              -------------     -----   ----------- --------  -------
2  Long Running O... AzureLongRunni... Running True        localhost Start-AzPolicyCompliance...
When the job is done, the compliance is updated.
Correct, 4 resource groups are missing the specified tags.
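The whole walkthrough above (a basic tag policy on resource groups, assigned at a management group, then an on-demand scan and a look at what is non-compliant) as one Az PowerShell script. This is an added example, not the post's own commands; the management group name, the policy names and the tag name Environment are assumptions, and the effect is Audit so it only reports, as in the post, rather than blocking deployments.

```powershell
# Assumed names; replace with your own management group and naming convention.
$mgName        = 'mg-landingzone'      # management group that the subscriptions sit under
$policyName    = 'require-environment-tag-on-rg'
$tagName       = 'Environment'

# Policy rule: resource groups without the tag are flagged (Audit effect = report only).
$rule = @"
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups" },
      { "field": "tags['$tagName']", "exists": "false" }
    ]
  },
  "then": { "effect": "audit" }
}
"@

# Mode 'All' is required for the rule to evaluate resource groups, not only resources.
$definition = New-AzPolicyDefinition -Name $policyName `
    -DisplayName "Require tag '$tagName' on resource groups" `
    -Mode All -Policy $rule

# Assign at the management group so every subscription below it inherits the policy.
$mg = Get-AzManagementGroup -GroupName $mgName
New-AzPolicyAssignment -Name $policyName -PolicyDefinition $definition -Scope $mg.Id

# The first evaluation after assignment can take up to 30 minutes; trigger it now
# for the subscription in the current context instead of waiting.
$job = Start-AzPolicyComplianceScan -AsJob
$job | Wait-Job | Out-Null

# List the resource groups that still lack the tag.
Get-AzPolicyState -PolicyAssignmentName $policyName `
    -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, ComplianceState, Timestamp
```

Start-AzPolicyComplianceScan runs against the subscription selected with Set-AzContext, so repeat the last two steps per subscription if the management group contains several.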