Azure Policy definitions effect basics
Each policy definition in Azure Policy has a single effect
in its policyRule
. That effect
determines what happens when the policy rule is evaluated to match. The effects behave differently if they are for a new resource, an updated resource, or an existing resource.
The following are the supported Azure Policy definition effects:
- addToNetworkGroup
- append
- audit
- auditIfNotExists
- deny
- denyAction
- deployIfNotExists
- disabled
- manual
- modify
- mutate
Interchanging effects
Sometimes multiple effects can be valid for a given policy definition. Parameters are often used to specify allowed effect values (allowedValues
) so that a single definition can be more versatile during assignment. However, it's important to note that not all effects are interchangeable. Resource properties and logic in the policy rule can determine whether a certain effect is considered valid to the policy definition. For example, policy definitions with effect auditIfNotExists
require other details in the policy rule that aren't required for policies with effect audit
. The effects also behave differently. audit
policies assess a resource's compliance based on its own properties, while auditIfNotExists
policies assess a resource's compliance based on a child or extension resource's properties.
The following list is some general guidance around interchangeable effects:
audit
,deny
, and eithermodify
orappend
are often interchangeable.auditIfNotExists
anddeployIfNotExists
are often interchangeable.manual
isn't interchangeable.disabled
is interchangeable with any effect.
Order of evaluation
Azure Policy's first evaluation is for requests to create or update a resource. Azure Policy creates a list of all assignments that apply to the resource and then evaluates the resource against each definition. For a Resource Manager mode, Azure Policy processes several of the effects before handing the request to the appropriate Resource Provider. This order prevents unnecessary processing by a Resource Provider when a resource doesn't meet the designed governance controls of Azure Policy. With a Resource Provider mode, the Resource Provider manages the evaluation and outcome and reports the results back to Azure Policy.
disabled
is checked first to determine whether the policy rule should be evaluated.append
andmodify
are then evaluated. Since either could alter the request, a change made might prevent an audit or deny effect from triggering. These effects are only available with a Resource Manager mode.deny
is then evaluated. By evaluating deny before audit, double logging of an undesired resource is prevented.audit
is evaluated.manual
is evaluated.auditIfNotExists
is evaluated.denyAction
is evaluated last.
After the Resource Provider returns a success code on a Resource Manager mode request, auditIfNotExists
and deployIfNotExists
evaluate to determine whether more compliance logging or action is required.
PATCH
requests that only modify tags
related fields restricts policy evaluation to policies containing conditions that inspect tags
related fields.
Layering policy definitions
Several assignments can affect a resource. These assignments might be at the same scope or at different scopes. Each of these assignments is also likely to have a different effect defined. The condition and effect for each policy is independently evaluated. For example:
- Policy 1
- Restricts resource location to
westus
- Assigned to subscription A
- Deny effect
- Restricts resource location to
- Policy 2
- Restricts resource location to
eastus
- Assigned to resource group B in subscription A
- Audit effect
- Restricts resource location to
This setup would result in the following outcome:
- Any resource already in resource group B in
eastus
is compliant to policy 2 and non-compliant to policy 1 - Any resource already in resource group B not in
eastus
is non-compliant to policy 2 and non-compliant to policy 1 if not inwestus
- Policy 1 denies any new resource in subscription A not in
westus
- Any new resource in subscription A and resource group B in
westus
is created and non-compliant on policy 2
If both policy 1 and policy 2 had effect of deny, the situation changes to:
- Any resource already in resource group B not in
eastus
is non-compliant to policy 2 - Any resource already in resource group B not in
westus
is non-compliant to policy 1 - Policy 1 denies any new resource in subscription A not in
westus
- Any new resource in resource group B of subscription A is denied
Each assignment is individually evaluated. As such, there isn't an opportunity for a resource to slip through a gap from differences in scope. The net result of layering policy definitions is considered to be cumulative most restrictive. As an example, if both policy 1 and 2 had a deny
effect, a resource would be blocked by the overlapping and conflicting policy definitions. If you still need the resource to be created in the target scope, review the exclusions on each assignment to validate the right policy assignments are affecting the right scopes.
Next steps
- Review examples at Azure Policy samples.
- Review the Azure Policy definition structure.
- Understand how to programmatically create policies.
- Learn how to get compliance data.
- Learn how to remediate non-compliant resources.
- Review Azure management groups.
Feedback
https://aka.ms/ContentUserFeedback.
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see:Submit and view feedback for