Azure Policy and Management Groups

Management Groups

If your organization has several Azure subscriptions, you need a scalable way to manage access, policies, and compliance. Azure management groups provide a level of scope above subscriptions. You organize subscriptions into containers (management groups) and apply governance controls at that level.

Management groups enable:

  • Organizational alignment for Azure subscriptions using custom hierarchies and groupings
  • Targeting of policies and budgets across subscriptions with inheritance through the hierarchy
  • Compliance and cost reporting aligned to business units or teams

All subscriptions within a management group automatically inherit the conditions applied to that group. For example, you can apply a policy at the management group level that restricts where virtual machines (VMs) can be created. That policy then applies to all subscriptions, resource groups, and resources under that management group. Role assignments inherit the same way: Owner granted at a management group is Owner on every subscription beneath it, so grant roles at the narrowest management group that covers the need. Every directory has a single root management group above all others, and the hierarchy beneath it can be up to six levels deep (not counting the root or the subscriptions).

Creating Management Groups

You can create management groups using:

  • Azure portal
  • PowerShell (New-AzManagementGroup)
  • Azure CLI (az account management-group create)
  • REST API
  • ARM templates or Bicep, deployed at tenant scope with the Microsoft.Management/managementGroups resource type

Older material states that Resource Manager templates cannot create management groups; that is no longer the case, but the deployment must target the tenant scope rather than a subscription or resource group.

Key properties:

  • Management Group ID: A directory-unique identifier used by Azure to reference the group. It appears in the group's resource ID and in every policy and role-assignment scope that targets the group, and it cannot be changed after creation, so settle on a naming scheme before building the hierarchy.
  • Display Name: The name shown in the Azure portal. This can be changed at any time.

Note: by default any user in the directory can create management groups under the root. Enabling the "Require permissions for creating new management groups" hierarchy setting on the root group limits creation to principals that hold management group write permission on the intended parent, which stops the governance tree from being reshaped by arbitrary users.
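As an added example (not from the original course notes), the following Az PowerShell script builds a small hierarchy under the tenant root group, moves a subscription into it, renames a display name, and shows that a role assignment made at a management group is inherited by the subscriptions beneath it. It assumes the Az.Resources module is installed, Connect-AzAccount has been run, and the caller holds Management Group Contributor on the tenant root group; every group ID, display name, subscription ID and principal object ID below is hypothetical.

```powershell
# Added example, not from the original course notes. Assumes the Az.Resources module,
# an authenticated session (Connect-AzAccount) and Management Group Contributor on the
# tenant root group. All group IDs, display names, subscription and principal IDs are hypothetical.

# The tenant root group's ID is the tenant ID; everything else hangs below it.
$tenantId = (Get-AzContext).Tenant.Id
$rootId   = "/providers/Microsoft.Management/managementGroups/$tenantId"

# Group IDs are immutable and must be unique in the directory, so choose them deliberately;
# display names can be changed later with Update-AzManagementGroup.
$corp = New-AzManagementGroup -GroupName 'contoso-corp' -DisplayName 'Contoso' -ParentId $rootId

# Second level: platform services and application landing zones.
$platform = New-AzManagementGroup -GroupName 'contoso-platform' -DisplayName 'Platform'      -ParentObject $corp
$lz       = New-AzManagementGroup -GroupName 'contoso-lz'       -DisplayName 'Landing Zones' -ParentObject $corp

# Third level: prod and non-prod, so stricter policy can be targeted at prod only.
# The tree supports at most six levels below the root, not counting subscriptions.
$prod    = New-AzManagementGroup -GroupName 'contoso-lz-prod'    -DisplayName 'Production'     -ParentObject $lz
$nonProd = New-AzManagementGroup -GroupName 'contoso-lz-nonprod' -DisplayName 'Non-production' -ParentObject $lz

# Place a subscription (hypothetical ID) under the production group. A subscription belongs
# to exactly one management group, so this call moves it from its current parent; moving
# also requires write permission on the source and target groups and Owner on the subscription.
$subId = '00000000-0000-0000-0000-000000000000'
New-AzManagementGroupSubscription -GroupName $prod.Name -SubscriptionId $subId

# Rename a display name without touching the ID.
Update-AzManagementGroup -GroupName $nonProd.Name -DisplayName 'Non-production (sandbox and test)'

# Role assignments inherit down the tree exactly as policy does: Reader granted here is
# effective on every subscription under 'contoso-lz', so assign at the narrowest scope that works.
$auditorsGroupObjectId = '11111111-1111-1111-1111-111111111111'   # hypothetical Entra ID group
New-AzRoleAssignment -ObjectId $auditorsGroupObjectId -RoleDefinitionName 'Reader' -Scope $lz.Id

# Show the resulting tree and confirm the inherited assignment is visible at subscription scope.
Get-AzManagementGroup -GroupName $corp.Name -Expand -Recurse
Get-AzRoleAssignment -Scope "/subscriptions/$subId" -RoleDefinitionName 'Reader' |
    Select-Object DisplayName, Scope, RoleDefinitionName
```

The last Get-AzRoleAssignment call lists assignments that apply at the subscription, including those inherited from parent management groups, which is the quickest way to audit who has reached a subscription through the hierarchy rather than through a direct assignment.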

Azure Policy

Azure Policy is a service that allows you to create, assign, and manage policies that enforce rules on Azure resources. Policies help ensure resources remain compliant with corporate standards, security requirements, and service-level agreements.

Azure Policy evaluates resources when they are created or updated, on a recurring schedule, and on demand, and records those that are non-compliant. For policies with the deny effect the evaluation happens inside the Resource Manager request, so a non-compliant request is rejected before the resource exists.

Key Advantages

  • Enforcement and compliance
    • Built-in and custom policies for many resource types
    • Real-time and periodic policy evaluation
  • Scale
    • Apply policies at management group, subscription, or resource group scope
    • Combine multiple policies into a single initiative
    • Define exclusions when needed
  • Remediation
    • Automatic remediation for policies that use the deployIfNotExists or modify effects (new or updated resources are corrected at deployment time)
    • Remediation tasks for existing, non-compliant resources (audit and deny findings cannot be remediated by a task; the resource itself must be changed)

Azure Policy is especially important when governing:

  • Multiple engineering teams
  • Multiple subscriptions
  • Standardized configurations
  • Regulatory compliance, cost control, security, or design consistency

Common Azure Policy Use Cases

  • Restrict which resource types can be deployed
  • Limit allowed virtual machine SKUs
  • Restrict deployment locations to meet geo-compliance requirements
  • Enforce required resource tags and values
  • Audit whether Azure Backup is enabled for all virtual machines

Implementing Azure Policy

1. Browse Policy Definitions

A policy definition specifies what to evaluate and what action to take when conditions are met. For example, a policy can prevent VM deployments that expose a public IP address.

Azure provides many built-in policy definitions, organized by category, including:

  • Allowed Virtual Machine SKUs
  • Allowed Locations

Custom policy definitions can be imported from the Azure Policy samples repository on GitHub or authored in JSON. A definition is a JSON document with an if/then rule plus optional parameters; most administrators start from a built-in or sample definition rather than writing one from scratch.

2. Create Initiative Definitions

An initiative definition is a collection of policy definitions designed to achieve a broader compliance goal, such as ensuring a branch office meets security standards.

Best practice: Create initiative definitions even when working with only a few policies.

Notes:

  • An initiative can contain up to 1,000 policy definitions (older course material cites a limit of 100); check the current Azure Policy limits before designing very large initiatives
  • Planning is important to keep initiatives organized and maintainable; give each member a policyDefinitionReferenceId and expose values as initiative-level parameters, so the same initiative can be assigned with different values at different scopes

3. Scope the Initiative

Assign the initiative to define where it is enforced:

  • Management group
  • Subscription
  • Resource group

Exclusions can be applied to specific resources, resource groups, or subscriptions.

4. Determine Compliance

Once assigned, Azure Policy evaluates the resources in scope at several points: shortly after an assignment is created or updated, whenever a resource in scope is created or updated, on a standard cycle once every 24 hours (not hourly), and on demand when you trigger a scan (Start-AzPolicyComplianceScan in PowerShell or az policy state trigger-scan in the Azure CLI). Resources are marked as:

  • Compliant
  • Non-compliant
  • Exempt (covered by a policy exemption)
  • Conflicting (two assignments with contradictory conditions apply to the resource)

Use the Compliance blade in Azure Policy to review:

  • Non-compliant initiatives
  • Non-compliant policies
  • Non-compliant resources
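The four steps above, carried out end to end in Az PowerShell as an added example that is not part of the original course notes: a custom definition for the public-IP case mentioned under step 1, an initiative that combines it with the built-in Allowed locations definition, an assignment at management group scope with an exclusion, and a compliance query. It assumes the Az.Resources module, an authenticated session, and Resource Policy Contributor on a management group named contoso-corp; the definition names, the subscription ID and the excluded resource group are hypothetical, and the only real identifier is the built-in Allowed locations definition ID. Cmdlet parameter names follow the Az.Resources policy cmdlets; newer module versions have reworked some of them, so check Get-Help if a parameter is not recognized.

```powershell
# Added example, not from the original course notes. Assumes Az.Resources, an authenticated
# session and Resource Policy Contributor on the management group 'contoso-corp'. All names,
# the subscription ID and the excluded resource group are hypothetical.
$mg      = 'contoso-corp'
$mgScope = "/providers/Microsoft.Management/managementGroups/$mg"

# 1. Custom definition: flag network interfaces that attach a public IP. The effect is a
#    parameter so the same definition can be rolled out as Audit first and switched to Deny.
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Network/networkInterfaces" },
      {
        "count": {
          "field": "Microsoft.Network/networkInterfaces/ipconfigurations[*]",
          "where": {
            "field": "Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id",
            "exists": "true"
          }
        },
        "greater": 0
      }
    ]
  },
  "then": { "effect": "[parameters('effect')]" }
}
'@
$ruleParams = @'
{
  "effect": {
    "type": "String",
    "allowedValues": [ "Audit", "Deny", "Disabled" ],
    "defaultValue": "Audit",
    "metadata": { "displayName": "Effect" }
  }
}
'@
New-AzPolicyDefinition -Name 'nic-no-public-ip' -DisplayName 'Network interfaces must not have public IPs' `
    -Policy $rule -Parameter $ruleParams -Mode Indexed -ManagementGroupName $mg
$nicPolicyId = "$mgScope/providers/Microsoft.Authorization/policyDefinitions/nic-no-public-ip"

# 2. Initiative: the custom rule plus the built-in 'Allowed locations' definition, with the
#    values surfaced as initiative-level parameters so each assignment can set its own.
$allowedLocationsId = '/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c'
$setDefinitions = @"
[
  { "policyDefinitionReferenceId": "nicPublicIp", "policyDefinitionId": "$nicPolicyId",
    "parameters": { "effect": { "value": "[parameters('nicEffect')]" } } },
  { "policyDefinitionReferenceId": "allowedLocations", "policyDefinitionId": "$allowedLocationsId",
    "parameters": { "listOfAllowedLocations": { "value": "[parameters('allowedLocations')]" } } }
]
"@
$setParams = @'
{
  "nicEffect":        { "type": "String", "allowedValues": [ "Audit", "Deny", "Disabled" ], "defaultValue": "Audit" },
  "allowedLocations": { "type": "Array",  "metadata": { "displayName": "Allowed locations", "strongType": "location" } }
}
'@
New-AzPolicySetDefinition -Name 'contoso-baseline' -DisplayName 'Contoso baseline' `
    -PolicyDefinition $setDefinitions -Parameter $setParams -ManagementGroupName $mg

# 3. Scope: assign at the management group so every subscription beneath inherits it, and
#    exclude one sandbox resource group with -NotScope. EnforcementMode Default means Deny
#    really blocks requests; DoNotEnforce evaluates compliance without blocking anything.
$initiative = Get-AzPolicySetDefinition -Id "$mgScope/providers/Microsoft.Authorization/policySetDefinitions/contoso-baseline"
$subId = '00000000-0000-0000-0000-000000000000'
New-AzPolicyAssignment -Name 'contoso-baseline' -DisplayName 'Contoso baseline' -Scope $mgScope `
    -PolicySetDefinition $initiative `
    -PolicyParameterObject @{ nicEffect = 'Deny'; allowedLocations = @('westeurope', 'northeurope') } `
    -NotScope "/subscriptions/$subId/resourceGroups/rg-sandbox" `
    -EnforcementMode Default

# 4. Compliance: the full cycle runs every 24 hours; start an on-demand scan of the current
#    subscription instead of waiting, then query results across the whole management group.
Start-AzPolicyComplianceScan
Get-AzPolicyStateSummary -ManagementGroupName $mg
Get-AzPolicyState -ManagementGroupName $mg -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, PolicyDefinitionName, PolicyDefinitionReferenceId, ComplianceState

# Remediation tasks (Start-AzPolicyRemediation) apply only to deployIfNotExists and modify
# effects; audit and deny findings like the ones above are cleared by changing the resource.
```

Rolling the custom definition out with the effect set to Audit, reviewing the non-compliant list, and only then re-assigning with Deny is the usual way to avoid breaking existing deployment pipelines; the parameterised effect is what makes that switch a parameter change rather than a new definition.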

Azure Policy Demonstration (High-Level Steps)

Assign a policy:

  1. Open the Azure portal
  2. Navigate to Policy
  3. Select Assignments
  4. Choose Assign policy
  5. Select the scope
  6. Choose a policy definition (for example, Allowed locations)
  7. Configure parameters
  8. Review and create

Create and assign an initiative:

  1. Go to Definitions
  2. Select + Initiative Definition
  3. Provide name, description, and category
  4. Add one or more policy definitions
  5. Save and assign the initiative

Review compliance and remediation:

  • Use the Compliance blade to review results
  • Use the Remediation blade to review or trigger remediation tasks; tasks exist only for deployIfNotExists and modify policies, and the task runs under the assignment's managed identity, which must hold the roles listed in the definition's roleDefinitionIds

Clean up:

  • Remove policy assignments
  • Delete initiative definitions when no longer needed