Azure Services

Kusto Query Language (KQL) for Azure Resource Graph

Azure Graph is a powerful tool provided by Microsoft to query data across all your Azure resources. It uses the Kusto Query Language (KQL), a read-only language similar to SQL, designed to query vast amounts of data in Azure services.

What is KQL?

KQL stands for Kusto Query Language. It's a request to process data and return results. The syntax is easy to read and author, making it ideal for data exploration and ad-hoc data mining tasks.

Using KQL with Azure Graph

Azure Graph allows you to use KQL to create complex queries that fetch information from your Azure resources. You can filter, sort, aggregate, and join data from different resources using KQL.

Here's an example of how you might use KQL to query Azure Graph:

Resources
| where type =~ 'microsoft.web/sites'
| project name, location, resourceGroup

This query retrieves all Azure Web Apps (websites) and projects their name, location, and resourceGroup.

Key Characteristics of KQL

1. Case Sensitivity: Unlike SQL, KQL is case-sensitive. So 'Name' and 'name' would be considered different identifiers.
2. Schema-Free: Kusto (Azure Data Explorer) doesn't require a fixed schema, allowing storage of diverse types of data.
3. Extensibility: While KQL has a wide array of functions, you can also create custom functions as per your needs.

Common Operators in KQL

• | : This operator creates a pipeline where the output of one command becomes the input of another.
• where : Filters rows based on specified conditions.
• summarize : Groups rows and calculates aggregate expressions.
• join : Combines rows from two tables based on a common column.
• project : Selects specific columns from the input.
• extend : Adds new columns to the input.
• order by : Sorts rows based on specified columns.

KQL Query Examples

1. List all Azure resources in a subscription

Resources

2. List all Azure resources in a resource group

Resources
| where resourceGroup == 'myResourceGroup'

3. List all Azure resources of a specific type

Resources
| where type =~ 'Microsoft.Compute/virtualMachines'

Pagination in KQL

KQL supports pagination using the limit and offset operators. You can use these operators to control the number of rows returned and skip a certain number of rows.

Resources
| limit 10
| offset 5

If you exceed payload limits, you can paginate Azure Resource Graph query results with powershell:

$kqlQuery = "policyResources | where type =~'Microsoft.Authorization/PolicySetDefinitions' or type =~'Microsoft.Authorization/PolicyDefinitions' | project definitionId = tolower(id), category = tostring(properties.metadata.category), definitionType = iff(type =~ 'Microsoft.Authorization/PolicysetDefinitions', 'initiative', 'policy'),PolicyDefinition=properties"

$batchSize = 5
$skipResult = 0

[System.Collections.Generic.List[string]]$kqlResult

while ($true) {

  if ($skipResult -gt 0) {
    $graphResult = Search-AzGraph -Query $kqlQuery -First $batchSize -SkipToken $graphResult.SkipToken
  }
  else {
    $graphResult = Search-AzGraph -Query $kqlQuery -First $batchSize
  }

  $kqlResult += $graphResult.data

  if ($graphResult.data.Count -lt $batchSize) {
    break;
  }
  $skipResult += $skipResult + $batchSize
}

Best Practices for Writing KQL Queries

1. Use project to Select Columns: Only select the columns you need to reduce the amount of data returned.
2. Use where to Filter Rows: Apply filters to reduce the number of rows processed.
3. Use summarize to Aggregate Data: Aggregate data to reduce the number of rows returned.
4. Use join to Combine Data: Combine data from different tables using the join operator.
5. Use order by to Sort Data: Sort data based on specific columns to make it easier to read.

Limitations of KQL

1. No DDL Operations: KQL doesn't support Data Definition Language (DDL) operations like creating tables or indexes.
2. No DML Operations: KQL doesn't support Data Manipulation Language (DML) operations like inserting, updating, or deleting data.
3. Limited Data Types: KQL has a limited set of data types compared to SQL.
4. No Transactions: KQL doesn't support transactions, so you can't group multiple operations into a single transaction.

Conclusion

KQL is a potent tool for querying large datasets in Azure. Its SQL-like syntax makes it accessible for anyone familiar with SQL, and its rich set of features makes it a flexible solution for a variety of data processing needs. Practice writing KQL queries to uncover valuable insights from your Azure resources!

References

• SQL to Kusto Query Language cheat sheet
• Demo for play

Cambio de nombres de los niveles de servicio de Microsoft Defender para Cloud

No es nuevo pero me gustaría recordar que Microsoft ha cambiado los nombres de los niveles de servicio de Microsoft Defender para Cloud. A continuación, se muestra una tabla con los nombres anteriores y los nuevos nombres de los niveles de servicio de Microsoft Defender para Cloud:

Azure Policy useful queries

Policy assignments and information about each of its respective definitions

// Policy assignments and information about each of its respective definitions
// Gets policy assignments in your environment with the respective assignment name,definition associated, category of definition (if applicable), as well as whether the definition type is an initiative or a single policy.

policyResources
| where type =~'Microsoft.Authorization/PolicyAssignments'
| project policyAssignmentId = tolower(tostring(id)), policyAssignmentDisplayName = tostring(properties.displayName), policyAssignmentDefinitionId = tolower(properties.policyDefinitionId)
| join kind=leftouter(
 policyResources
 | where type =~'Microsoft.Authorization/PolicySetDefinitions' or type =~'Microsoft.Authorization/PolicyDefinitions'
 | project definitionId = tolower(id), category = tostring(properties.metadata.category), definitionType = iff(type =~ 'Microsoft.Authorization/PolicysetDefinitions', 'initiative', 'policy')
) on $left.policyAssignmentDefinitionId == $right.definitionId

• Original Gist

List SubscriptionId and SubscriptionName

ResourceContainers
| where type =~ 'microsoft.resources/subscriptions'
| project subscriptionId, subscriptionName=name

List ManagementGroupId and ManagementGroupName

ResourceContainers
| where type =~ 'microsoft.management/managementgroups'
| project mgname = name, displayName = properties.displayName

Policy assignments and information about each of its respective definitions displaying the scope of the assignment, the subscription display name, the management group id, the resource group name, the definition type, the assignment name, the category of the definition, and the policy assignment ID.

policyResources
| where type =~'Microsoft.Authorization/PolicyAssignments'
| project policyAssignmentId = tolower(tostring(id)), policyAssignmentDisplayName = tostring(properties.displayName), policyAssignmentDefinitionId = tolower(properties.policyDefinitionId), subscriptionId = tostring(subscriptionId),resourceGroup=tostring(resourceGroup), AssignmentDefinition=properties
| join kind=leftouter(
    policyResources
    | where type =~'Microsoft.Authorization/PolicySetDefinitions' or type =~'Microsoft.Authorization/PolicyDefinitions'
    | project definitionId = tolower(id), category = tostring(properties.metadata.category), definitionType = iff(type =~ 'Microsoft.Authorization/PolicysetDefinitions', 'initiative', 'policy'),PolicyDefinition=properties
) on $left.policyAssignmentDefinitionId == $right.definitionId
| extend scope = iff(policyAssignmentId contains '/subscriptions/', 'Subscription', iff(policyAssignmentId contains '/providers/microsoft.management/managementgroups', 'Management Group', 'Resource Group'))
| join kind=leftouter (ResourceContainers
| where type =~ 'microsoft.resources/subscriptions'
| project subscriptionId, subscriptionName=name) on $left.subscriptionId == $right.subscriptionId
| extend SubscriptionDisplayName = iff(isnotempty(subscriptionId), subscriptionName, '')
| extend ManagementGroupName = iff(policyAssignmentId contains '/providers/microsoft.management/', split(policyAssignmentId, '/')[4],'')
| extend resourceGroupDisplayName = iff(isnotempty(resourceGroup), resourceGroup, '')
| project ManagementGroupName,SubscriptionDisplayName,resourceGroupDisplayName, scope,definitionType,policyAssignmentDisplayName, category,policyAssignmentId, AssignmentDefinition, PolicyDefinition

• Add Management Group Display Name

How to use Azue ARC-enabled servers with managed identity to access to Azure Storage Account

In this demo we will show how to use Azure ARC-enabled servers with managed identity to access to Azure Storage Account.

Prerequisites

• An Azure subscription. If you don't have an Azure subscription, create a free account before you begin.

Required permissions

You'll need the following Azure built-in roles for different aspects of managing connected machines:

• To onboard machines, you must have the Azure Connected Machine Onboarding or Contributor role for the resource group where you're managing the servers.
• To read, modify, and delete a machine, you must have the Azure Connected Machine Resource Administrator role for the resource group.
• To select a resource group from the drop-down list when using the Generate script method, you'll also need the Reader role for that resource group (or another role that includes Reader access).

Register Azure resource providers

To use Azure Arc-enabled servers with managed identity, you need to register the following resource providers:

az account set --subscription "{Your Subscription Name}"
az provider register --namespace 'Microsoft.HybridCompute'
az provider register --namespace 'Microsoft.GuestConfiguration'
az provider register --namespace 'Microsoft.HybridConnectivity'
az provider register --namespace 'Microsoft.AzureArcData'

Networking requirements

The Azure Connected Machine agent for Linux and Windows communicates outbound securely to Azure Arc over TCP port 443. In this demo, we have use Azure Private Link.

Azure ARC-enabled enabled server

We use Use Azure Private Link to securely connect networks to Azure Arc-enabled servers to achieve this.

Some tips:

• If you have any issue registerin de VM: generate a script to register a machine with Azure Arc following that instructions here

• If you have an error that says "Path C:\ProgramData\AzureConnectedMachineAgent\Log\himds.log is busy. Retrying..." you can use the following command to resolve it if you know that you are doing:

 (get-wmiobject -class win32_product | where {$_.name -like "Azure *"}).uninstall() 

$Env:PEname = "myprivatelink"
$Env:resourceGroup = "myResourceGroup"
$file = "C:\Windows\System32\drivers\etc\hosts"

$gisfqdn = (az network private-endpoint dns-zone-group list --endpoint-name $Env:PEname --resource-group $Env:resourceGroup -o json --query '[0].privateDnsZoneConfigs[0].recordSets[0].fqdn' -o json).replace('.privatelink','').replace("`"","")
$gisIP = (az network private-endpoint dns-zone-group list --endpoint-name $Env:PEname --resource-group $Env:resourceGroup -o json --query [0].privateDnsZoneConfigs[0].recordSets[0].ipAddresses[0] -o json).replace("`"","")
$hisfqdn = (az network private-endpoint dns-zone-group list --endpoint-name $Env:PEname --resource-group $Env:resourceGroup -o json --query [0].privateDnsZoneConfigs[0].recordSets[1].fqdn -o json).replace('.privatelink','').replace("`"","")
$hisIP = (az network private-endpoint dns-zone-group list --endpoint-name $Env:PEname --resource-group $Env:resourceGroup -o json --query [0].privateDnsZoneConfigs[0].recordSets[1].ipAddresses[0] -o json).replace('.privatelink','').replace("`"","")
$agentfqdn = (az network private-endpoint dns-zone-group list --endpoint-name $Env:PEname --resource-group $Env:resourceGroup -o json --query [0].privateDnsZoneConfigs[1].recordSets[0].fqdn -o json).replace('.privatelink','').replace("`"","")
$agentIp = (az network private-endpoint dns-zone-group list --endpoint-name $Env:PEname --resource-group $Env:resourceGroup -o json --query [0].privateDnsZoneConfigs[1].recordSets[0].ipAddresses[0] -o json).replace('.privatelink','').replace("`"","")
$gasfqdn = (az network private-endpoint dns-zone-group list --endpoint-name $Env:PEname --resource-group $Env:resourceGroup -o json --query [0].privateDnsZoneConfigs[1].recordSets[1].fqdn -o json).replace('.privatelink','').replace("`"","")
$gasIp = (az network private-endpoint dns-zone-group list --endpoint-name $Env:PEname --resource-group $Env:resourceGroup -o json --query [0].privateDnsZoneConfigs[1].recordSets[1].ipAddresses[0] -o json).replace('.privatelink','').replace("`"","")
$dpfqdn = (az network private-endpoint dns-zone-group list --endpoint-name $Env:PEname --resource-group $Env:resourceGroup -o json --query [0].privateDnsZoneConfigs[2].recordSets[0].fqdn -o json).replace('.privatelink','').replace("`"","")
$dpIp = (az network private-endpoint dns-zone-group list --endpoint-name $Env:PEname --resource-group $Env:resourceGroup -o json --query [0].privateDnsZoneConfigs[2].recordSets[0].ipAddresses[0] -o json).replace('.privatelink','').replace("`"","")

$hostfile += "$gisIP $gisfqdn"
$hostfile += "$hisIP $hisfqdn"
$hostfile += "$agentIP $agentfqdn"
$hostfile += "$gasIP $gasfqdn"
$hostfile += "$dpIP $dpfqdn"

Storage Account configuration

Create a Storage Account with static website enabled

$resourceGroup = "myResourceGroup"
$location = "eastus"
$storageAccount = "mystorageaccount"
$indexDocument = "index.html"
az group create --name $resourceGroup --location $location
az storage account create --name $storageAccount --resource-group $resourceGroup --location $location --sku Standard_LRS
az storage blob service-properties update --account-name $storageAccount --static-website --index-document $indexDocument

Add private endpoints to the storage accoun for blob and static website

$resourceGroup = "myResourceGroup"
$storageAccount = "mystorageaccount"
$privateEndpointName = "myprivatelink"
$location = "eastus"
$vnetName = "myVnet"
$subnetName = "mySubnet"
$subscriptionId = "{subscription-id}"
az network private-endpoint create --name $privateEndpointName --resource-group $resourceGroup --vnet-name $vnetName --subnet $subnetName --private-connection-resource-id "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Storage/storageAccounts/$storageAccount" --group-id blob --connection-name $privateEndpointName --location $location
az network private-endpoint create --name $privateEndpointName --resource-group $resourceGroup --vnet-name $vnetName --subnet $subnetName --private-connection-resource-id "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Storage/storageAccounts/$storageAccount" --group-id web --connection-name $privateEndpointName --location $location

Disable public access to the storage account except for your ip

$resourceGroup = "myResourceGroup"
$storageAccount = "mystorageaccount"
$ipAddress = "myIpAddress"
az storage account update --name $storageAccount --resource-group $resourceGroup --bypass "AzureServices,Logging,Metrics" --default-action Deny
az storage account network-rule add --account-name $storageAccount --resource-group $resourceGroup --ip-address $ipAddress

Assign the Storage Blob Data Contributor role to the managed identity of the Azure ARC-enabled server

$resourceGroup = "myResourceGroup"
$storageAccount = "mystorageaccount"
$serverName = "myserver"
$managedIdentity = az resource show --resource-group $resourceGroup --name $serverName --resource-type "Microsoft.HybridCompute/machines" --query "identity.principalId" --output tsv
az role assignment create --role "Storage Blob Data Contributor" --assignee-object-id $managedIdentity --scope "/subscriptions/{subscription-id}/resourceGroups/$resourceGroup/providers/Microsoft.Storage/storageAccounts/$storageAccount"

Download azcopy, install it and copy something to $web in the storage account

Download azcopy in the vm

Invoke-WebRequest -Uri "https://aka.ms/downloadazcopy-v10-windows" -OutFile AzCopy.zip

Expand-Archive AzCopy.zip -DestinationPath $env:ProgramFiles

$env:Path += ";$env:ProgramFiles\azcopy"

Copy something to $web in the storage account

$storageAccount = "mystorageaccount"
$source = "C:\Users\Public\Documents\myFile.txt"
$destination = "https://$storageAccount.blob.core.windows.net/\$web/myFile.txt"
azcopy login --identity
azcopy copy $source $destination

Now you can check the file in the static website of the storage account.

Azure ARC

Azure ARC is a service that extends Azure management capabilities to any infrastructure. It allows you to manage resources running on-premises, at the edge, or in multi-cloud environments using the same Azure management tools, security, and compliance policies that you use in Azure. Azure ARC enables you to manage and govern your resources consistently across all environments, providing a unified control plane for your hybrid cloud infrastructure. Let's explore how Azure ARC works and how you can leverage it to manage your resources effectively.

Azure ARC Overview

Azure ARC is a service that extends Azure management capabilities to any infrastructure. It allows you to manage resources running outside of Azure using the same Azure management tools, security, and compliance policies that you use in Azure. Azure ARC provides a unified control plane for managing resources across on-premises, multi-cloud, and edge environments, enabling you to govern your resources consistently.

Azure ARC enables you to:

• Manage resources: Azure ARC allows you to manage resources running on-premises, at the edge, or in multi-cloud environments using Azure management tools like Azure Policy, Azure Monitor, and Microsoft Defender for Cloud.
• Governance: Azure ARC provides a unified control plane for managing and governing resources across all environments, enabling you to enforce security and compliance policies consistently.
• Security: Azure ARC extends Azure security capabilities to resources running outside of Azure, enabling you to protect your resources with Azure security features like Azure Security Center and Azure Defender.
• Compliance: Azure ARC enables you to enforce compliance policies across all environments, ensuring that your resources meet regulatory requirements and organizational standards.

Azure ARC Components

Azure ARC consists of the following components:

• Azure ARC-enabled servers: Azure ARC-enabled servers allow you to manage and govern servers running on-premises or at the edge using Azure management tools. You can connect your servers to Azure ARC to manage them using Azure Policy, Azure Monitor, and Microsoft Defender for Cloud.
• Azure ARC-enabled Kubernetes clusters: Azure ARC-enabled Kubernetes clusters allow you to manage and govern Kubernetes clusters running on-premises or in other clouds using Azure management tools. You can connect your Kubernetes clusters to Azure ARC to manage them using Azure Policy, Azure Monitor, and Microsoft Defender for Cloud.
• Azure ARC-enabled data services: Azure ARC-enabled data services allow you to manage and govern data services running on-premises or in other clouds using Azure management tools. You can connect your data services to Azure ARC to manage them using Azure Policy, Azure Monitor, and Microsoft Defender for Cloud.
• SQL Server enabled by Azure Arc: SQL Server enabled by Azure Arc allows you to run SQL Server on any infrastructure using Azure management tools. You can connect your SQL Server instances to Azure ARC to manage them using Azure Policy, Azure Monitor, and Microsoft Defender for Cloud.
• Azure Arc-enabled private clouds: Azure Arc resource bridge hosts other components such as custom locations, cluster extensions, and other Azure Arc agents in order to deliver the level of functionality with the private cloud infrastructures it supports.

Azure ARC Use Cases

Azure ARC can be used in a variety of scenarios to manage and govern resources across on-premises, multi-cloud, and edge environments. Some common use cases for Azure ARC include:

• Hybrid cloud management: Azure ARC enables you to manage resources consistently across on-premises, multi-cloud, and edge environments using the same Azure management tools and policies.
• Security and compliance: Azure ARC allows you to enforce security and compliance policies consistently across all environments, ensuring that your resources meet regulatory requirements and organizational standards.
• Resource governance: Azure ARC provides a unified control plane for managing and governing resources across all environments, enabling you to enforce policies and monitor resource health and performance.
• Application modernization: Azure ARC enables you to manage and govern Kubernetes clusters and data services running on-premises or in other clouds, allowing you to modernize your applications and infrastructure.

Getting Started with Azure ARC

To get started with Azure ARC, you need to:

1. Connect your resources: Connect your servers, Kubernetes clusters, or data services to Azure ARC using the Azure ARC agent.
2. Manage your resources: Use Azure management tools like Azure Policy, Azure Monitor, and Microsoft Defender for Cloud to manage and govern your resources consistently across all environments.
3. Enforce security and compliance: Use Azure security features like Microsoft Defender for Cloud to protect your resources and enforce security and compliance policies.

By leveraging Azure ARC, you can manage and govern your resources consistently across on-premises, multi-cloud, and edge environments, providing a unified control plane for your hybrid cloud infrastructure. Azure ARC enables you to enforce security and compliance policies consistently, ensuring that your resources meet regulatory requirements and organizational standards.

Conclusion

Azure ARC is a powerful service that extends Azure management capabilities to any infrastructure, enabling you to manage and govern resources consistently across on-premises, multi-cloud, and edge environments. By leveraging Azure ARC, you can enforce security and compliance policies consistently, ensuring that your resources meet regulatory requirements and organizational standards. Azure ARC provides a unified control plane for managing and governing resources, enabling you to manage your hybrid cloud infrastructure effectively.

For more information on Azure ARC, visit the Azure ARC documentation.

Azure Policy Management Best Practices

1. Version Control: Store your policy definitions in a version-controlled repository. This practice ensures that you can track changes, collaborate effectively, and roll back to previous versions if needed.

2. Automated Testing: Incorporate policy testing into your CI/CD pipelines. Automated tests can help you catch policy violations early in the development process, reducing the risk of non-compliance.

3. Policy Documentation: Document your policies clearly, including their purpose, scope, and expected behavior. This documentation helps stakeholders understand the policies and their impact on Azure resources.

4. Policy Assignment: Assign policies at the appropriate scope (e.g., Management Group, Subscription, Resource Group) based on your organizational requirements. Avoid assigning policies at a broader scope than necessary to prevent unintended consequences.

5. Policy Exemptions: Use policy exemptions judiciously. Document the reasons for exemptions and periodically review them to ensure they are still valid.

6. Policy Enforcement: Monitor policy compliance regularly and take corrective action for non-compliant resources. Use Azure Policy's built-in compliance reports and alerts to track policy violations.

7. Policy Remediation: Implement automated remediation tasks for policy violations where possible. Azure Policy's remediation tasks can help bring non-compliant resources back into compliance automatically.

8. Policy Monitoring: Continuously monitor policy effectiveness and adjust policies as needed. Regularly review policy violations, exemptions, and compliance trends to refine your policy implementation.

9. Policy Governance: Establish a governance framework for Azure Policy that includes policy creation, assignment, monitoring, and enforcement processes. Define roles and responsibilities for policy management to ensure accountability.

10. Policy Lifecycle Management: Define a policy lifecycle management process that covers policy creation, testing, deployment, monitoring, and retirement. Regularly review and update policies to align with changing organizational requirements.

11. Unique source of truth: Use EPAC, terraform, ARM,.... but use an unique source of truth for your policies.

By following these best practices, you can effectively manage Azure policies and ensure compliance with organizational standards across your Azure environment. Azure Policy plays a crucial role in maintaining governance, security, and compliance, and adopting these practices can help you maximize its benefits.

Writing Your First Policy in Azure with Portal

Azure Policy is a service in Azure that you use to create, assign and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.

In this post, we'll walk through the steps of creating your first policy in Azure.

Prerequisites

1. An active Azure subscription.
2. Access to Azure portal.

Step 1: Open Azure Policy

• Login to the Azure Portal.
• In the left-hand menu, click on All services.
• In the All services blade, search for Policy.

Step 2: Create a New Policy Definition

• Click on Definitions under the Authoring section.
• Click on + Policy definition.

Step 3: Fill Out the Policy Definition

You will need to fill out several fields:

• Definition location: The location where the policy is stored.
• Name: This is a unique name for your policy.
• Description: A detailed description of what the policy does.
• Category: You can categorize your policy for easier searching and filtering.

The most important part of the policy definition is the policy rule itself. The policy rule is where you describe the logic that enforces the policy.

Here's an example of a simple policy rule that ensures all indexed resources have tags and deny creation or update if they do not.

{
    "properties": {
        "displayName": "Require a tag and its value",
        "policyType": "Custom",
        "mode": "Indexed",
        "description": "This policy requires a specific tag and its value.",
        "metadata": {
            "category": "Tags"
        },
        "parameters": {
            "tagName": {
                "type": "String",
                "metadata": {
                    "displayName": "Tag Name",
                    "description": "Name of the tag, such as 'environment'"
                }
            },
            "tagValue": {
                "type": "String",
                "metadata": {
                    "displayName": "Tag Value",
                    "description": "Value of the tag, such as 'production'"
                }
            }
        },
        },
        "policyRule": {
            "if": {
                "not": {
                    "field": "[concat('tags[', parameters('tagName'), ']')]",
                    "equals": "[parameters('tagValue')]"
                    }
                },
            "then": {
                "effect": "deny"
            }
        }
    }

But, in portal, you can add properties directly in the form but you can't add displayName, policyType and metadata because they are added by portal itself, so you can add only mode,parameters and policyRule, Policy definition could be like this:

• Definition location: Tenant Root Group
• Name: Require a tag and its value
• Description: This policy requires a specific tag and its value.
• Category: Tags
• POLICY RULE:

{

        "mode": "Indexed", 
        "parameters": {
            "tagName": {
                "type": "String",
                "metadata": {
                    "displayName": "Tag Name",
                    "description": "Name of the tag, such as 'environment'"
                }
            },
            "tagValue": {
                "type": "String",
                "metadata": {
                    "displayName": "Tag Value",
                    "description": "Value of the tag, such as 'production'"
                }
            }
        },
        "policyRule": {
            "if": {
                "not": {
                    "field": "[concat('tags[', parameters('tagName'), ']')]",
                    "equals": "[parameters('tagValue')]"
                    }
                },
            "then": {
                "effect": "deny"
            }
        }
}

Once you've filled out all the fields and written your policy rule, click on Save.

Step 4: Assign the Policy

• Go back to the Policy service in the Azure portal.
• Click on Assignments under the Authoring section.
• Click on + Assign Policy.
• In Basics, fill out the following fields:
  • Scope
    • Scope: Select the scope where you want to assign the policy.
    • Exclusions: Add any exclusions if needed.
  • Basics
    • Policy definition: Select the policy you created.
    • Assignment name: A unique name for the assignment.
    • Description: A detailed description of the assignment.
    • Policy enforcement: Enabled.
• In Parameters: Fill out any parameters needed for the policy.
• In Non-compliance message: A message to display when a resource is non-compliant.
• Click on Review + create: Review the assignment and click on Create.

Congratulations! You've just created and assigned your first policy in Azure. It will now evaluate any new or existing resources within its scope.

Remember, Azure Policy is a powerful tool for maintaining compliance and managing your resources at scale. Happy coding!

Azure Policy, defintion schema

This is the schema for the Azure Policy definition:

{
    "properties": {
        "displayName": {
            "type": "string",
            "description": "The display name of the policy definition."
        },
        "policyType": {
            "type": "string",
            "description": "The policy type of the policy definition."
        },
        "mode": {
            "type": "string",
            "description": "The mode of the policy definition."
        },
        "description": {
            "type": "string",
            "description": "The description of the policy definition."
        },
        "mode": {
            "type": "string",
            "description": "The mode of the policy definition."
        },
        "metadata": {
            "type": "object",
            "description": "The metadata of the policy definition."
        },
        "parameters": {
            "type": "object",
            "description": "The parameters of the policy definition."
        },
        "policyRule": {
            "type": "object",
            "description": "The policy rule of the policy definition. If/then rule."
        }       

    }
}

You can see other elements in the schema like id, type, and name, It's depens of how you want to deploy the policy definition.

Full schema is in Azure Policy definition schema.

Example

Here is an example of a policy definition:

{
    "properties": {
        "displayName": "Require a tag and its value",
        "policyType": "Custom",
        "mode": "Indexed",
        "description": "This policy requires a specific tag and its value.",
        "metadata": {
            "category": "Tags"
        },
        "parameters": {
            "tagName": {
                "type": "String",
                "metadata": {
                    "displayName": "Tag Name",
                    "description": "Name of the tag, such as 'environment'"
                }
            },
            "tagValue": {
                "type": "String",
                "metadata": {
                    "displayName": "Tag Value",
                    "description": "Value of the tag, such as 'production'"
                }
            }
        },
        "policyRule": {
            "if": {
                "field": "[concat('tags[', parameters('tagName'), ']')]",
                "exists": "false"
            },
            "then": {
                "effect": "deny"
            }
        }
    }
}

This policy definition requires a specific tag and its value. If the tag does not exist, the policy denies the action.

How you can see, the most important part of the policy definition is the policy rule.

Conclusion

Understanding the schema for Azure Policy definitions is essential for creating and managing policies effectively. By defining the necessary attributes and rules, you can enforce compliance, security, and operational standards across your Azure environment. Leveraging the Azure Policy definition schema allows you to tailor policies to your organization's specific requirements and ensure consistent governance practices.

References

• Azure Policy definition schema
• Azure Policy

Writing Your First Initiative with Portal

Azure Policy is a service in Azure that you use to create, assign and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.

In this post, we'll walk through the steps of creating your first initiative in Azure.

Prerequisites

1. An active Azure subscription.
2. Access to Azure portal.
3. Azure Policy defined in your subscription, if you don't have one, you can follow the steps in Writing Your First Policy in Azure with Portal.

Step 1: Open Azure Policy

• Login to the Azure Portal.
• In the left-hand menu, click on All services.
• In the All services blade, search for Policy.

Step 2: Create a New Initiative Definition

• Click on Defitinions under the Authoring section.
• Click on + Initiative definition.

Step 3: Fill Out the Initiative Definition

You will need to fill out several fields:

• Basics:
• Initiative location: The location where the initiative is stored.
• Name: This is a unique name for your initiative.
• Description: A detailed description of what the initiative does.
• Category: You can categorize your initiative for easier searching and filtering.
• Policies:
• Add policy definition(s): Here you can add the policies that will be part of the initiative.
• Initiative parameters:
• Add parameter: Here you can add parameters that will be used in the initiative.
• Policy parameters:

• Add policy parameter: Here you can add parameters that will be used in the policies that are part of the initiative. You can use the parameters defined in the initiative as value for different policies.

• Click on Review + create: Review the assignment and click on Create.

Step 4: Assign the Initiative

• Go to Policy again.
• Go to Assignments under the Authoring section.
• Click on + Assign initiative.

You will need to fill out several fields: - Basics: - Scope: Select the scope where you want to assign the initiative. - Basics: - Initiative definition: Select the initiative you just created. - Assignment name: A unique name for the assignment. - Description: A detailed description of what the assignment does. - Policy enforcement: Choose the enforcement mode for the assignment. - Parameters: - Add parameter: Initialize parameters that will be used in the initiative. - Remediation: - Auto-remediation: Enable or disable auto-remediation. That means that if a resource is not compliant, it will be remediated automatically. In other post it will be explained how to create a remediation task. - Non-compliance messages: - Non-compliance message: Define a message that will be shown when a resource is not compliant.

• Click on Review + create: Review the assignment and click on Create.

Conclusion

Creating an initiative in Azure Policy is a powerful way to group policies together and enforce them across your Azure environment. By defining initiatives, you can streamline governance, simplify compliance management, and ensure consistent application of policies to your resources. Start creating initiatives today to enhance the security, compliance, and operational efficiency of your Azure environment.

Azure Policy

Azure Policy serves as a powerful tool for implementing governance across your Azure environment. It helps ensure resource consistency, regulatory compliance, security, cost management, and efficient operations

As organizations leverage the power of Azure for their cloud infrastructure, ensuring governance, compliance, and security becomes paramount. Azure Policy, along with policies and initiatives, provides a robust framework to enforce and assess compliance with organizational standards and regulatory requirements. Let's delve into these concepts to understand how they work together.

Azure Policy Overview

Azure Policy is a service in Azure that allows you to create, assign, and manage policies. These policies enforce different rules and effects over resources, so those resources stay compliant with corporate standards and service-level agreements.

Azure Policy helps to address questions like:

• Are all virtual machines encrypted using Azure Disk Encryption?
• Are resources deployed only in certain Azure regions?
• Are specific tags applied to resources for tracking and organization?

Policies in Azure Policy are defined using JSON-based policy definitions. These definitions can be simple or complex, depending on the requirements. Once a policy is created, it can be assigned to specific scopes within Azure, such as subscriptions, resource groups, or even individual resources.

Policies

Policies in Azure Policy are rules that enforce different requirements and effects on resources. These policies can be related to security, compliance, or management. For instance, you can have a policy that ensures all publicly accessible storage accounts are secured with a firewall or a policy that enforces a specific naming convention for virtual machines.

Key attributes of policies include: - Effect: Determines what happens when the condition in the policy is met (e.g., deny the action, audit the action, append a tag). - Condition: Defines when the policy is enforced based on properties of the resource being evaluated. - Action: Specifies what happens when a resource violates the policy (e.g., deny deployment, apply audit).

Policies can be built-in (provided by Azure) or custom (defined by the organization). They play a vital role in maintaining compliance and security standards across Azure environments.

Initiatives

Initiatives in Azure Policy are collections of policies that are grouped together as a single unit. This simplifies the process of assigning multiple policies to different scopes simultaneously. Initiatives help in enforcing complex requirements and compliance standards by grouping related policies together.

graph TD;
    A[Azure Policy] -->|Contains| B1[Policy 1]
    A[Azure Policy] -->|Contains| B2[Policy 2]
    A[Azure Policy] -->|Contains| B3[Policy 3]
    A[Azure Policy] -->|Contains| B4[Policy 4]
    B1[Policy 1] -->|Belongs to| C[Initiative 1]
    B2[Policy 2] -->|Belongs to| C[Initiative 1]
    B3[Policy 3] -->|Belongs to| D[Initiative 2]


    classDef azurePolicy fill:#f9f,stroke:#333,stroke-width:2px;
    classDef policy fill:#fc9,stroke:#333,stroke-width:2px;
    classDef initiative fill:#9cf,stroke:#333,stroke-width:2px;

    class A,B1,B2,B3,B4 azurePolicy;
    class C,D initiative;
    class D1,D2,E1,E2 policy;

Initiatives allow you to:

• Apply multiple policies at once to a scope (like a subscription or management group).
• Monitor compliance against a set of defined standards or regulations.
• Streamline governance by organizing policies logically.

By using initiatives, you can efficiently manage and enforce compliance with regulatory standards (e.g., CIS benchmarks, PCI DSS) or organizational best practices.

Assignments

Assignments in Azure Policy are the mechanism to apply policies or initiatives to specific scopes within Azure. You can assign policies to subscriptions, resource groups, or even individual resources. Assignments help in enforcing governance and compliance standards across your Azure environment.

graph TD;
    A[Azure Policy] -->|Contains| B1[Policy 1]
    A[Azure Policy] -->|Contains| B2[Policy 2]
    A[Azure Policy] -->|Contains| B3[Policy 3]
    A[Azure Policy] -->|Contains| B4[Policy 4]
    B1[Policy 1] -->|Belongs to| C[Initiative 1]
    B2[Policy 2] -->|Belongs to| C[Initiative 1]
    B3[Policy 3] -->|Belongs to| D[Initiative 2]
    C[Initiative 1] -->|Assigned to| E[Subscription 1]
    D[Initiative 2] -->|Assigned to| F[Resource Group 1]
    B4[Policy 4] -->|Assigned to| G[Management Group 1]

    classDef azurePolicy fill:#f9f,stroke:#333,stroke-width:2px;
    classDef policy fill:#fc9,stroke:#333,stroke-width:2px;
    classDef initiative fill:#9cf,stroke:#333,stroke-width:2px;
    classDef assignment fill:#9f9,stroke:#333,stroke-width:2px;

    class A,B1,B2,B3,B4 azurePolicy;
    class C,D initiative;
    class E,F,G assignment;
    class D1,D2,E1,E2 policy;

Conclusion

In conclusion, Azure Policy, policies, and initiatives are fundamental components of Azure's governance framework. They enable organizations to define and enforce rules for Azure resources, ensuring adherence to compliance standards, security protocols, and operational guidelines. By leveraging these capabilities, Azure users can maintain control over their cloud environment while promoting consistency and security across deployments. If you're looking to enhance governance and compliance within Azure, exploring Azure Policy, policies, and initiatives is a crucial step forward.

References

• Azure Policy overview