Skip to content

Blog

Azure Policy Management Best Practices

  1. Version Control: Store your policy definitions in a version-controlled repository. This practice ensures that you can track changes, collaborate effectively, and roll back to previous versions if needed.

  2. Automated Testing: Incorporate policy testing into your CI/CD pipelines. Automated tests can help you catch policy violations early in the development process, reducing the risk of non-compliance.

  3. Policy Documentation: Document your policies clearly, including their purpose, scope, and expected behavior. This documentation helps stakeholders understand the policies and their impact on Azure resources.

  4. Policy Assignment: Assign policies at the appropriate scope (e.g., Management Group, Subscription, Resource Group) based on your organizational requirements. Avoid assigning policies at a broader scope than necessary to prevent unintended consequences.

  5. Policy Exemptions: Use policy exemptions judiciously. Document the reasons for exemptions and periodically review them to ensure they are still valid.

  6. Policy Enforcement: Monitor policy compliance regularly and take corrective action for non-compliant resources. Use Azure Policy's built-in compliance reports and alerts to track policy violations.

  7. Policy Remediation: Implement automated remediation tasks for policy violations where possible. Azure Policy's remediation tasks can help bring non-compliant resources back into compliance automatically.

  8. Policy Monitoring: Continuously monitor policy effectiveness and adjust policies as needed. Regularly review policy violations, exemptions, and compliance trends to refine your policy implementation.

  9. Policy Governance: Establish a governance framework for Azure Policy that includes policy creation, assignment, monitoring, and enforcement processes. Define roles and responsibilities for policy management to ensure accountability.

  10. Policy Lifecycle Management: Define a policy lifecycle management process that covers policy creation, testing, deployment, monitoring, and retirement. Regularly review and update policies to align with changing organizational requirements.

  11. Unique source of truth: Use EPAC, terraform, ARM,.... but use an unique source of truth for your policies.

By following these best practices, you can effectively manage Azure policies and ensure compliance with organizational standards across your Azure environment. Azure Policy plays a crucial role in maintaining governance, security, and compliance, and adopting these practices can help you maximize its benefits.

Enterprise Azure Policy as Code (EPAC)

Enterprise Azure Policy as Code (EPAC) is a powerful tool that allows organizations to manage Azure Policies as code in a git repository. It's designed for medium and large organizations with a larger number of Policies, Policy Sets, and Assignments, and/or complex deployment scenarios.

Key Features of EPAC

  • Single and multi-tenant policy deployment: EPAC supports both single and multi-tenant policy deployments, making it versatile for different organizational structures.
  • Easy CI/CD Integration: EPAC can be easily integrated with any CI/CD tool, which makes it a great fit for DevOps environments.
  • Operational scripts: EPAC includes operational scripts to simplify operational tasks.
  • Integration with Azure Landing Zones: EPAC provides a mature integration with Azure Landing Zones. Utilizing Azure Landing Zones together with EPAC is highly recommended.

Who Should Use EPAC?

EPAC is designed for medium and large organizations with a larger number of Policies, Policy Sets, and Assignments, and/or complex deployment scenarios. However, smaller organizations implementing fully-automated DevOps deployments of every Azure resource (known as Infrastructure as Code) can also benefit from EPAC.

How Does EPAC Work?

EPAC works by deploying all policies and policy assignments defined in the EPAC repository to the deploymentRootScope and its children. It takes possession of all Policy Resources at the deploymentRootScope and its children.

Alt text

The process depicted in the image involves three key scripts that manage a deployment sequence. Here's a breakdown of the process:

  1. Definition Files: The process begins with various definition files in JSON, CSV, or XLSX formats. These files contain policy definitions, policy set (initiative) definitions, assignments, exemptions, and global settings.

  2. Planning Script: The Build-DeploymentPlans.ps1 script uses these definition files to create a deployment plan. This script requires Resource Policy Reader privileges.

  3. Deployment Scripts: The deployment plan is then used by two deployment scripts:

  4. Deploy-PolicyPlan.ps1: This script deploys Policy resources using the policy-plan.json file from the deployment plan. It requires Resource Policy Contributor privileges.
  5. Deploy-RolesPlan.ps1: This script deploys Role Assignments using the roles-plan.json file from the deployment plan. It requires User Access Administrator privileges.

The process includes optional approval gates after each deployment step. These are typically used in production environments to ensure each deployment step is reviewed and approved before moving to the next.

Warning

EPAC is a true desired state deployment technology. It takes possession of all Policy Resources at the deploymentRootScope and its children. It will delete any Policy resources not defined in the EPAC repo.

Conclusion

EPAC is a robust solution for managing Azure Policies as code. It offers a high level of assurance in highly controlled and sensitive environments, and a means for the development, deployment, management, and reporting of Azure policy at scale.

References

Manage Azure Policy GitHub Action

It's recommended to review:

Overview

The Manage Azure Policy GitHub Action empowers you to enforce organizational standards and assess compliance at scale using Azure policies. With this action, you can seamlessly integrate policy management into your CI/CD pipelines, ensuring that your Azure resources adhere to the desired policies.

Info

This project does not have received any updates since some time, but it is still a simple option to develop your Azure Policies. As everything cannot be good to say that this deployment method has a major drawback, deletions must be done by hand :S

Key Features

  1. Customizable Workflows: GitHub workflows are highly customizable. You have complete control over the sequence in which Azure policies are rolled out. This flexibility enables you to follow safe deployment practices and catch regressions or bugs well before policies are applied to critical resources.

  2. Azure Login Integration: The action assumes that you've already authenticated using the Azure Login action. Make sure you've logged in using an Azure service principal with sufficient permissions to write policies on selected scopes. Refer to the full documentation of Azure Login Action for details on permissions.

  3. Policy File Structure: Your policy files should be organized in a specific directory structure within your GitHub repository. Here's how it should look:

    |- policies/
       |- <policy1_name>/
          |- policy.json
          |- assign.<name1>.json
          |- assign.<name2>.json
          ...
       |- <policy2_name>/
          |- policy.json
          |- assign.<name1>.json
          |- assign.<name2>.json
          ...
    
    • Each policy resides in a subfolder under the policies/ directory.
    • The policy.json file contains the policy definition.
    • Assignment files (e.g., assign.<name1>.json) specify how the policy is applied.
  4. Inputs for the Action:

    • Paths: Specify the mandatory path(s) to the directory containing your Azure policy files.

Sample Workflow

Here's an example of how you can apply policies at the Management Group scope using the Manage Azure Policy action:

name: 'Test Policy'
on:
  push:
    branches: 
    - "*" 
    paths: 
     - 'policies/**'
     - 'initiatives/**'
  workflow_dispatch:

jobs:
  apply-azure-policy:    
    runs-on: ubuntu-latest
    steps:
    # Azure Login
    - name: Login to Azure
      uses: azure/login@v1
      with:
        creds: ${{ secrets.AZURE_CREDENTIALS }}
        allow-no-subscriptions: true

    - name: Checkout
      uses: actions/checkout@v2 

    - name: Create or Update Azure Policies
      uses: azure/manage-azure-policy@v0
      with:      
        paths:  |                
          policies/**
          initiatives/**
        assignments:  |
          assign.*_testRG_*.json

Remember to replace the placeholder values (such as secrets.AZURE_CREDENTIALS) with your actual configuration, you can follow this instructions to create a service principal and get the credentials: Create a service principal and get the credentials

Example of use for Policy

In this example we define all our policies and initiatives at management group level and assign to resource group, and we have a policy that requires a specific tag and its value.

You need to create a folder structure like this:

|- policies/
   |- require-tag-and-its-value/
      |- policy.json
      |- assign.testRG_testazurepolicy.json
|- initiatives/
   |- initiative1/
      |- policyset.json
      |- assign.testRG_testazurepolicy.json

policies

Info

  • The policy.json file contains the policy definition, and the assign.<name>.json file specifies how the policy is applied.
policy.json

Info

  • The id value specifies where you are going to define the policy.
policy.json
{
    "id": "/providers/Microsoft.Management/managementGroups/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/requite-tag-and-its-value",
    "type": "Microsoft.Authorization/policyDefinitions",
    "name": "requite-tag-and-its-value",
    "properties": {
        "displayName": "Require a tag and its value",
        "policyType": "Custom",
        "mode": "Indexed",
        "description": "This policy requires a specific tag and its value.",
        "metadata": {
            "category": "Tags"
        },
        "parameters": {
            "tagName": {
                "type": "String",
                "metadata": {
                    "displayName": "Tag Name",
                    "description": "Name of the tag, such as 'environment'"
                }
            },
            "tagValue": {
                "type": "String",
                "metadata": {
                    "displayName": "Tag Value",
                    "description": "Value of the tag, such as 'production'"
                }
            }
        }
        },
        "policyRule": {
            "if": {
                "not": {
                    "field": "[concat('tags[', parameters('tagName'), ']')]",
                    "equals": "[parameters('tagValue')]"
                    }
                },
            "then": {
                "effect": "deny"
            }
        }
    }
assign.testRG_testazurepolicy.json

Info

  • Change the id and scope values in the assign.<name>.json file to match your Azure subscription and resource group.
  • id specifies where you are going to deploy the assignment.
  • id and name are related, name can not be any value, it should be the same as the last part of the id. You can generete a new GUID and use it as name with (1..24 | %{ '{0:x}' -f (Get-Random -Max 16) }) -join ''
  • name and id are related.
  • The policyDefinitionId value should match the id value in the policy.json file.
assign.testRG_testazurepolicy.json
{
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-testazurepolicy/providers/Microsoft.Authorization/policyAssignments/599a2c3a1a3b1f8b8e547b3e",
    "type": "Microsoft.Authorization/policyAssignments",
    "name": "599a2c3a1a3b1f8b8e547b3e",     
    "properties": {
        "description": "This policy audits the presence of a specific tag and its value.",
        "displayName": "Require a tag and its value",
        "parameters": {
            "tagName": {
              "value": "environment"
            },
            "tagValue": {
              "value": "production"
            }
          },
          "nonComplianceMessages": [
            {
              "message": "This resource is not compliant with the policy. Please apply the required tag and its value."
            }
          ],
          "enforcementMode": "Default",
          "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/requite-tag-and-its-value",
          "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-testazurepolicy"
    }    
}

initiatives

Info

  • The policyset.json file contains the policy definition, and the assign.<name>.json file specifies how the initiative is applied.
policyset.json

Info

  • The id value specifies where you are going to define the initiative.
  • The policyDefinitions array contains the policy definitions that are part of the initiative.
  • The parameters object defines the parameters that can be passed to the policies within the initiative.
  • The policyDefinitionId value should match the id value in the policy.json file of the policy.
policyset.json
{
    "id": "/providers/Microsoft.Management/managementGroups/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/initiative1",
    "type": "Microsoft.Authorization/policySetDefinitions",
    "name": "initiative1",
    "properties": {
        "displayName": "Initiative 1",
        "description": "This initiative contains a set of policies for testing.",
        "metadata": {
            "category": "Test"
        },
        "parameters": {
            "tagName": {
                "type": "String",
                "metadata": {
                    "displayName": "Tag Name",
                    "description": "Name of the tag, such as 'environment'"
                }
            },
            "tagValue": {
                "type": "String",
                "metadata": {
                    "displayName": "Tag Value",
                    "description": "Value of the tag, such as 'production'"
                }
            }
        },
        "policyDefinitions": [
            {
                "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/requite-tag-and-its-value",
                "parameters": {
                    "tagName": {
                        "value": "[parameters('tagName')]"
                    },
                    "tagValue": {
                        "value": "[parameters('tagValue')]"
                    },
                    "effect": {
                        "value": "Deny"
                    }
                }
            }
        ]
    }
}
assign.testRG_testazurepolicyset.json
assign.testRG_testazurepolicyset.json
{
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-testazurepolicy/providers/Microsoft.Authorization/policyAssignments/ada0f4a34b09cf6ad704cc62",
    "type": "Microsoft.Authorization/policyAssignments",
    "name": "ada0f4a34b09cf6ad704cc62",     
    "properties": {
        "description": "This initiative audits the presence of a specific tag and its value.",
        "displayName": "Require a tag and its value",
        "parameters": {
            "tagName": {
              "value": "environment"
            },
            "tagValue": {
              "value": "production"
            }
          },
          "nonComplianceMessages": [
            {
              "message": "This resource is not compliant with the policy. Please apply the required tag and its value."
            }
          ],
          "enforcementMode": "Default",
          "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/requite-tag-and-its-value",
          "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-testazurepolicy"
    }    
}

Conclusion

By incorporating the Manage Azure Policy action into your GitHub workflows, you can seamlessly enforce policies, maintain compliance, and ensure the robustness of your Azure resources, although it has its drawbacks, it is one more step compared to a portal. Later we will see the deployment with a more robust tool: EPAC

Learn more about Azure Policies and explore the action on the GitHub Marketplace.

Writing Your First Policy in Azure with Portal

Azure Policy is a service in Azure that you use to create, assign and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.

In this post, we'll walk through the steps of creating your first policy in Azure.

Prerequisites

  1. An active Azure subscription.
  2. Access to Azure portal.

Step 1: Open Azure Policy

  • Login to the Azure Portal.
  • In the left-hand menu, click on All services.
  • In the All services blade, search for Policy.

Step 2: Create a New Policy Definition

  • Click on Definitions under the Authoring section.
  • Click on + Policy definition.

Step 3: Fill Out the Policy Definition

You will need to fill out several fields:

  • Definition location: The location where the policy is stored.
  • Name: This is a unique name for your policy.
  • Description: A detailed description of what the policy does.
  • Category: You can categorize your policy for easier searching and filtering.

The most important part of the policy definition is the policy rule itself. The policy rule is where you describe the logic that enforces the policy.

Here's an example of a simple policy rule that ensures all indexed resources have tags and deny creation or update if they do not.

{
    "properties": {
        "displayName": "Require a tag and its value",
        "policyType": "Custom",
        "mode": "Indexed",
        "description": "This policy requires a specific tag and its value.",
        "metadata": {
            "category": "Tags"
        },
        "parameters": {
            "tagName": {
                "type": "String",
                "metadata": {
                    "displayName": "Tag Name",
                    "description": "Name of the tag, such as 'environment'"
                }
            },
            "tagValue": {
                "type": "String",
                "metadata": {
                    "displayName": "Tag Value",
                    "description": "Value of the tag, such as 'production'"
                }
            }
        },
        },
        "policyRule": {
            "if": {
                "not": {
                    "field": "[concat('tags[', parameters('tagName'), ']')]",
                    "equals": "[parameters('tagValue')]"
                    }
                },
            "then": {
                "effect": "deny"
            }
        }
    }

But, in portal, you can add properties directly in the form but you can't add displayName, policyType and metadata because they are added by portal itself, so you can add only mode,parameters and policyRule, Policy definition could be like this:

  • Definition location: Tenant Root Group
  • Name: Require a tag and its value
  • Description: This policy requires a specific tag and its value.
  • Category: Tags
  • POLICY RULE:
{

        "mode": "Indexed", 
        "parameters": {
            "tagName": {
                "type": "String",
                "metadata": {
                    "displayName": "Tag Name",
                    "description": "Name of the tag, such as 'environment'"
                }
            },
            "tagValue": {
                "type": "String",
                "metadata": {
                    "displayName": "Tag Value",
                    "description": "Value of the tag, such as 'production'"
                }
            }
        },
        "policyRule": {
            "if": {
                "not": {
                    "field": "[concat('tags[', parameters('tagName'), ']')]",
                    "equals": "[parameters('tagValue')]"
                    }
                },
            "then": {
                "effect": "deny"
            }
        }
}

Once you've filled out all the fields and written your policy rule, click on Save.

Step 4: Assign the Policy

  • Go back to the Policy service in the Azure portal.
  • Click on Assignments under the Authoring section.
  • Click on + Assign Policy.
  • In Basics, fill out the following fields:
    • Scope
      • Scope: Select the scope where you want to assign the policy.
      • Exclusions: Add any exclusions if needed.
    • Basics
      • Policy definition: Select the policy you created.
      • Assignment name: A unique name for the assignment.
      • Description: A detailed description of the assignment.
      • Policy enforcement: Enabled.
  • In Parameters: Fill out any parameters needed for the policy.
  • In Non-compliance message: A message to display when a resource is non-compliant.
  • Click on Review + create: Review the assignment and click on Create.

Congratulations! You've just created and assigned your first policy in Azure. It will now evaluate any new or existing resources within its scope.

Remember, Azure Policy is a powerful tool for maintaining compliance and managing your resources at scale. Happy coding!

Azure Policy, defintion schema

This is the schema for the Azure Policy definition:

{
    "properties": {
        "displayName": {
            "type": "string",
            "description": "The display name of the policy definition."
        },
        "policyType": {
            "type": "string",
            "description": "The policy type of the policy definition."
        },
        "mode": {
            "type": "string",
            "description": "The mode of the policy definition."
        },
        "description": {
            "type": "string",
            "description": "The description of the policy definition."
        },
        "mode": {
            "type": "string",
            "description": "The mode of the policy definition."
        },
        "metadata": {
            "type": "object",
            "description": "The metadata of the policy definition."
        },
        "parameters": {
            "type": "object",
            "description": "The parameters of the policy definition."
        },
        "policyRule": {
            "type": "object",
            "description": "The policy rule of the policy definition. If/then rule."
        }       

    }
}

You can see other elements in the schema like id, type, and name, It's depens of how you want to deploy the policy definition.

Full schema is in Azure Policy definition schema.

Example

Here is an example of a policy definition:

{
    "properties": {
        "displayName": "Require a tag and its value",
        "policyType": "Custom",
        "mode": "Indexed",
        "description": "This policy requires a specific tag and its value.",
        "metadata": {
            "category": "Tags"
        },
        "parameters": {
            "tagName": {
                "type": "String",
                "metadata": {
                    "displayName": "Tag Name",
                    "description": "Name of the tag, such as 'environment'"
                }
            },
            "tagValue": {
                "type": "String",
                "metadata": {
                    "displayName": "Tag Value",
                    "description": "Value of the tag, such as 'production'"
                }
            }
        },
        "policyRule": {
            "if": {
                "field": "[concat('tags[', parameters('tagName'), ']')]",
                "exists": "false"
            },
            "then": {
                "effect": "deny"
            }
        }
    }
}

This policy definition requires a specific tag and its value. If the tag does not exist, the policy denies the action.

How you can see, the most important part of the policy definition is the policy rule.

Note

The policy rule is where you describe the logic that enforces the policy.

Conclusion

Understanding the schema for Azure Policy definitions is essential for creating and managing policies effectively. By defining the necessary attributes and rules, you can enforce compliance, security, and operational standards across your Azure environment. Leveraging the Azure Policy definition schema allows you to tailor policies to your organization's specific requirements and ensure consistent governance practices.

References

Writing Your First Initiative with Portal

Azure Policy is a service in Azure that you use to create, assign and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.

In this post, we'll walk through the steps of creating your first initiative in Azure.

Info

You need to have a good understanding of Azure Policy before creating an initiative. If you're new to Azure Policy, check out our post on Azure Policy and Writing Your First Policy in Azure with Portal.

Prerequisites

  1. An active Azure subscription.
  2. Access to Azure portal.
  3. Azure Policy defined in your subscription, if you don't have one, you can follow the steps in Writing Your First Policy in Azure with Portal.

Step 1: Open Azure Policy

  • Login to the Azure Portal.
  • In the left-hand menu, click on All services.
  • In the All services blade, search for Policy.

Step 2: Create a New Initiative Definition

  • Click on Defitinions under the Authoring section.
  • Click on + Initiative definition.

Step 3: Fill Out the Initiative Definition

You will need to fill out several fields:

  • Basics:
  • Initiative location: The location where the initiative is stored.
  • Name: This is a unique name for your initiative.
  • Description: A detailed description of what the initiative does.
  • Category: You can categorize your initiative for easier searching and filtering.
  • Policies:
  • Add policy definition(s): Here you can add the policies that will be part of the initiative.
  • Initiative parameters:
  • Add parameter: Here you can add parameters that will be used in the initiative. Initiative parameters
  • Policy parameters:
  • Add policy parameter: Here you can add parameters that will be used in the policies that are part of the initiative. You can use the parameters defined in the initiative as value for different policies. Policy parameters

  • Click on Review + create: Review the assignment and click on Create.

Step 4: Assign the Initiative

  • Go to Policy again.
  • Go to Assignments under the Authoring section.
  • Click on + Assign initiative.

You will need to fill out several fields: - Basics: - Scope: Select the scope where you want to assign the initiative. - Basics: - Initiative definition: Select the initiative you just created. - Assignment name: A unique name for the assignment. - Description: A detailed description of what the assignment does. - Policy enforcement: Choose the enforcement mode for the assignment. - Parameters: - Add parameter: Initialize parameters that will be used in the initiative. - Remediation: - Auto-remediation: Enable or disable auto-remediation. That means that if a resource is not compliant, it will be remediated automatically. In other post it will be explained how to create a remediation task. - Non-compliance messages: - Non-compliance message: Define a message that will be shown when a resource is not compliant.

  • Click on Review + create: Review the assignment and click on Create.

Conclusion

Creating an initiative in Azure Policy is a powerful way to group policies together and enforce them across your Azure environment. By defining initiatives, you can streamline governance, simplify compliance management, and ensure consistent application of policies to your resources. Start creating initiatives today to enhance the security, compliance, and operational efficiency of your Azure environment.

Azure Policy

Azure Policy serves as a powerful tool for implementing governance across your Azure environment. It helps ensure resource consistency, regulatory compliance, security, cost management, and efficient operations

As organizations leverage the power of Azure for their cloud infrastructure, ensuring governance, compliance, and security becomes paramount. Azure Policy, along with policies and initiatives, provides a robust framework to enforce and assess compliance with organizational standards and regulatory requirements. Let's delve into these concepts to understand how they work together.

Azure Policy Overview

Azure Policy is a service in Azure that allows you to create, assign, and manage policies. These policies enforce different rules and effects over resources, so those resources stay compliant with corporate standards and service-level agreements.

Azure Policy helps to address questions like:

  • Are all virtual machines encrypted using Azure Disk Encryption?
  • Are resources deployed only in certain Azure regions?
  • Are specific tags applied to resources for tracking and organization?

Policies in Azure Policy are defined using JSON-based policy definitions. These definitions can be simple or complex, depending on the requirements. Once a policy is created, it can be assigned to specific scopes within Azure, such as subscriptions, resource groups, or even individual resources.

Info

It's important to recognize that with the introduction of Azure Arc, you can extend your policy-based governance across different cloud providers and even to your local datacenters.

Policies

Policies in Azure Policy are rules that enforce different requirements and effects on resources. These policies can be related to security, compliance, or management. For instance, you can have a policy that ensures all publicly accessible storage accounts are secured with a firewall or a policy that enforces a specific naming convention for virtual machines.

Key attributes of policies include: - Effect: Determines what happens when the condition in the policy is met (e.g., deny the action, audit the action, append a tag). - Condition: Defines when the policy is enforced based on properties of the resource being evaluated. - Action: Specifies what happens when a resource violates the policy (e.g., deny deployment, apply audit).

Policies can be built-in (provided by Azure) or custom (defined by the organization). They play a vital role in maintaining compliance and security standards across Azure environments.

Initiatives

Initiatives in Azure Policy are collections of policies that are grouped together as a single unit. This simplifies the process of assigning multiple policies to different scopes simultaneously. Initiatives help in enforcing complex requirements and compliance standards by grouping related policies together.

graph TD;
    A[Azure Policy] -->|Contains| B1[Policy 1]
    A[Azure Policy] -->|Contains| B2[Policy 2]
    A[Azure Policy] -->|Contains| B3[Policy 3]
    A[Azure Policy] -->|Contains| B4[Policy 4]
    B1[Policy 1] -->|Belongs to| C[Initiative 1]
    B2[Policy 2] -->|Belongs to| C[Initiative 1]
    B3[Policy 3] -->|Belongs to| D[Initiative 2]


    classDef azurePolicy fill:#f9f,stroke:#333,stroke-width:2px;
    classDef policy fill:#fc9,stroke:#333,stroke-width:2px;
    classDef initiative fill:#9cf,stroke:#333,stroke-width:2px;

    class A,B1,B2,B3,B4 azurePolicy;
    class C,D initiative;
    class D1,D2,E1,E2 policy;

Initiatives allow you to:

  • Apply multiple policies at once to a scope (like a subscription or management group).
  • Monitor compliance against a set of defined standards or regulations.
  • Streamline governance by organizing policies logically.

By using initiatives, you can efficiently manage and enforce compliance with regulatory standards (e.g., CIS benchmarks, PCI DSS) or organizational best practices.

Assignments

Assignments in Azure Policy are the mechanism to apply policies or initiatives to specific scopes within Azure. You can assign policies to subscriptions, resource groups, or even individual resources. Assignments help in enforcing governance and compliance standards across your Azure environment.

graph TD;
    A[Azure Policy] -->|Contains| B1[Policy 1]
    A[Azure Policy] -->|Contains| B2[Policy 2]
    A[Azure Policy] -->|Contains| B3[Policy 3]
    A[Azure Policy] -->|Contains| B4[Policy 4]
    B1[Policy 1] -->|Belongs to| C[Initiative 1]
    B2[Policy 2] -->|Belongs to| C[Initiative 1]
    B3[Policy 3] -->|Belongs to| D[Initiative 2]
    C[Initiative 1] -->|Assigned to| E[Subscription 1]
    D[Initiative 2] -->|Assigned to| F[Resource Group 1]
    B4[Policy 4] -->|Assigned to| G[Management Group 1]

    classDef azurePolicy fill:#f9f,stroke:#333,stroke-width:2px;
    classDef policy fill:#fc9,stroke:#333,stroke-width:2px;
    classDef initiative fill:#9cf,stroke:#333,stroke-width:2px;
    classDef assignment fill:#9f9,stroke:#333,stroke-width:2px;

    class A,B1,B2,B3,B4 azurePolicy;
    class C,D initiative;
    class E,F,G assignment;
    class D1,D2,E1,E2 policy;

Conclusion

In conclusion, Azure Policy, policies, and initiatives are fundamental components of Azure's governance framework. They enable organizations to define and enforce rules for Azure resources, ensuring adherence to compliance standards, security protocols, and operational guidelines. By leveraging these capabilities, Azure users can maintain control over their cloud environment while promoting consistency and security across deployments. If you're looking to enhance governance and compliance within Azure, exploring Azure Policy, policies, and initiatives is a crucial step forward.

References

Depurar logs de OneDrive para detectar problemas de sincronización

Necesitas WSL2

Para poder seguir este tutorial necesitas tener instalado WSL2 en tu equipo, si no lo tienes, puedes seguir este tutorial Instalar WSL2 en Windows 11 con chocolatey

Introducción

Llevo unos días con sync pending en algunos ficheros en mi OneDrive for Business sin ninguna razón aparente, por lo que he decidido investigar un poco y compartir como he resuelto el problema.

Lo primero es seguir la siguiente documentación de Microsoft que puede ser útil para alguien que tenga problemas de sincronización con OneDrive:

Fix OneDrive sync problems

Pero si no funciona, se puede obtener más información de los logs de OneDrive.

Pasos a seguir

1. Acceder a los logs de OneDrive

Para acceder a los logs de OneDrive, se debe seguir los siguientes pasos:

  1. Abrir el Explorador de archivos.
  2. Hacer clic en la flecha hacia arriba en la barra de direcciones.
  3. Pegar la siguiente ruta en la barra de direcciones y presionar Enter:
%localappdata%\Microsoft\OneDrive\logs\Business1
%localappdata%\Microsoft\OneDrive\logs\Personal

Ahora es necesario seleccionar los archivos de log más recientes y copiarlos a un directorio, los archivos pueden tener extensión .odl,.odlgz, .odlsent o .aold, también se debe incluir el fichero ObfuscationStringMap.txt o general.keystore.

2. Instalar el visor de logs de OneDrive

Para instalar el visor de logs de OneDrive, se debe seguir los siguientes pasos:

Descarga https://raw.githubusercontent.com/ydkhatri/OneDrive/main/odl.py y ejecuta el siguiente comando:

pip3 install pycryptodome
pip3 install construct
python odl.py -o <ruta de salida>/fichero.csv <ruta de los logs>

Por ejemplo:

python3 odl.py -o output/fichero.csv input/
WARNING: Multiple instances of some keys were found in the ObfuscationMap.
Read 40493 items from map
Recovered Unobfuscation key Churreradenumneros, version=1, utf_type=utf16
Searching  /mnt/c/Users/userdemo/Escritorio/input/SyncEngine-2023-09-04.0637.32.2.odl
Wrote 821 rows
Searching  /mnt/c/Users/userdemo/Escritorio/input/FileCoAuth-2023-09-03.0804.13536.1.odlgz
Wrote 203 rows
Searching  /mnt/c/Users/userdemo/Escritorio/input/FileCoAuth-2023-09-03.0804.14112.1.odlgz
.......
............
...............
Wrote 872 rows
Finished processing files, output is at output/fichero.csv
userdemo@DESKTOP:/mnt/c/Users/userdemo/Escritorio$

3. Analizar los logs

Una vez que se ha generado el fichero CSV, se puede abrir con Excel o cualquier editor de texto para analizar los logs y detectar problemas de sincronización, busca error o warn para averiguar que puede estar provocando el problema.

Solución

En mi caso, tras poder leer los logs de OneDrive, he descubierto que OneDrive no podía escribir varios ficheros en disco, luego recordé que el otro día mi equipo no se apagó bien.

Tras un chkdsk c: /F /R, fin de la historia, ahora todo funciona, espero que le resulte útil a alguien.

Referencias

  • https://github.com/ydkhatri/OneDrive/tree/main

Instalar WSL2 en Windows 11 con chocolatey

Introducción

Windows Subsystem for Linux (WSL) es una característica de Windows 11 que permite ejecutar un entorno de Linux en Windows. WSL2 es la segunda versión de WSL que ofrece un kernel de Linux completo y un mejor rendimiento en comparación con WSL1. Este análisis proporciona una guía paso a paso para instalar WSL2 en Windows 11.

Pasos a seguir

1. Instalar Chocolatey

Chocolatey es un administrador de paquetes para Windows que facilita la instalación y gestión de software. Para instalar Chocolatey, siga los siguientes pasos:

  1. Abra PowerShell como administrador.

  2. Ejecute el siguiente comando para instalar Chocolatey:

Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
  1. Espere a que se complete la instalación de Chocolatey.

2. Instalar WSL2

Para instalar WSL2 en Windows 11, siga los siguientes pasos:

  1. Abra PowerShell como administrador.

  2. Ejecute el siguiente comando para instalar WSL2:

choco install wsl2
3. Espere a que se complete la instalación de WSL2.

3. Configurar WSL2

Para configurar WSL2 en Windows 11, siga los siguientes pasos:

  1. Abra PowerShell como administrador.

  2. Ejecute el siguiente comando para configurar WSL2 como la versión predeterminada:

wsl --set-default-version 2
  1. Reinicie su computadora para aplicar los cambios.

4. Instalar una distribución de Linux

Para instalar una distribución de Linux en WSL2, siga los siguientes pasos:

  1. Abra PowerShell.

  2. Busque la distribución de Linux que desea instalar (por ejemplo, Ubuntu, Debian, Fedora)

wsl --list --online
  1. Ejecute el siguiente comando para instalar la distribución de Linux seleccionada:
wsl --install -d <nombre de la distribución>
  1. Espere a que se complete la instalación de la distribución de Linux.

5. Iniciar WSL2

Para iniciar WSL2 en Windows 11, siga los siguientes pasos:

  1. Abra PowerShell.

  2. Ejecute el siguiente comando para iniciar la distribución de Linux instalada:

wsl

Referencias

Azure Functions

Introduction

Azure Functions is a serverless compute service provided by Microsoft Azure. This analysis aims to provide a comprehensive understanding of Azure Functions, its architecture, deployment, scalability, security, and more.

Service Overview

Azure Functions allows developers to run small pieces of code (called "functions") without worrying about application infrastructure. With Azure Functions, the cloud infrastructure provides all the up-to-date servers needed to keep your applications running at scale.

Architecture and Components

Azure Functions is built on an event-driven, compute-on-demand experience that extends the existing Azure application platform with capabilities to implement code triggered by events occurring in Azure or third-party services.

Deployment and Configuration

Azure Functions can be deployed using the Azure portal, Azure Resource Manager (ARM) templates, or the Azure Command-Line Interface (CLI). Configuration settings can be managed through environment variables and application settings.

Scalability and Performance

Azure Functions supports auto-scaling based on the load, ensuring optimal performance. It also provides features like load balancing to distribute incoming traffic across multiple instances of a function app.

Security and Compliance

Azure Functions provides built-in authentication and authorization support. It also supports network isolation with Azure Virtual Network (VNet) and encryption of data at rest and in transit. Azure Functions complies with key international and industry-specific compliance standards like ISO, SOC, and GDPR.

Monitoring and Logging

Azure Functions integrates with Azure Monitor and Application Insights for monitoring and logging. It provides real-time information on how your function app is performing and where your application is spending its time.

Use Cases and Examples

Azure Functions is commonly used for processing data, integrating systems, working with the internet-of-things (IoT), and building simple APIs and microservices.

Best Practices and Tips

When using Azure Functions, it's recommended to keep functions small and focused on a single task. Also, avoid long-running functions as they may cause unexpected timeout issues.

If you are using long-running functions, consider using Durable Functions, which are an extension of Azure Functions that lets you write stateful functions in a serverless environment.

Conclusion

Azure Functions is a powerful service for running event-driven applications at scale. It offers a wide range of features and capabilities that can meet the needs of almost any application. We encourage you to explore Azure Functions further and see how it can benefit your applications.