3.2.3 Describe the Purpose of Azure Policy
Description of the purpose of Azure Policy.
Azure Policy allows you to create, assign and manage policies that control (enforce rules on) or audit your Azure resources.
How does Azure Policy Define Policies?
Azure Policy allows you to define an individual policy or a group of related policies (called an initiative). It evaluates resources to determine whether they are compliant with your policy and can also prevent non-compliant resources from being created. Policies can be assigned at the level of a resource, a resource group, a subscription and so on. Policy assignments are inherited, so if you assign a policy to a resource group then all resources within that group automatically receive the same policy.
Azure Policy comes with built-in policy and initiative definitions for areas such as Storage and Networking. In certain cases, Azure Policy can remediate non-compliant resources. For example, if there is a policy that says all resources must carry the tag "CompanyResource", then Azure Policy can automatically apply the tag if it is missing. If you don't want this for a particular resource, it can be marked as an exception (exempted from the assignment).
What are Azure Policy Initiatives?
An initiative is a way of grouping related policies together. For example, Azure Policy includes a built-in initiative called "Enable Monitoring in Azure Security Center", which defines, among others, the following policies:
Monitor Unencrypted SQL Database in Security Center: monitors for unencrypted SQL databases and servers.
Monitor OS Vulnerabilities in Security Center: monitors servers which do not satisfy the configured OS vulnerability baseline.
Monitor Missing Endpoint Protection in Security Center: monitors servers which do not have an endpoint protection agent installed.