Azure Resource Manager Policies

A little while ago, we looked at Azure Resource Manager (ARM) and how important it is for managing “version 2” of Azure. If you don’t know what ARM is, read that article first.
Profile gravatar of Paul Schnackenburg

Paul Schnackenburg

Paul Schnackenburg works part time as an IT teacher as well as running his own business in Australia. He has MCSE, MCT, MCTS and MCITP certifications. Follow his blog TellITasITis.
Profile gravatar of Paul Schnackenburg

What’s been lacking in Azure up until now has been a comprehensive framework for IT to be able to add governance to the business’s cloud deployments, compounding the shadow IT problem. In early October, 2015, Azure added Azure Resource Manager Policies to control what can be deployed to Azure and by whom, and where it can be hosted.

Marrying ARM, policies, and RBAC ^

Policies use a default allow system, meaning that if you haven’t explicitly denied something it’ll be permitted. This is in contrast to Azure Roles-Based Access Control (RBAC), which uses default deny. A policy can be scoped to a whole subscription, a Resource Group (RG), or an individual resource in an RG, which is exactly the same as RBAC permission scopes.

To give an analogy, you can set NTFS permissions on the root of a drive. Doing so will apply to all folders on that drive (unless you exempt them). Alternatively, you can set the permissions on a folder, which will apply to all the files (objects) in that folder. Or you could assign permission to an individual file. And, just like in the NTFS example, in most cases you’ll probably set some overall policies for the entire subscription and then set some policies on RGs; however, you’ll rarely set policies on individual objects.

Policies are defined in Java Script Object Notation (JSON) just like ARM templates. First, you define one or more conditions, and you can use Not, And (expressed as allOf), or Or (anyOf) to combine these conditions. The conditions can be defined with Equals, Like, Contains, In, and ContainsKey. Fields to build your conditions with are Name, Kind, Type, Location, Tags, Tags.*. The effect field can be set to either Deny or Audit; the latter isn’t mentioned in the official documentation—only in an Azure Con 2015 September presentation.

Here’s an example of how you can limit deployments to Australia only:

ARM policies are initially aimed at the following governance scenarios: requiring that a cost center tag is attached to any new deployments, limiting deployments to specific regions, limiting what resources can be deployed, and enforcing a naming convention.

No GUI at this time ^

Like so many new features in Azure, this one comes with two ways to interact with it: using the API or using PowerShell. Since I’m allergic to REST APIs, I’ll show you how to create a policy using PowerShell. Start by downloading the latest version of Azure PowerShell. I used the latest 1.0 preview.

Log in to your subscription with Add-AzureAccount. If you have several subscriptions, use Set-AzureSubscription –SubscriptionID <GUID> to set the correct one. The cmdlets are
-AzureRmPolicyDefinition with the New, Get, Set, and Remove verbs and are applied with the ‑AzureRMPolicyAssignment cmdlet.

First, we create a policy definition with:

Creating an ARM policy definition

Creating an ARM policy definition

Unlike what the official documentation says, I then had to run the following to capture the new policy in a variable:

Then, we apply our new policy to a subscription (in my case, you could apply this to a particular RG or resource) with:

Applying a policy to a subscription

Applying a policy to a subscription

That’s all there is to it. This is a simple policy that gives the expected “forbidden” result when I try to create a VM in the East US region.

Attempting deployment of a VM in East US fails

Attempting deployment of a VM in East US fails

Conclusion ^

ARM policies are certainly the next logical step in Azure governance, and they cover the most logical restrictions most businesses will want to implement. But, as with most things in Azure, I really miss a GUI to create them. If I want to limit what types of resources people can create, it would be preferable to pick them from a list in a GUI instead of having to add them in text in PowerShell. Just like with ARM templates, I suspect that support for ARM policies will be added to Visual Studio, and that’s where you can build with a more visual approach.

Take part in our competition and win $100!

Related Posts

  1. avatar
    Aivendil 1 year ago


    I appreciate your articles about Microsoft Azure Cloud. I have a question I am struggling to find the answer for and hope that you can help or at least guide me.

    I am helping to build an Azure environment and the client wants to have several separate VNETs in one region. They have ExpressRoute connection to their onpremise network. What they want is to have:
    - two VNETs connected to the ExpressRoute directly
    - same two VNETS connected to each other (I know that they can communicate with each other as long as they are linked to the same ExpressRoute circuit, but how would the traffic flow? Will it be counted as ER traffic or shall it flow through Azure backbone as if I had a VNET-to-VNET connection?)
    - two other VNETs should only be connected to the first ones and not to the ER circuit itslef

    This raises a problem, because I cannot create a VNET-to-VNET connection on the same Virtual Network Gateway that I use for ExpressRoute.

    So the questions are:
    - Can I have more than one Virtual Network Gateway for one VNET? (PowerShell commands I use throw an error that I can't but I was not able to find this limitation anywhere)
    - Is the traffic between two VNETs connected to the same ExpressRoute circuit counted as VNET-to-VNET or as an ER traffic?
    - How this is usually done? I can't believe that I am the first person trying to have several VNETs only some of which are linked to ExpressRoute circuit, but all of which are connected between each other! Still I cannot find any guidelines on how to build this!

    Can you help me with any of these questions or at least suggest where to dig?

  2. Profile gravatar of Paul Schnackenburg Author
    Paul Schnackenburg 1 year ago

    Hi Aivendil,

    Thanks for your questions, sorry about the delay in answering (holidays and all that).

    I don't think I can answer all of these. My favourite place to find the details on this sort of stuff in Azure documentation. There are a couple of places I would suggest:
    You could also ask on that blog - perhaps they'd know more.
    According to this page,, the following applies:
    You can link up to 10 virtual networks to an ExpressRoute circuit.
    You can authorize up to 10 other Azure subscriptions to use a single ExpressRoute circuit. This limit can be increased by enabling the ExpressRoute premium feature.
    Virtual machines deployed in virtual networks connected to the same ExpressRoute circuit can communicate with each other.

    None of that really answers your questions though. I suspect that you should be able to build a vnet.xml (can be exported from the Azure console) file with all the right configurations and then import that. Have you tried that?

    Hope that helps a little bit 🙂

  3. Profile gravatar of Rustem Gumbeev
    Rustem Gumbeev 1 year ago

    Will try searching that blog for useful info.

    As for manually edditing the xml file - I thought that this was only possible in the Classic model. Can I do that in ARM?

    • Profile gravatar of Paul Schnackenburg Author
      Paul Schnackenburg 1 year ago

      Hi again,

      You are right - it's no longer possible to edit the network configuration file using Resource Manager. I had it in my mind that you still could but no go. I learn something new every day - thanks 🙂

  4. Profile gravatar of Rustem Gumbeev
    Rustem Gumbeev 1 year ago

    Just to confirm - Aivendil is me. I registered on 4sysops to make followup easier and also since I found a lot of interesting stuff here and decided to visit it more often:)


Leave a reply

Your email address will not be published. Required fields are marked *



Please ask IT administration questions in the forum. Any other messages are welcome.

© 4sysops 2006 - 2017
Do NOT follow this link or you will be banned from the site!

Log in with your credentials


Forgot your details?

Create Account