Configure Azure Policy Flashcards

1
Q

Create management groups

A

Organizations that use multiple subscriptions need a way to efficiently manage access, policies, and compliance. Azure management groups provide a level of scope and control above your subscriptions. You can use management groups as containers to manage access, policy, and compliance across your subscriptions.

2
Q

Consider the following characteristics of Azure management groups:

A

By default, all new subscriptions are placed under the top-level management group, or root group.

All subscriptions within a management group automatically inherit the conditions applied to that management group.

A management group tree can support up to six levels of depth.

Azure role-based access control authorization for management group operations isn’t enabled by default.

3
Q

Consider custom hierarchies and groups

A

Align your Azure subscriptions by using custom hierarchies and grouping that meet your company’s organizational structure and business scenarios. You can use management groups to target policies and spending budgets across subscriptions.

4
Q

Consider policy inheritance.

A

Control the hierarchical inheritance of access and privileges in policy definitions. All subscriptions within a management group inherit the conditions applied to the management group. You can apply policies to a management group to limit the regions available for creating virtual machines (VMs). The policy can be applied to all management groups, subscriptions, and resources under the initial management group, to ensure VMs are created only in the specified regions.

5
Q

Consider compliance rules

A

Organize your subscriptions into management groups to help meet compliance rules for individual departments and teams.

6
Q

Consider cost reporting.

A

Use management groups to do cost reporting by department or for specific business scenarios. You can use management groups to report on budget details across subscriptions.

7
Q

Create management groups

A

You can create a management group with Azure Policy by using the Azure portal, PowerShell, or the Azure CLI.
A management group has a directory unique identifier (ID) and a display name. The ID is used to submit commands on the management group. The ID value can’t be changed after it’s created because it’s used throughout the Azure system to identify the management group. The display name for the management group is optional and can be changed at any time.

8
Q

Azure Policy: Enforce rules and compliance

A

Enable built-in policies, or build custom policies for all resource types. Support real-time policy evaluation and enforcement, and periodic or on-demand compliance evaluation.

9
Q

Azure Policy: Apply policies at scale

A

Apply policies to a management group for control across your entire organization. Apply multiple policies and aggregate their policy states with a policy initiative. Define an exclusion scope.

10
Q

Azure Policy: Perform remediation

A

Conduct real-time remediation, and remediation on your existing resources.

11
Q

Azure Policy: Exercise governance

A

Implement governance tasks for your environment:
- Support multiple engineering teams (deploying to and operating in the environment)
- Manage multiple subscriptions
- Standardize and enforce how cloud resources are configured
- Manage regulatory compliance, cost control, security, and design consistency

12
Q

Consider deployable resources

A

Specify the resource types that your organization can deploy by using Azure Policy. You can specify the set of virtual machine SKUs that your organization can deploy.

13
Q

Consider location restrictions

A

Restrict the locations your users can specify when deploying resources. You can choose the geographic locations or regions that are available to your organization.

14
Q

Consider rules enforcement

A

Enforce compliance rules and configuration options to help manage your resources and user options. You can enforce a required tag on resources and define the allowed values.

15
Q

Consider inventory audits

A

Use Azure Policy with the Azure Backup service on your VMs and run inventory audits.

16
Q

Create Azure policies

A

Azure administrators use Azure Policy to create policies that define conventions for resources. A policy definition describes the compliance conditions for a resource and the actions to complete when the conditions are met. One or more policy definitions are grouped into an initiative definition to control the scope of your policies and evaluate the compliance of your resources.

17
Q

Step 1: Create policy definitions

A

A policy definition expresses a condition to evaluate and the actions to perform when the condition is met. You can create your own policy definitions, or choose from built-in definitions in Azure Policy. For example, you can create a policy definition that prevents VMs in your organization from being deployed if they’re exposed to a public IP address.

18
Q

Step 2: Create an initiative definition

A

An initiative definition is a set of policy definitions that help you track your resource compliance state to meet a larger goal. You can create your own initiative definitions, or use built-in definitions in Azure Policy. You can use an initiative definition to ensure resources are compliant with security regulations.

19
Q

Step 3: Scope the initiative definition

A

Azure Policy lets you control how your initiative definitions are applied to resources in your organization. You can limit the scope of an initiative definition to specific management groups, subscriptions, or resource groups.

20
Q

Step 4: Determine compliance

A

After you assign an initiative definition, you can evaluate the state of compliance for all your resources. Individual resources, resource groups, and subscriptions within a scope can be exempted so that the policy rules don’t affect them. Exclusions are handled individually for each assignment.

21
Q

Create policy definitions

A

Azure Policy offers built-in policy definitions to help you quickly configure control conditions for your resources. In addition to the built-in policies, you can also create your own definitions, or import definitions from other sources.

22
Q

Built-in policy definitions: Allowed virtual machine size SKUs

A

Specify a set of VM size SKUs that your organization can deploy. This policy is located under the Compute category.

23
Q

Built-in policy definitions: Allowed locations

A

Restrict the locations users can specify when deploying resources. Use this policy to enforce your geo-compliance requirements. This policy is located under the General category.

24
Q

Built-in policy definitions: Configure Azure Device Update for IoT Hub accounts to disable public network access

A

Disable public network access for your Device Update for IoT Hub resources. This policy is located under the Internet of Things category.

25
Q

Create an initiative definition

A

After you determine your policy definitions, the next step is to create an initiative definition for your policies. An initiative definition has one or more policy definitions. One example for using initiative definitions is to ensure your resources are compliant with security regulations.
Tip: Even if you have only a few policy definitions in your organization, we recommend creating and applying an initiative definition.

26
Q

Built-in initiative definitions: Audit machines with insecure password security settings

A

Use this initiative to deploy an audit policy to specified resources in your organization. The definition evaluates the resources to check for insecure password security settings. This initiative is located in the Guest Configuration category.

27
Q

Built-in initiative definitions: Configure Windows machines to run Azure Monitor Agent and associate them to a Data Collection Rule

A

Use this initiative to monitor and secure your Windows VMs, Virtual Machine Scale Sets, and Arc machines. The definition deploys the Azure Monitor Agent extension and associates the resources with a specified Data Collection Rule. This initiative is located in the Monitoring category.

28
Q

Built-in initiative definitions: Configure Azure Defender to be enabled on SQL servers

A

Enable Azure Defender on your Azure SQL Servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. This initiative is located in the SQL category.

29
Q

Scope the initiative definition

A

After you create your initiative definition, the next step is to assign the initiative to establish the scope for the policies. The scope determines what resources or grouping of resources are affected by the conditions of the policies.

30
Q

Determine compliance

A

You have your policies defined, your initiative definition created, and your policies assigned to affected resources. The last step is to evaluate the state of compliance for your scoped resources.