From the course: Securing Azure Infrastructure with Bicep

Policy assignments and scopes

- [Instructor] Policy assignments are where your governance rules actually take effect. A policy definition is just a template until you assign it to a specific scope in your Azure environment. Understanding how to properly assign policies at different scopes is crucial for implementing effective governance without disrupting business operations.

Azure's hierarchical scope model gives you precise control over where policies apply. You can assign policies at the management group level to affect entire organizational units, at the subscription level to govern specific business areas, or at the resource group level for targeted control over specific applications or projects. The scope you choose determines both the reach and the impact of your policy. Management group assignments cascade down through all child subscriptions and resource groups, making them powerful tools for organization-wide governance. Subscription assignments affect everything within that subscription but leave other subscriptions unaffected. Resource group assignments provide surgical precision for specific workloads.

Think strategically about scope selection. Broad scopes like management groups are perfect for fundamental security and compliance requirements that should apply everywhere, like requiring encryption or preventing certain resource types. Narrow scopes like resource groups work well for environment-specific rules or experimental policies you're testing.

Here's how to assign a policy at the subscription level using Bicep. This subscription-level assignment ensures that every resource created within that subscription must have the specified tags. The policy will evaluate all new resources, and existing resources during compliance scans.

Resource group assignments provide more targeted control. You might use them for development environments that need different rules than production, or for specific applications that have unique compliance requirements. Multiple policy assignments can apply to the same resource, and all applicable policies are evaluated. This means a resource might need to satisfy policies assigned at the management group, subscription, and resource group level simultaneously. Design your policy hierarchy to avoid conflicts between different scopes of assignments.

Monitoring policy assignments across scopes is essential for understanding your governance posture. Azure provides compliance dashboards that show policy evaluation results across all your assignments, helping you identify areas where additional governance might be needed, or where existing policies might be too restrictive. Effective policy scope management balances governance needs with operational flexibility, ensuring compliance without creating unnecessary barriers to legitimate business activities.
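The subscription-scoped tag-requirement assignment the instructor describes, written out as an added Bicep example (this is not the course's own file). It defines a small custom policy definition inline rather than referencing a built-in one, so the whole definition-then-assignment relationship is visible in one template. The definition name `require-tag-on-resources`, the assignment name `require-tag-sub`, and the default tag name `costCenter` are assumed values chosen for illustration.

```bicep
// Added example: custom tag-enforcement definition plus a subscription-scoped assignment.
// Deploy at subscription scope, e.g.:
//   az deployment sub create --location eastus --template-file main.bicep
targetScope = 'subscription'

@description('Tag every resource in this subscription must carry (assumed default for illustration).')
param requiredTagName string = 'costCenter'

@description('Start with Audit to measure impact; switch to Deny once the estate is compliant.')
@allowed([
  'Audit'
  'Deny'
])
param policyEffect string = 'Audit'

// The definition is only a template; nothing is evaluated until it is assigned to a scope.
resource requireTagDefinition 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'require-tag-on-resources' // assumed name
  properties: {
    displayName: 'Require a tag on resources'
    policyType: 'Custom'
    // Indexed mode limits evaluation to resource types that support tags and location.
    mode: 'Indexed'
    parameters: {
      tagName: {
        type: 'String'
        metadata: {
          displayName: 'Tag name'
        }
      }
      effect: {
        type: 'String'
        allowedValues: [
          'Audit'
          'Deny'
        ]
        defaultValue: 'Audit'
      }
    }
    policyRule: {
      if: {
        // Bicep escapes strings that begin with '[' so Azure Policy, not ARM, evaluates them.
        field: '[concat(\'tags[\', parameters(\'tagName\'), \']\')]'
        exists: 'false'
      }
      then: {
        effect: '[parameters(\'effect\')]'
      }
    }
  }
}

// The assignment binds the definition to this subscription; every child resource group inherits it.
resource requireTagAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'require-tag-sub' // assumed name
  properties: {
    displayName: 'Require ${requiredTagName} tag on all resources'
    policyDefinitionId: requireTagDefinition.id
    // 'DoNotEnforce' keeps compliance reporting but skips the effect while you test.
    enforcementMode: 'Default'
    parameters: {
      tagName: {
        value: requiredTagName
      }
      effect: {
        value: policyEffect
      }
    }
    nonComplianceMessages: [
      {
        message: 'Resources in this subscription must carry the ${requiredTagName} tag.'
      }
    ]
  }
}

output assignmentId string = requireTagAssignment.id
```

Deploying with `policyEffect` left at `Audit` (or with `enforcementMode` set to `DoNotEnforce`) lets the compliance dashboard show which existing resources would fail before anything is blocked, which is the practical way to try a policy at a narrow scope first. To make the same assignment at resource group scope instead, change `targetScope` to `'resourceGroup'`, keep the definition at subscription scope (definitions cannot live in a resource group), and deploy with `az deployment group create`.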
