
Managing Governance via Azure Policy


This lab teaches you how to implement organizational governance using Azure Policy and resource tagging. You'll learn to enforce resource tagging, update existing resources, and use resource locks.

Scenario

Improve Azure resource management by:

  1. Applying resource tags for metadata.

  2. Enforcing resource tags for new resources.

  3. Updating existing resources with tags.

  4. Using resource locks for protection.


Architecture Diagram

Diagram of the task architecture.

Task 1: Assign Tags

  1. Sign in to the Azure portal: https://portal.azure.com

  2. Create a resource group (e.g., az104-rg2 in East US).

  3. On the Tags tab, create a tag (e.g., Cost Center: 000).

Screenshot of the policy definition.

Task 2: Enforce Tagging

  1. Navigate to: Policy > Authoring > Definitions > find “Require a tag and its value on resources”

  2. Click "Assign" and select your subscription and resource group.

  3. Configure the assignment:

     Assignment name: Require Cost Center tag with Default value

     Description: Require Cost Center tag with default value for all resources in the resource group

     Policy enforcement: Enabled

  4. Set parameters (e.g., Tag Name: Cost Center, Tag Value: 000).

  5. Create the assignment. A new assignment can take several minutes to start being enforced.

  6. Try creating a storage account in the resource group without the tag to verify enforcement. The Deny effect rejects the request at deployment time, and it rejects it just the same when the tag is present with a value other than 000. The deployment fails with an error like the following:

    Screenshot of the disallowed policy error.

Task 3: Apply Tagging

  1. Navigate to: Policy > Authoring > Assignments

  2. Delete the previous assignment.

  3. Assign the "Inherit a tag from the resource group if missing" policy.

  4. Configure the assignment:

     Assignment name: Inherit the Cost Center tag and its value 000 from the resource group if missing

     Description: Inherit the Cost Center tag and its value 000 from the resource group if missing

     Policy enforcement: Enabled

  5. Set parameters (e.g., Tag Name: Cost Center).

  6. Enable the remediation task. This policy uses the Modify effect, so the assignment needs a managed identity that holds the role named in the definition (Contributor) at the assignment scope; the portal creates a system-assigned identity and the role assignment for you when you enable remediation.

     Policy to remediate: Inherit a tag from the resource group if missing

  7. Create the assignment. The remediation task tags resources that already exist in the group; resources created afterwards are tagged by the Modify effect as part of the create request.

  8. Create a storage account without the tag and check its Tags blade to verify that the Cost Center tag was added automatically.

Screenshot of the policy remediation page.
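The portal steps above hide what the two policy rules actually test. As an added example (not code from the original lab or from Microsoft), the following Python script evaluates simplified copies of the two built-in rules from Tasks 2 and 3 against in-memory resources, so you can see exactly when Deny fires and when Modify adds the tag. The rule bodies mirror the logic of the built-in definitions (their roleDefinitionIds, mode and metadata are omitted; confirm the current JSON under Policy > Definitions in your tenant). The evaluator itself, the sample resource group tags and the three storage-account requests are constructed for illustration and are not the Azure Policy engine.

```python
"""Offline simulation of the two built-in policy rules used in Tasks 2 and 3.

Added example: a small evaluator for the subset of policy rule syntax these
rules use (field/value, exists/equals/notEquals, not/allOf). It is not the
Azure Policy engine; mode (Indexed) and role assignments are not modelled.
"""
import copy
import re

# Rule bodies mirror "Require a tag and its value on resources" (deny) and
# "Inherit a tag from the resource group if missing" (modify).
REQUIRE_TAG_AND_VALUE = {
    "if": {"not": {
        "field": "[concat('tags[', parameters('tagName'), ']')]",
        "equals": "[parameters('tagValue')]",
    }},
    "then": {"effect": "deny"},
}

INHERIT_TAG_IF_MISSING = {
    "if": {"allOf": [
        {"field": "[concat('tags[', parameters('tagName'), ']')]", "exists": "false"},
        {"value": "[resourceGroup().tags[parameters('tagName')]]", "notEquals": ""},
    ]},
    "then": {"effect": "modify", "details": {"operations": [{
        "operation": "add",
        "field": "[concat('tags[', parameters('tagName'), ']')]",
        "value": "[resourceGroup().tags[parameters('tagName')]]",
    }]}},
}

_PARAM = r"parameters\('(\w+)'\)"


def _tag(tags, name):
    """Azure tag names are case-insensitive: return (stored key, value) or (None, None)."""
    for key, value in (tags or {}).items():
        if key.casefold() == name.casefold():
            return key, value
    return None, None


def resolve(expr, params, rg_tags):
    """Evaluate the three ARM expression shapes these rules use; pass anything else through."""
    if not isinstance(expr, str):
        return expr
    if m := re.fullmatch(rf"\[{_PARAM}\]", expr):
        return params[m.group(1)]
    if m := re.fullmatch(rf"\[concat\('tags\[', {_PARAM}, '\]'\)\]", expr):
        return f"tags[{params[m.group(1)]}]"
    if m := re.fullmatch(rf"\[resourceGroup\(\)\.tags\[{_PARAM}\]\]", expr):
        return _tag(rg_tags, params[m.group(1)])[1] or ""  # missing RG tag resolves to ""
    return expr


def _field(resource, field):
    if m := re.fullmatch(r"tags\[(.+)\]", field):
        return _tag(resource.get("tags"), m.group(1))[1]
    return resource.get(field)


def _eq(a, b):
    """Policy string comparisons are case-insensitive."""
    if isinstance(a, str) and isinstance(b, str):
        return a.casefold() == b.casefold()
    return a == b


def evaluate(cond, resource, params, rg_tags):
    """Return True when the rule's 'if' block matches the resource."""
    if "not" in cond:
        return not evaluate(cond["not"], resource, params, rg_tags)
    if "allOf" in cond:
        return all(evaluate(c, resource, params, rg_tags) for c in cond["allOf"])
    if "field" in cond:
        lhs = _field(resource, resolve(cond["field"], params, rg_tags))
    else:
        lhs = resolve(cond["value"], params, rg_tags)
    if "exists" in cond:
        return (lhs is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return _eq(lhs, resolve(cond["equals"], params, rg_tags))
    if "notEquals" in cond:
        return not _eq(lhs, resolve(cond["notEquals"], params, rg_tags))
    raise ValueError(f"unsupported condition: {cond}")


def apply_policy(rule, params, resource, rg_tags):
    """Return (effect, resource_after) for one rule applied to one create/update request."""
    resource = copy.deepcopy(resource)
    if not evaluate(rule["if"], resource, params, rg_tags):
        return "none", resource
    effect = rule["then"]["effect"]
    if effect == "modify":
        tags = resource.setdefault("tags", {})
        for op in rule["then"]["details"]["operations"]:
            name = re.fullmatch(r"tags\[(.+)\]", resolve(op["field"], params, rg_tags)).group(1)
            key, _ = _tag(tags, name)
            if op["operation"] == "add" and key is not None:
                continue  # 'add' never overwrites; only 'addOrReplace' would
            tags[key or name] = resolve(op["value"], params, rg_tags)
    return effect, resource


if __name__ == "__main__":
    # Constructed sample: the Task 1 resource group plus three storage account requests.
    params = {"tagName": "Cost Center", "tagValue": "000"}
    rg_tags = {"Cost Center": "000"}
    requests = {
        "untagged": {"type": "Microsoft.Storage/storageAccounts", "tags": {}},
        "wrong value": {"type": "Microsoft.Storage/storageAccounts", "tags": {"Cost Center": "123"}},
        "compliant": {"type": "Microsoft.Storage/storageAccounts", "tags": {"cost center": "000"}},
    }
    for label, req in requests.items():
        deny, _ = apply_policy(REQUIRE_TAG_AND_VALUE, params, req, rg_tags)
        inherit, after = apply_policy(INHERIT_TAG_IF_MISSING, params, req, rg_tags)
        print(f"{label:12} require->{deny:5} inherit->{inherit:6} tags after={after['tags']}")
```

Running it shows the two behaviours the lab only hints at: the Task 2 rule denies both the untagged request and the one carrying Cost Center=123, while the Task 3 rule adds the tag only when the resource lacks it and the resource group's own tag is non-empty, and it never overwrites a value that is already there (that is why the wrong-value resource stays non-compliant under the Task 2 rule even after Task 3). The real engine additionally restricts the Task 2 rule to taggable resource types via mode Indexed, which this simulation leaves out.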

Task 4: Configure Resource Locks

  1. Navigate to your resource group > Settings > Locks > Add

  2. Create a lock (e.g., rg-lock with lock type Delete, shown as CanNotDelete in the API). A lock on the resource group is inherited by every resource in it.

  3. Try deleting the resource group to verify the lock. Note that a lock only guards against accidental deletion: anyone with Microsoft.Authorization/locks/* permission (for example Owner or User Access Administrator) can remove it and then delete the group.

    Screenshot of the failure to delete message.

Cleanup

Delete the lab resources to avoid unnecessary costs. Remove the rg-lock lock from Task 4 first (resource group > Settings > Locks > Delete); while it is in place, every method below fails.

  • Azure portal: Delete the resource group.

  • PowerShell: Remove-AzResourceGroup -Name resourceGroupName

  • CLI: az group delete --name resourceGroupName

Key Takeaways

  • Azure tags are key-value pairs used as metadata for resources.

  • Azure Policy enforces conventions and compliance for resources.

  • Remediation tasks bring existing non-compliant resources into compliance for policies that use the Modify or DeployIfNotExists effect; new resources are handled by the effect itself at deployment time.

  • Resource locks prevent accidental deletion or modification, but not deletion by a principal that has permission to remove the lock.

  • Azure Policy acts at deployment time (Deny rejects a non-compliant request before the resource exists, Modify corrects it as part of the request) and also audits and remediates resources already deployed; RBAC controls which identities may perform which operations; resource locks protect resources that already exist.
