Welcome to this lab
This lab will guide you through the creation and management of Azure Policies and Assignments using Azure DevOps
The goal of this Lab is to put focus on how to create and deploy Azure Policies and assignments using ARM Templates, Azure DevOps Repos or Github and Azure DevOps Pipelines.
However, this Lab will not explain the required DevOps toolset, so in order to succeed with this lab you need to know how to work with:
- ARM Templates
- Azure Repos / Github
- Azure Pipelines (Classic and YAML)
The Azure Az PowerShell module will be needed.
# Install Module Azure Az
Register-PSRepository -Default
Install-Module Az -ForceYou will need Git to work with your Github / Azure Repo. You can install Git at https://git-scm.com/downloads
You will need a IDE to let you work with an Azure DevOps or GitHub Repository and ARM Templates. We recommend that you use Visual Studio Code for this lab with at least the following extensions installed:
You can use a pre-provisioned environment for this lab in Cloud Labs.
This environment will provision for you:
- An Azure DevOps Organization
- An Azure Subscription
- An Azure Resource Group
- An AAD User with Owner permissions assigned to the Resource Group and permissions to work with Policies at subscription level
- An AAD Service Principal with Owner permissions assigned to the Resource Group and permissions to work with Policies at subscription level.
Once provisioned, make sure that follow these steps:
- Create an Azure DevOps Project inside the provided Organization, it can created following this steps.
- Configure to add the provisioned Service Principal to the Azure DevOps project as a Azure RM Service Connection.
With this configuration ready, you can use Visual Studio Code to clone your Github repository or the DevOps Repo in this project and start the lab.
If you want to do this lab in your own environment instead of the Pre-provisioned environment, you need to configure the prerequisites listed below:
You will write and version your ARM Templates using a Git Repo. We recommend the following options for using as Git repository:
- Option 1 - Azure DevOps Repos: See how to get your free Azure DevOps Project here
- Option 2 - GitHub repos: see how to get your Github account.
See how to clone your Repo with Visual Studio Code
You will configure CD and CI using Azure Pipelines. You will need an Azure DevOps Project here in order to use Pipelines.
You can use both Azure Repos and Github with your Pipelines
You wil use a Service Principal connected to your Azure DevOps pipelines that will allow you to deploy resources to Azure.
If you have your own Azure Subscription, you can let Azure DevOps create one Service Principal for you.
If you don't have access to your own subscription, you can use the following Service Principal:
Subscription ID : 67e1610d-40e5-4d22-9346-f860a28825d7
Application (client) ID : e1aae0bd-8491-4262-a237-5fddd2dbc7e2
Directory (tenant) ID : 72f988bf-86f1-41af-91ab-2d7cd011db47
Password : xlBI/mVq7MH8A7jQU3QTPb ffbbLZS]-
Custom Policies and Initiatives are defined at Subscription level, so for this lab you will need to have access to one Azure Subscription.
If you don't have one, we will grant you access to our Azure Policies Lab subscription
In this subscription:
Your Deployment Service Principal needs to have at least the following permissions:
| Action | Description |
|---|---|
| */read | Read resources of all types, except secrets |
| Microsoft.Authorization/policyassignments/* | Create and manage policy assignments |
| Microsoft.Authorization/policydefinitions/* | Create and manage policy definitions |
| Microsoft.Authorization/policysetdefinitions/* | Create and manage policy sets |
| Microsoft.PolicyInsights/* | Work with compliance information |
| Microsoft.Resources/checkPolicyCompliance/* | Check the compliance status of a given resource against resource policies |
| Microsoft.Resources/deployments/* | Manage Deployments at Subscription level |
| Microsoft.Resources/subscriptions/resourcegroups/* | Manage Deployments at Resource Group level |
| Microsoft.KeyVault/* | Work with Key Vaults |
| Microsoft.Compute/* | Work with Virtual Machines |
| Microsoft.Storage/* | Work with Storage Accounts |
| Microsoft.Network/* | Work with Virtual Networks |
Your user needs to have at least the following permissions:
| Action | Description |
|---|---|
| */read | Read resources of all types, except secrets. |
| Microsoft.Authorization/policyassignments/* | Create and manage policy assignments |
| Microsoft.Authorization/policydefinitions/* | Create and manage policy definitions |
| Microsoft.Authorization/policysetdefinitions/* | Create and manage policy sets |
| Microsoft.PolicyInsights/* | Work with compliance information |
| Microsoft.Resources/checkPolicyCompliance/* | Check the compliance status of a given resource against resource policies |
| Microsoft.Resources/deployments/* | Manage Deployments at Subscription level |
| Microsoft.Resources/subscriptions/resourcegroups/* | Manage Deployments at Resource Group level |
| Microsoft.Storage/* | Work with Storage Accounts |
Register the Azure Policy Insights resource provider using Azure PowerShell to validate that your subscription works with the resource provider. To register a resource provider, you must have permission to run the register action operation for the resource provider. This operation is included in the Contributor and Owner roles.
Run the following command to register the resource provider:
Register-AzResourceProvider -ProviderNamespace 'Microsoft.PolicyInsights'