Merge pull request #87226 from DCtheGeek/dmc-policy-enforcement

Adding enforcementMode details

Author: ktoliver

articles/governance/policy/concepts/assignment-structure.md

@@ -0,0 +1,112 @@
+---
+title: Details of the policy assignment structure
+description: Describes the policy assignment definition used by Azure Policy to relate policy definitions and parameters to resources for evaluation.
+author: DCtheGeek
+ms.author: dacoulte
+ms.date: 09/23/2019
+ms.topic: conceptual
+ms.service: azure-policy
+manager: carmonm
+---
+# Azure Policy assignment structure
+
+Policy assignments are used by Azure Policy to define which resources are assigned while policies or
+initiatives. The policy assignment can determine the values of parameters for that group of
+resources at assignment time, making it possible to reuse policy definitions that address the same
+resource properties with different needs for compliance.
+
+The schema used by Azure Policy can be found here: [https://docs.microsoft.com/azure/templates/microsoft.authorization/2019-01-01/policyassignments](/azure/templates/microsoft.authorization/2019-01-01/policyassignments)
+
+You use JSON to create a policy assignment. The policy definition contains elements for:
+
+- display name
+- description
+- metadata
+- enforcement mode
+- policy definition
+- parameters
+
+For example, the following JSON shows a policy assignment in _DoNotEnforce_ mode with dynamic parameters:
+
+```json
+{
+    "properties": {
+        "displayName": "Enforce resource naming rules",
+        "description": "Force resource names to begin with DeptA and end with -LC",
+        "metadata": {
+            "assignedBy": "Cloud Center of Excellence"
+        },
+        "enforcementMode": "DoNotEnforce",
+        "policyDefinitionId": "/subscriptions/{mySubscriptionID}/providers/Microsoft.Authorization/policyDefinitions/ResourceNaming",
+        "parameters": {
+            "prefix": {
+                "value": "DeptA"
+            },
+            "suffix": {
+                "value": "-LC"
+            }
+        }
+    }
+}
+```
+
+All Azure Policy samples are at [Azure Policy samples](../samples/index.md).
+
+## Display name and description
+
+You use **displayName** and **description** to identify the policy assignment and provide context
+for its use with the specific set of resources. **displayName** has a maximum length of _128_
+characters and **description** a maximum length of _512_ characters.
+
+## Enforcement Mode
+
+The **enforcementMode** property provides customers the ability to test the outcome of a policy on
+existing resources without initiating the policy effect or triggering entries in the [Azure Activity log](../../../azure-monitor/platform/activity-logs-overview.md).
+This scenario is commonly referred to as "What If" and aligns to safe deployment practices.
+
+This property has the following values:
+
+|Mode |JSON Value |Type |Remediate manually |Activity log entry |Description |
+|-|-|-|-|-|-|
+|Enabled |Default |string |Yes |Yes |The policy effect is enforced during resource creation or update. |
+|Disabled |DoNotEnforce |string |Yes |No | The policy effect isn't enforced during resource creation or update. |
+
+If **enforcementMode** isn't specified in a policy or initiative definition, the value _Default_ is
+used. [Remediation tasks](../how-to/remediate-resources.md) can be started for [deployIfNotExists](./effects.md#deployifnotexists)
+policies, even when **enforcementMode** is set to _DoNotEnforce_.
+
+## Policy definition ID
+
+This field must be the full path name of either a policy definition or an initiative definition.
+`policyDefinitionId` is a string and not an array. It's recommended that if multiple policies are
+often assigned together, to use an [initiative](./definition-structure.md#initiatives) instead.
+
+## Parameters
+
+This segment of the policy assignment provides the values for the parameters defined in the [policy definition or initiative definition](./definition-structure.md#parameters).
+This design makes it possible to reuse a policy or initiative definition with different resources,
+but check for different business values or outcomes.
+
+```json
+"parameters": {
+    "prefix": {
+        "value": "DeptA"
+    },
+    "suffix": {
+        "value": "-LC"
+    }
+}
+```
+
+In this example, the parameters previously defined in the policy definition are `prefix` and
+`suffix`. This particular policy assignment sets `prefix` to **DeptA** and `suffix` to **-LC**. The
+same policy definition is reusable with a different set of parameters for a different department,
+reducing the duplication and complexity of policy definitions while providing flexibility.
+
+## Next steps
+
+- Learn about the [policy definition structure](./definition-structure.md).
+- Understand how to [programmatically create policies](../how-to/programmatically-create.md).
+- Learn how to [get compliance data](../how-to/getting-compliance-data.md).
+- Learn how to [remediate non-compliant resources](../how-to/remediate-resources.md).
+- Review what a management group is with [Organize your resources with Azure management groups](../../management-groups/overview.md).

articles/governance/policy/concepts/definition-structure.md

@@ -17,7 +17,7 @@ you can specify that only certain types of virtual machines are allowed. Or, you
 all resources have a particular tag. Policies are inherited by all child resources. If a policy is
 applied to a resource group, it's applicable to all the resources in that resource group.
 
-The schema used by Azure Policy can be found here: [https://schema.management.azure.com/schemas/2018-05-01/policyDefinition.json](https://schema.management.azure.com/schemas/2018-05-01/policyDefinition.json)
+The schema used by Azure Policy can be found here: [https://docs.microsoft.com/azure/templates/microsoft.authorization/2019-01-01/policydefinitions](/azure/templates/microsoft.authorization/2019-01-01/policydefinitions)
 
 You use JSON to create a policy definition. The policy definition contains elements for:
 

articles/governance/policy/concepts/evaluate-impact.md

@@ -0,0 +1,124 @@
+---
+title: Evaluate the impact of a new Azure policy
+description: Understand the process to follow when introducing a new policy into your Azure environment.
+author: DCtheGeek
+ms.author: dacoulte
+ms.date: 09/23/2019
+ms.topic: conceptual
+ms.service: azure-policy
+manager: carmonm
+---
+# Evaluate the impact of a new Azure policy
+
+Azure Policy is a powerful tool for managing your Azure resources to business standards and to meet
+compliance needs. When people, processes, or pipelines create or update resources, Azure Policy
+reviews the request. When the policy definition effect is [Append](./effects.md#deny) or [DeployIfNotExists](./effects.md#deployifnotexists),
+Policy alters the request or adds to it. When the policy definition effect is [Audit](./effects.md#audit)
+or [AuditIfNotExists](./effects.md#auditifnotexists), Policy causes an Activity log entry to be
+created. And when the policy definition effect is [Deny](./effects.md#deny), Policy stops the
+creation or alteration of the request.
+
+These outcomes are exactly as desired when you know the policy is defined correctly. However, it's
+important to validate a new policy works as intended before allowing it to change or block work. The
+validation must ensure only the intended resources are determined to be non-compliant and no
+compliant resources are incorrectly included (known as a _false positive_) in the results.
+
+The recommended approach to validating a new policy definition is by following these steps:
+
+- Tightly define your policy
+- Audit your existing resources
+- Audit new or updated resource requests
+- Deploy your policy to resources
+- Continuous monitoring
+
+## Tightly define your policy
+
+It's important to understand how the business policy is implemented as a policy definition and the
+relationship of Azure resources with other Azure services. This step is accomplished by
+[identifying the requirements](../tutorials/create-custom-policy-definition.md#identify-requirements)
+and
+[determining the resource properties](../tutorials/create-custom-policy-definition.md#determine-resource-properties).
+But it's also important to see beyond the narrow definition of your business policy. Does your
+policy state for example "All Virtual Machines must..."? What about other Azure services that make
+use of VMs, such as HDInsight or AKS? When defining a policy, we must consider how this policy
+impacts resources that are used by other services.
+
+For this reason, your policy definitions should be as tightly defined and focused on the resources
+and the properties you need to evaluate for compliance as possible.
+
+## Audit existing resources
+
+Before looking to manage new or updated resources with your new policy definition, it's best to see
+how it evaluates a limited subset of existing resources, such as a test resource group. Use the [enforcement mode](./assignment-structure.md#enforcement-mode)
+_Disabled_ (DoNotEnforce) on your policy assignment to prevent the [effect](./effects.md) from
+triggering or activity log entries from being created.
+
+This step gives you a chance to evaluate the compliance results of the new policy on existing
+resources without impacting work flow. Check that no compliant resources are marked as non-compliant
+(_false positive_) and that all the resources you expect to be non-compliant are marked correctly.
+After the initial subset of resources validates as expected, slowly expand the evaluation to all
+existing resources.
+
+Evaluating existing resources in this way also provides an opportunity to remediate non-compliant
+resources before full implementation of the new policy. This cleanup can be done manually or through
+a [remediation task](../how-to/remediate-resources.md) if the policy definition effect is
+_DeployIfNotExists_.
+
+## Audit new or updated resources
+
+Once you've validated your new policy definition is reporting correctly on existing resources, it's
+time to look at the impact of the policy when resources get created or updated. If the policy
+definition supports effect parameterization, use [Audit](./effects.md#audit). This configuration
+allows you to monitor the creation and updating of resources to see if the new policy definition
+triggers an entry in Azure Activity log for a resource that is non-compliant without impacting
+existing work or requests.
+
+It's recommended to both update and create new resources that match your policy definition to see
+that the _Audit_ effect is correctly being triggered when expected. Be on the lookout for resource
+requests that shouldn't be impacted by the new policy definition that trigger the _Audit_ effect.
+These impacted resources are another example of _false positives_ and must be fixed in the policy
+definition before full implementation.
+
+In the event the policy definition is changed at this stage of testing, it's recommended to begin
+the validation process over with the auditing of existing resources. A change to the policy
+definition for a _false positive_ on new or updated resources is likely to also have an impact on
+existing resources.
+
+## Deploy your policy to resources
+
+After completing validation of your new policy definition with both existing resources and new or
+updated resource requests, you begin the process of implementing the policy. It's recommended to
+create the policy assignment for the new policy definition to a subset of all resources first, such
+as a resource group. After validating initial deployment, extend the scope of the policy to broader
+and broader levels, such as subscriptions and management groups. This expansion is achieved by
+removing the assignment and creating a new one at the target scopes until it's assigned to the full
+scope of resources intended to be covered by your new policy definition.
+
+During rollout, if resources are located that should be exempt from your new policy definition,
+address them in one of the following ways:
+
+- Update the policy definition to be more explicit to reduce unintended impact
+- Change the scope of the policy assignment (by removing and creating a new assignment)
+- Add the group of resources to the exclusion list for the policy assignment
+
+Any changes to the scope (level or exclusions) should be fully validated and communicated with your
+security and compliance organizations to ensure there are no gaps in coverage.
+
+## Monitor your policy and compliance
+
+Implementing and assigning your policy definition isn't the final step. Continuously monitor the [compliance](../how-to/get-compliance-data.md)
+level of resources to your new policy definition and setup appropriate [Azure Monitor alerts and notifications](../../../azure-monitor/platform/alerts-overview.md)
+for when non-compliant devices are identified. It's also recommended to evaluate the policy
+definition and related assignments on a scheduled basis to validate the policy definition is meeting
+business policy and compliance needs. Policies should be removed if no longer needed. Policies also
+need updating from time to time as the underlying Azure resources evolve and add new properties and
+capabilities.
+
+## Next steps
+
+- Learn about the [policy definition structure](./definition-structure.md).
+- Learn about the [policy assignment structure](./assignment-structure.md).
+- Understand how to [programmatically create policies](../how-to/programmatically-create.md).
+- Learn how to [get compliance data](../how-to/getting-compliance-data.md).
+- Learn how to [remediate non-compliant resources](../how-to/remediate-resources.md).
+- Review what a management group is with [Organize your resources with Azure management groups](../../management-groups/overview.md).

articles/governance/policy/toc.yml

@@ -257,6 +257,12 @@
   - name: Understand Policy effects
     displayName: order, evaluation
     href: ./concepts/effects.md
+  - name: Azure Policy assignment structure
+    displayName: parameters, enforcementmode, policyDefinitionId
+    href: ./concepts/assignment-structure.md
+  - name: Evaluate the impact of a new policy
+    displayName: audit, enforcementmode, compliance
+    href: ./concepts/evaluate-impact.md
   - name: Azure Policy for Kubernetes
     displayName: aks, rego, k8s, opa, open policy agent, gatekeeper
     href: ./concepts/rego-for-aks.md