Merge pull request #214621 from shanhix1/patch-16

More selectors & overrides additions

Author: v-regandowner

articles/governance/policy/concepts/assignment-structure.md

@@ -19,17 +19,17 @@ resource properties with different needs for compliance.
 
 You use JavaScript Object Notation (JSON) to create a policy assignment. The policy assignment contains elements for:
 
-- display name
-- description
-- metadata
-- enforcement mode
-- excluded scopes
-- policy definition
-- non-compliance messages
-- parameters
-- identity
-- resource selectors (preview)
-- overrides (preview)
+- [display name](#display-name-and-description)
+- [description](#display-name-and-description)
+- [metadata](#metadata)
+- [resource selectors (preview)](#resource-selectors-preview)
+- [overrides (preview)](#overrides-preview)
+- [enforcement mode](#enforcement-mode)
+- [excluded scopes](#excluded-scopes)
+- [policy definition](#policy-definition-id)
+- [non-compliance messages](#non-compliance-messages)
+- [parameters](#parameters)
+- [identity](#identity)
 
 For example, the following JSON shows a policy assignment in _DoNotEnforce_ mode with dynamic
 parameters:
@@ -191,15 +191,22 @@ shows our policy assignment with two additional Azure regions added to the **SDP
 
 Resource selectors have the following properties:
 - `name`: The name of the resource selector.
-- `selectors`: The factor used to determine which subset of resources applicable to the policy assignment should be evaluated for compliance.
-  - `kind`: The property of a `selector` that describes what characteristic will narrow down the set of evaluated resources. Each 'kind' can only be used once in a single resource selector. Allowed values are:
-    - `resourceLocation`: This is used to select resources based on their type. Can be used in up to 10 resource selectors. Cannot be used in the same resource selector as `resourceWithoutLocation`.
+
+- `selectors`: (Optional) The property used to determine which subset of resources applicable to the policy assignment should be evaluated for compliance.
+
+  - `kind`: The property of a selector that describes what characteristic will narrow down the set of evaluated resources. Each kind can only be used once in a single resource selector. Allowed values are:
+
+    - `resourceLocation`: This is used to select resources based on their type. Cannot be used in the same resource selector as `resourceWithoutLocation`.
+
     - `resourceType`: This is used to select resources based on their type.
+
     - `resourceWithoutLocation`: This is used to select resources at the subscription level which do not have a location. Currently only supports `subscriptionLevelResources`. Cannot be used in the same resource selector as `resourceLocation`.
+
   - `in`: The list of allowed values for the specified `kind`. Cannot be used with `notIn`. Can contain up to 50 values.
+
   - `notIn`: The list of not-allowed values for the specified `kind`. Cannot be used with `in`. Can contain up to 50 values.
 
-A **resource selector** can contain multiple **selectors**. To be applicable to a resource selector, a resource must meet requirements specified by all its selectors. Further, multiple **resource selectors** can be specified in a single assignment. In-scope resources are evaluated when they satisfy any one of these resource selectors.
+A **resource selector** can contain multiple **selectors**. To be applicable to a resource selector, a resource must meet requirements specified by all its selectors. Further, up to 10 **resource selectors** can be specified in a single assignment. In-scope resources are evaluated when they satisfy any one of these resource selectors.
 
 ## Overrides (preview)
 
@@ -234,7 +241,22 @@ Let's take a look at an example. Imagine you have a policy initiative named _Cos
 }
 ```
 
-Note that one override can be used to replace the effect of many policies by specifying multiple values in the policyDefinitionReferenceId array. A single override can be used for up to 50 policyDefinitionReferenceIds, and a single policy assignment can contain up to 10 overrides, evaluated in the order in which they are specified. Before the assignment is created, the effect chosen in the override is validated against the policy rule and parameter allowed value list, in cases where the effect is [parameterized](definition-structure.md#parameters). 
+Overrides have the following properties:
+- `kind`: The property the assignment will override. The supported kind is `policyEffect`.
+
+- `value`: The new value which will override the existing value. The supported values are [effects](effects.md).
+
+- `selectors`: (Optional) The property used to determine what scope of the policy assignment should take on the override.
+
+  - `kind`: The property of a selector that describes what characteristic will narrow down the scope of the override. Allowed value for `kind: policyEffect` is:
+
+    - `policyDefinitionReferenceId`: This specifies which policy definitions within an initiative assignment should take on the effect override.
+
+  - `in`: The list of allowed values for the specified `kind`. Cannot be used with `notIn`. Can contain up to 50 values.
+
+  - `notIn`: The list of not-allowed values for the specified `kind`. Cannot be used with `in`. Can contain up to 50 values.
+
+Note that one override can be used to replace the effect of many policies by specifying multiple values in the policyDefinitionReferenceId array. A single override can be used for up to 50 policyDefinitionReferenceIds, and a single policy assignment can contain up to 10 overrides, evaluated in the order in which they are specified. Before the assignment is created, the effect chosen in the override is validated against the policy rule and parameter allowed value list (in cases where the effect is [parameterized](definition-structure.md#parameters)). 
 
 ## Enforcement mode
 

articles/governance/policy/concepts/exemption-structure.md

@@ -17,13 +17,15 @@ see [Understand scope in Azure Policy](./scope.md). Azure Policy exemptions only
 
 You use JavaScript Object Notation (JSON) to create a policy exemption. The policy exemption contains elements for:
 
-- display name
-- description
-- metadata
-- policy assignment
-- policy definitions within an initiative
-- exemption category
-- expiration
+- [display name](#display-name-and-description)
+- [description](#display-name-and-description)
+- [metadata](#metadata)
+- [policy assignment](#policy-assignment-id)
+- [policy definitions within an initiative](#policy-definition-ids)
+- [exemption category](#exemption-category)
+- [expiration](#expiration)
+- [resource selectors](#resource-selectors-preview)
+- [assignment scope validation](#assignment-scope-validation-preview)
 
 > [!NOTE]
 > A policy exemption is created as a child object on the resource hierarchy or the individual
@@ -58,7 +60,8 @@ two of the policy definitions in the initiative, the `customOrgPolicy` custom po
             "allowedLocations"
         ],
         "exemptionCategory": "waiver",
-        "expiresOn": "2020-12-31T23:59:00.0000000Z"
+        "expiresOn": "2020-12-31T23:59:00.0000000Z",
+        "assignmentScopeValidation": "Default"
     }
 }
 ```
@@ -136,6 +139,62 @@ format `yyyy-MM-ddTHH:mm:ss.fffffffZ`.
 > The policy exemptions isn't deleted when the `expiresOn` date is reached. The object is preserved
 > for record-keeping, but the exemption is no longer honored.
 
+## Resource selectors (preview)
+
+Exemptions support an optional property `resourceSelectors`. This property works the same way in exemptions as it does in assignments, allowing for gradual rollout or rollback of an _exemption_ to certain subsets of resources in a controlled manner based on resource type, resource location, or whether the resource has a location. More details about how to use resource selectors can be found in the [assignment structure](assignment-structure.md#resource-selectors-preview). Below is an example exemption JSON which leverages resource selectors. In this example, only resources in `westcentralus` will be exempt from the policy assignment:
+
+```json
+{
+    "properties": {
+        "policyAssignmentId": "/subscriptions/{subId}/providers/Microsoft.Authorization/policyAssignments/CostManagement",
+        "policyDefinitionReferenceIds": [
+            "limitSku", "limitType"
+        ],
+        "exemptionCategory": "Waiver",
+        "resourceSelectors": [
+            {
+                "name": "TemporaryMitigation",
+                "selectors": [
+                    {
+                        "kind": "resourceLocation",
+                        "in": [ "westcentralus" ]
+                    }
+                ]
+            }
+        ]
+    },
+    "systemData": { ... },
+    "id": "/subscriptions/{subId}/resourceGroups/demoCluster/providers/Microsoft.Authorization/policyExemptions/DemoExpensiveVM",
+    "type": "Microsoft.Authorization/policyExemptions",
+    "name": "DemoExpensiveVM"
+}
+```
+
+Regions can be added or removed from the `resourceLocation` list in the example above. Resource selectors allow for greater flexibility of where and how exemptions can be created and managed.
+
+## Assignment scope validation (preview)
+
+In most scenarios, the exemption scope is validated to ensure it is at or under the policy assignment scope. The optional `assignmentScopeValidation` property can allow an exemption to bypass this validation and be created outside of the assignment scope. This is intended for situations where a subscription needs to be moved from one management group (MG) to another, but the move would be blocked by policy due to properties of resources within the subscription. In this scenario, an exemption could be created for the subscription in its current MG to exempt its resources from a policy assignment on the destination MG. That way, when the subscription is moved into the destination MG, the operation is not blocked because resources are already exempt from the policy assignment in question. The use of this property is illustrated below:
+
+```json
+{
+    "properties": {
+        "policyAssignmentId": "/providers/Microsoft.Management/managementGroups/{mgB}/providers/Microsoft.Authorization/policyAssignments/CostManagement",
+        "policyDefinitionReferenceIds": [
+            "limitSku", "limitType"
+        ],
+        "exemptionCategory": "Waiver",
+        "assignmentScopeValidation": "DoNotValidate",
+    },
+    "systemData": { ... },
+    "id": "/subscriptions/{subIdA}/providers/Microsoft.Authorization/policyExemptions/DemoExpensiveVM",
+    "type": "Microsoft.Authorization/policyExemptions",
+    "name": "DemoExpensiveVM"
+}
+```
+
+Allowed values for `assignmentScopeValidation` are `Default`and `DoNotValidate`. If not specified, the default validation process will occur.
+
 ## Required permissions
 
 The Azure RBAC permissions needed to manage Policy exemption objects are in the
@@ -159,4 +218,4 @@ assignment.
 - Learn how to [get compliance data](../how-to/get-compliance-data.md).
 - Learn how to [remediate non-compliant resources](../how-to/remediate-resources.md).
 - Review what a management group is with
-  [Organize your resources with Azure management groups](../../management-groups/overview.md).
+  [Organize your resources with Azure management groups](../../management-groups/overview.md).