articles/governance/policy/concepts/policy-applicability.md
Lines changed: 22 additions & 16 deletions
@@ -6,32 +6,38 @@ ms.topic: conceptual
6
6
ms.author: timwarner
7
7
author: timwarner-msft
8
8
---
9
-
# Azure Policy applicability logic
9
+
# What is applicability in Azure Policy?
10
10
11
-
Azure Policy effects are applied based on the evaluation result of the
12
-
**If** condition(s) defined in the definition JavaScript Object Notation (JSON)
13
-
file.
11
+
When a policy definition is assigned to a scope, Azure Policy scans every resource in that scope to determine what should be considered for compliance evaluation. A resource will only be assessed for compliance if it is considered **applicable** to the given policy assignment.
12
+
13
+
Applicability is determined by several factors:
14
+
-**Conditions** in the `if` block of the [policy rule](../concepts/definition-structure.md#policy-rule).
15
+
-**Mode** of the policy definition.
16
+
-**Excluded scopes** secified in the assignment.
17
+
-**Exemptions** of resources or resource hierarchies.
18
+
19
+
Condition(s) in the `if` block of the policy rule are evaluated for applicability in slightly different ways based on the effect.
20
+
21
+
> [!NOTE]
22
+
> Applicability is different from compliance, and the logic used to determine each is different. If a resource is **applicable** that means it is relevant to the policy. If a resource is **compliant** that means it adheres to the policy. Sometimes only certain conditions from the policy rule impact applicability, while all conditions of the policy rule impact compliance state.
14
23
15
24
## Applicability logic for Append/Modify/Audit/Deny/DataPlane effects
16
25
17
-
Azure Policy evaluates only type, name, and kind conditions in the **If**expression and treats other conditions as true (false when negated). **If** the final evaluation result is true, the policy is applicable. Otherwise, it's not applicable.
26
+
Azure Policy evaluates only `type`, `name`, and `kind` conditions in the policy rule `if`expression and treats other conditions as true (or false when negated). If the final evaluation result is true, the policy is applicable. Otherwise, it's not applicable.
18
27
19
28
Following are special cases to the previously described applicability logic:
20
29
21
-
- Any invalid aliases in the **If** conditions
22
-
- The policy is not applicable
23
-
- When the **If** conditions consist of only kind conditions
24
-
- The policy is applicable to all resources.
25
-
- When the **If** conditions consist of only name conditions
26
-
- The policy is applicable to all resources.
27
-
- When the **If** conditions consist of only type and kind conditions
28
-
- It depends on which field the first condition in the **If** refers to. It applies the applicability logic with conditions with that field only. For example, when a **type** field appears in the first condition of the **If**, only type conditions are considered when deciding applicability. When a **name** field appears in the first condition of the **If**, only type conditions are considered when deciding applicability.
29
-
- When any conditions (including deployment parameters) include a **location** condition
30
-
- Will not be applicable to subscriptions
30
+
|Scenario |Result |
31
+
|---------|---------|
32
+
|Any invalid aliases in the `if` conditions |The policy is not applicable |
33
+
|When the `if` conditions consist of only `kind` conditions |The policy is applicable to all resources |
34
+
|When the `if` conditions consist of only `name` conditions |The policy is applicable to all resources |
35
+
|When the `if` conditions consist of only `type` and `kind` or `type` and `name` conditions |Only type conditions are considered when deciding applicability |
36
+
|When any conditions (including deployment parameters) include a `location` condition |Will not be applicable to subscriptions |
31
37
32
38
## Applicability logic for AuditIfNotExists and DeployIfNotExists policy effects
33
39
34
-
The applicability is based on the **If** conditions. When the **If** evaluates to false, the policy is not applicable.
40
+
The applicability of AuditIfNotExists and DeployIfNotExists policies is based off the entire `if` condition of the policy rule. When the `if` evaluates to false, the policy is not applicable.
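Review bot: In the new special-cases table, the row for "only `type` and `kind` or `type` and `name` conditions" states that only type conditions are considered, but the bullet it replaces said the outcome depends on which field the first `if` condition refers to, and its heading covered only the type-and-kind case. If collapsing this is intentional, please confirm it matches how the evaluation actually behaves, because the dependence on condition order is no longer documented anywhere in the page; otherwise keep the first-condition wording in the Result column. Smaller points in the same hunk: "secified" in the Excluded scopes bullet should be "specified", "`if`expression" in the Append/Modify/Audit/Deny/DataPlane paragraph is missing a space before "expression", and "based off" in the AuditIfNotExists/DeployIfNotExists paragraph should be "based on". The sentence "Condition(s) in the `if` block of the policy rule are evaluated for applicability in slightly different ways based on the effect" would also read better after the note, directly above the two effect-specific sections it introduces.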