You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/governance/policy/concepts/definition-structure.md
+9-2Lines changed: 9 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -6,8 +6,8 @@ ms.topic: conceptual
6
6
---
7
7
# Azure Policy definition structure
8
8
9
-
Resource policy definitions are used by Azure Policy to establish conventions for resources. Each
10
-
definition describes resource compliance and what effect to take when a resource is non-compliant.
9
+
Azure Policy establishes conventions for resources. Policy definitions describe resource compliance [conditions](#conditions) and the effect to take if a condition is met. A condition compares a resource property [field](#fields) to a required value. Resource property fields are accessed by using [aliases](#aliases). A resource property field is either a single-valued field or an [array](#understanding-the--alias) of multiple values. Condition evaluation is different on arrays. Learn more about [conditions](#conditions).
10
+
11
11
By defining conventions, you can control costs and more easily manage your resources. For example,
12
12
you can specify that only certain types of virtual machines are allowed. Or, you can require that
13
13
all resources have a particular tag. Policies are inherited by all child resources. If a policy is
@@ -74,6 +74,9 @@ are:
74
74
-`all`: evaluate resource groups and all resource types
75
75
-`indexed`: only evaluate resource types that support tags and location
76
76
77
+
For example, resource `Microsoft.Network/routeTables` supports tags and location and would be evaluated in both modes.
78
+
However, resource `Microsoft.Network/routeTables/routes` cannot be tagged, and would not be evaluated in `Indexed` mode.
79
+
77
80
We recommend that you set **mode** to `all` in most cases. All policy definitions created through
78
81
the portal use the `all` mode. If you use PowerShell or Azure CLI, you can specify the **mode**
79
82
parameter manually. If the policy definition doesn't include a **mode** value, it defaults to `all`
@@ -309,6 +312,10 @@ are case-insensitive. Case-insensitive alternatives are available in **matchInse
309
312
**notMatchInsensitively**. For examples, see
310
313
[Allow several name patterns](../samples/allow-multiple-name-patterns.md).
311
314
315
+
In an **\[\*\] alias** array field value, every element in the
316
+
array is evaluated individually, with logical AND between elements. For more information, see
317
+
[Evaluating the \[\*\] alias](../how-to/author-policies-for-arrays.md#evaluating-the--alias).
318
+
312
319
### Fields
313
320
314
321
Conditions are formed by using fields. A field matches properties in the resource request payload
0 commit comments