Merge pull request #96765 from DCtheGeek/dmc-policy-overview

GitHubber17 · web-flow · commit 93f1ead43fd4 · 2019-11-21T12:57:36.000-08:00
Updating Overview
diff --git a/articles/governance/policy/overview.md b/articles/governance/policy/overview.md
@@ -1,26 +1,26 @@
 ---
 title: Overview of Azure Policy
 description: Azure Policy is a service in Azure, that you use to create, assign and, manage policy definitions in your Azure environment.
-ms.date: 12/06/2018
+ms.date: 11/21/2019
 ms.topic: overview
 ---
 # Overview of the Azure Policy service
 
 Governance validates that your organization can achieve its goals through effective and efficient
 use of IT. It meets this need by creating clarity between business goals and IT projects.
 
-Does your company experience a significant number of IT issues that never seem to get resolved?
-Good IT governance involves planning your initiatives and setting priorities on a strategic level
-to help manage and prevent issues. This strategic need is where Azure Policy comes in.
+Does your company experience a significant number of IT issues that never seem to get resolved? Good
+IT governance involves planning your initiatives and setting priorities on a strategic level to help
+manage and prevent issues. This strategic need is where Azure Policy comes in.
 
 Azure Policy is a service in Azure that you use to create, assign, and manage policies. These
 policies enforce different rules and effects over your resources, so those resources stay compliant
 with your corporate standards and service level agreements. Azure Policy meets this need by
 evaluating your resources for non-compliance with assigned policies. For example, you can have a
-policy to allow only a certain SKU size of virtual machines in your environment. Once this policy
-is implemented, new and existing resources are evaluated for compliance. With the right type of
-policy, existing resources can be brought into compliance. Later in this documentation, we'll go
-over more details on how to create and implement policies with Azure Policy.
+policy to allow only a certain SKU size of virtual machines in your environment. Once this policy is
+implemented, new and existing resources are evaluated for compliance. With the right type of policy,
+existing resources can be brought into compliance. Later in this documentation, we'll go over more
+details on how to create and implement policies with Azure Policy.
 
 > [!IMPORTANT]
 > Azure Policy's compliance evaluation is now provided for all assignments
@@ -50,7 +50,8 @@ role includes most Azure Policy operations. **Owner** has full rights. Both **Co
 **Reader** can use all read Azure Policy operations, but **Contributor** can also trigger
 remediation.
 
-If none of the Built-in roles have the permissions required, create a [custom role](../../role-based-access-control/custom-roles.md).
+If none of the Built-in roles have the permissions required, create a
+[custom role](../../role-based-access-control/custom-roles.md).
 
 ## Policy definition
 
@@ -60,11 +61,16 @@ effect that takes place if the conditions are met.
 
 In Azure Policy, we offer several built-in policies that are available by default. For example:
 
-- **Allowed Storage Account SKUs**: Determines if a storage account being deployed is within a set of SKU sizes. Its effect is to deny all storage accounts that don't adhere to the set of defined SKU sizes.
-- **Allowed Resource Type**: Defines the resource types that you can deploy. Its effect is to deny all resources that aren't part of this defined list.
-- **Allowed Locations**: Restricts the available locations for new resources. Its effect is used to enforce your geo-compliance requirements.
+- **Allowed Storage Account SKUs**: Determines if a storage account being deployed is within a set
+  of SKU sizes. Its effect is to deny all storage accounts that don't adhere to the set of defined
+  SKU sizes.
+- **Allowed Resource Type**: Defines the resource types that you can deploy. Its effect is to deny
+  all resources that aren't part of this defined list.
+- **Allowed Locations**: Restricts the available locations for new resources. Its effect is used to
+  enforce your geo-compliance requirements.
 - **Allowed Virtual Machine SKUs**: Specifies a set of virtual machine SKUs that you can deploy.
-- **Add a tag to resources**: Applies a required tag and its default value if it's not specified by the deploy request.
+- **Add a tag to resources**: Applies a required tag and its default value if it's not specified by
+  the deploy request.
 - **Enforce tag and its value**: Enforces a required tag and its value to a resource.
 - **Not allowed resource types**: Prevents a list of resource types from being deployed.
 
@@ -75,7 +81,8 @@ Policy evaluation happens with several different actions, such as policy assignm
 updates. For a complete list, see [Policy evaluation
 triggers](./how-to/get-compliance-data.md#evaluation-triggers).
 
-To learn more about the structures of policy definitions, review [Policy Definition Structure](./concepts/definition-structure.md).
+To learn more about the structures of policy definitions, review
+[Policy Definition Structure](./concepts/definition-structure.md).
 
 ## Policy assignment
 
@@ -88,8 +95,8 @@ in that resource group. However, you can exclude a subscope from the policy assi
 
 For example, at the subscription scope, you can assign a policy that prevents the creation of
 networking resources. You could exclude a resource group in that subscription that is intended for
-networking infrastructure. You then grant access to this networking resource group to users that
-you trust with creating networking resources.
+networking infrastructure. You then grant access to this networking resource group to users that you
+trust with creating networking resources.
 
 In another example, you might want to assign a resource type allow list policy at the management
 group level. And then assign a more permissive policy (allowing more resource types) on a child
@@ -99,8 +106,8 @@ subscription from the management group-level policy assignment. Then, assign the
 policy on the child management group or subscription level. If any policy results in a resource
 getting denied, then the only way to allow the resource is to modify the denying policy.
 
-For more information on setting policy definitions and assignments through the portal, see [Create
-a policy assignment to identify non-compliant resources in your Azure
+For more information on setting policy definitions and assignments through the portal, see [Create a
+policy assignment to identify non-compliant resources in your Azure
 environment](assign-policy-portal.md). Steps for [PowerShell](assign-policy-powershell.md) and
 [Azure CLI](assign-policy-azurecli.md) are also available.
 
@@ -112,12 +119,13 @@ generic. Then you can reuse that policy definition for different scenarios. You
 different values when assigning the policy definition. For example, specifying one set of locations
 for a subscription.
 
-Parameters are defined when creating a policy definition. When a parameter is defined, it's
-given a name and optionally given a value. For example, you could define a parameter for a policy
-titled *location*. Then you can give it different values such as *EastUS* or *WestUS* when
-assigning a policy.
+Parameters are defined when creating a policy definition. When a parameter is defined, it's given a
+name and optionally given a value. For example, you could define a parameter for a policy titled
+*location*. Then you can give it different values such as *EastUS* or *WestUS* when assigning a
+policy.
 
-For more information about policy parameters, see [Definition structure - Parameters](./concepts/definition-structure.md#parameters).
+For more information about policy parameters, see
+[Definition structure - Parameters](./concepts/definition-structure.md#parameters).
 
 ## Initiative definition
 
@@ -127,11 +135,18 @@ definitions. They simplify by grouping a set of policies as one single item. For
 create an initiative titled **Enable Monitoring in Azure Security Center**, with a goal to monitor
 all the available security recommendations in your Azure Security Center.
 
+> [!NOTE]
+> The SDK, such as Azure CLI and Azure PowerShell, use properties and parameters named **PolicySet**
+> to refer to initiatives.
+
 Under this initiative, you would have policy definitions such as:
 
-- **Monitor unencrypted SQL Database in Security Center** – For monitoring unencrypted SQL databases and servers.
-- **Monitor OS vulnerabilities in Security Center** – For monitoring servers that don't satisfy the configured baseline.
-- **Monitor missing Endpoint Protection in Security Center** – For monitoring servers without an installed endpoint protection agent.
+- **Monitor unencrypted SQL Database in Security Center** – For monitoring unencrypted SQL databases
+  and servers.
+- **Monitor OS vulnerabilities in Security Center** – For monitoring servers that don't satisfy the
+  configured baseline.
+- **Monitor missing Endpoint Protection in Security Center** – For monitoring servers without an
+  installed endpoint protection agent.
 
 ## Initiative assignment
 
@@ -148,7 +163,8 @@ Like policy parameters, initiative parameters help simplify initiative managemen
 redundancy. Initiative parameters are parameters being used by the policy definitions within the
 initiative.
 
-For example, take a scenario where you have an initiative definition - **initiativeC**, with policy definitions **policyA** and **policyB** each expecting a different type of parameter:
+For example, take a scenario where you have an initiative definition - **initiativeC**, with policy
+definitions **policyA** and **policyB** each expecting a different type of parameter:
 
 | Policy | Name of parameter |Type of parameter  |Note |
 |---|---|---|---|
@@ -158,9 +174,15 @@ For example, take a scenario where you have an initiative definition - **initiat
 In this scenario, when defining the initiative parameters for **initiativeC**, you have three
 options:
 
-- Use the parameters of the policy definitions within this initiative: In this example, *allowedLocations* and *allowedSingleLocation* become initiative parameters for **initiativeC**.
-- Provide values to the parameters of the policy definitions within this initiative definition. In this example, you can provide a list of locations to **policyA's parameter – allowedLocations** and **policyB's parameter – allowedSingleLocation**. You can also provide values when assigning this initiative.
-- Provide a list of *value* options that can be used when assigning this initiative. When you assign this initiative, the inherited parameters from the policy definitions within the initiative, can only have values from this provided list.
+- Use the parameters of the policy definitions within this initiative: In this example,
+  *allowedLocations* and *allowedSingleLocation* become initiative parameters for **initiativeC**.
+- Provide values to the parameters of the policy definitions within this initiative definition. In
+  this example, you can provide a list of locations to **policyA's parameter – allowedLocations**
+  and **policyB's parameter – allowedSingleLocation**. You can also provide values when assigning
+  this initiative.
+- Provide a list of *value* options that can be used when assigning this initiative. When you assign
+  this initiative, the inherited parameters from the policy definitions within the initiative, can
+  only have values from this provided list.
 
 When creating value options in an initiative definition, you're unable to input a different value
 during the initiative assignment because it's not part of the list.
@@ -174,30 +196,31 @@ during the initiative assignment because it's not part of the list.
 Here are a few pointers and tips to keep in mind:
 
 - Start with an audit effect instead of a deny effect to track impact of your policy definition on
-the resources in your environment. If you have scripts already in place to autoscale your
-applications, setting a deny effect may hinder such automation tasks already in place.
+  the resources in your environment. If you have scripts already in place to autoscale your
+  applications, setting a deny effect may hinder such automation tasks already in place.
 
 - Consider organizational hierarchies when creating definitions and assignments. We recommend
-creating definitions at higher levels such as the management group or subscription level. Then,
-create the assignment at the next child level. If you create a definition at a management group,
-the assignment can be scoped down to a subscription or resource group within that management group.
+  creating definitions at higher levels such as the management group or subscription level. Then,
+  create the assignment at the next child level. If you create a definition at a management group,
+  the assignment can be scoped down to a subscription or resource group within that management
+  group.
 
 - We recommend creating and assigning initiative definitions even for a single policy definition.
-For example, you have policy definition *policyDefA* and create it under initiative definition
-*initiativeDefC*. If you create another policy definition later for *policyDefB* with goals similar
-to *policyDefA*, you can add it under *initiativeDefC* and track them together.
+  For example, you have policy definition *policyDefA* and create it under initiative definition
+  *initiativeDefC*. If you create another policy definition later for *policyDefB* with goals
+  similar to *policyDefA*, you can add it under *initiativeDefC* and track them together.
 
-- Once you've created an initiative assignment, policy definitions added to the initiative also become
-part of that initiatives assignments.
+- Once you've created an initiative assignment, policy definitions added to the initiative also
+  become part of that initiatives assignments.
 
-- When an initiative assignment is evaluated, all policies within the initiative are also
-evaluated. If you need to evaluate a policy individually, it's better to not include it in an
-initiative.
+- When an initiative assignment is evaluated, all policies within the initiative are also evaluated.
+  If you need to evaluate a policy individually, it's better to not include it in an initiative.
 
 ## Video overview
 
-The following overview of Azure Policy is from Build 2018. For slides or video download,
-visit [Govern your Azure environment through Azure Policy](https://channel9.msdn.com/events/Build/2018/THR2030) on Channel 9.
+The following overview of Azure Policy is from Build 2018. For slides or video download, visit
+[Govern your Azure environment through Azure Policy](https://channel9.msdn.com/events/Build/2018/THR2030)
+on Channel 9.
 
 > [!VIDEO https://www.youtube.com/embed/dxMaYF2GB7o]
 
@@ -206,8 +229,8 @@ visit [Govern your Azure environment through Azure Policy](https://channel9.msdn
 Now that you have an overview of Azure Policy and some of the key concepts, here are the suggested
 next steps:
 
-- [Assign a policy definition using the portal](assign-policy-portal.md).
-- [Assign a policy definition using the Azure CLI](assign-policy-azurecli.md).
-- [Assign a policy definition using PowerShell](assign-policy-powershell.md).
-- Review what a management group is with [Organize your resources with Azure management groups](..//management-groups/overview.md).
-- View [Govern your Azure environment through Azure Policy](https://channel9.msdn.com/events/Build/2018/THR2030) on Channel 9.
+- [Assign a policy definition using the portal](./assign-policy-portal.md).
+- [Assign a policy definition using the Azure CLI](./assign-policy-azurecli.md).
+- [Assign a policy definition using PowerShell](./assign-policy-powershell.md).
+- Review what a management group is with [Organize your resources with Azure management groups](../management-groups/overview.md).
+- View [Govern your Azure environment through Azure Policy](https://channel9.msdn.com/events/Build/2018/THR2030) on Channel 9.
