articles/virtual-machines/extensions/extensions-rmpolicy-howto-ps.md
9 additions & 8 deletions
@@ -6,8 +6,9 @@ ms.service: virtual-machines
6
6
ms.subservice: extensions
7
7
ms.author: gabsta
8
8
author: GabstaMSFT
9
+
ms.reviewer: erd
9
10
ms.collection: windows
10
-
ms.date: 03/23/2018
11
+
ms.date: 03/20/2023
11
12
ms.custom: devx-track-azurepowershell
12
13
13
14
---
@@ -24,7 +25,7 @@ This tutorial uses Azure PowerShell within the Cloud Shell, which is constantly
24
25
25
26
In order to restrict what extensions can be installed, you need to have a [rule](../../governance/policy/concepts/definition-structure.md#policy-rule) to provide the logic to identify the extension.
26
27
27
-
This example shows you how to deny extensions published by 'Microsoft.Compute' by creating a rules file in Azure Cloud Shell, but if you are working in PowerShell locally, you can also create a local file and replace the path ($home/clouddrive) with the path to the local file on your machine.
28
+
This example shows you how to deny extensions published by 'Microsoft.Compute' by creating a rules file in Azure Cloud Shell, but if you're working in PowerShell locally, you can also create a local file and replace the path ($home/clouddrive) with the path to the local file on your machine.
28
29
29
30
In a [Cloud Shell](https://shell.azure.com/powershell), type:
30
31
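Review bot: The changed sentence at new line 28 is still a single run-on, and the path ($home/clouddrive) sits in plain parentheses. Suggest ending the first sentence after "Azure Cloud Shell." and starting a second with "If you're working in PowerShell locally, ...", with the path in inline code formatting so it is clear which string to replace. The parameters-file section uses the same sentence, so both should change together.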
@@ -58,13 +59,13 @@ Copy and paste the following .json into the file.
58
59
}
59
60
```
60
61
61
-
When you are done, hit the **Ctrl + O** and then **Enter** to save the file. Hit **Ctrl + X** to close the file and exit.
62
+
When you're done, hit the **Ctrl + O** and then **Enter** to save the file. Hit **Ctrl + X** to close the file and exit.
62
63
63
64
## Create a parameters file
64
65
65
66
You also need a [parameters](../../governance/policy/concepts/definition-structure.md#parameters) file that creates a structure for you to use for passing in a list of the extensions to block.
66
67
67
-
This example shows you how to create a parameters file for VMs in Cloud Shell, but if you are working in PowerShell locally, you can also create a local file and replace the path ($home/clouddrive) with the path to the local file on your machine.
68
+
This example shows you how to create a parameters file for VMs in Cloud Shell, but if you're working in PowerShell locally, you can also create a local file and replace the path ($home/clouddrive) with the path to the local file on your machine.
68
69
69
70
In [Cloud Shell](https://shell.azure.com/powershell), type:
70
71
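Review bot: At new line 62, "hit the **Ctrl + O** and then **Enter**" keeps a stray "the" before the key name. Since the line is being edited anyway, suggest "When you're done, press **Ctrl + O** and then **Enter** to save the file. Press **Ctrl + X** to close the file and exit."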
@@ -86,13 +87,13 @@ Copy and paste the following .json into the file.
86
87
}
87
88
```
88
89
89
-
When you are done, hit the **Ctrl + O** and then **Enter** to save the file. Hit **Ctrl + X** to close the file and exit.
90
+
When you're done, hit the **Ctrl + O** and then **Enter** to save the file. Hit **Ctrl + X** to close the file and exit.
90
91
91
92
## Create the policy
92
93
93
94
A policy definition is an object used to store the configuration that you would like to use. The policy definition uses the rules and parameters files to define the policy. Create a policy definition using the [New-AzPolicyDefinition](/powershell/module/az.resources/new-azpolicydefinition) cmdlet.
94
95
95
-
The policy rules and parameters are the files you created and stored as .json files in your cloud shell.
96
+
The policy rules and parameter values below are the files you created and stored as .json files in your Cloud Shell. Replace the file paths as needed.
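Review bot: New line 96 says the "parameter values below are the files you created", which equates values with files and points "below" at content not shown in this hunk. Suggest "The policy rules and parameters are the .json files you created and stored in your Cloud Shell. Replace the file paths as needed." Line 90 carries the same "hit the **Ctrl + O**" wording as line 62 and should get the same fix.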
This example assigns the policy to a resource group using [New-AzPolicyAssignment](/powershell/module/az.resources/new-azpolicyassignment). Any VM created in the **myResourceGroup** resource group will not be able to install the VM Access Agent or Custom Script extensions.
113
+
This example assigns the policy to a resource group using [New-AzPolicyAssignment](/powershell/module/az.resources/new-azpolicyassignment). Any VM created in the **myResourceGroup** resource group won't be able to install the VM Access Agent or Custom Script extensions.
113
114
114
115
Use the [Get-AzSubscription | Format-Table](/powershell/module/az.accounts/get-azsubscription) cmdlet to get your subscription ID to use in place of the one in the example.
115
116
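Review bot: At new line 113, "Any VM created in the **myResourceGroup** resource group" reads as if only VMs created after the assignment are covered. If the assignment also blocks these extensions on VMs already in the group, say "Any VM in the **myResourceGroup** resource group"; if it does not, state that explicitly, because readers will use this sentence to judge what the policy actually protects. In the context line at 115, the link text "Get-AzSubscription | Format-Table" is a pipeline, not a single cmdlet.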
@@ -132,7 +133,7 @@ $assignment
132
133
133
134
## Test the policy
134
135
135
-
To test the policy, try to use the VM Access extension. The following should fail with the message "Set-AzVMAccessExtension: Resource 'myVMAccess' was disallowed by policy."
136
+
To test the policy, try to use the VM Access extension. The following should fail with the message "Set-AzVMAccessExtension: Resource 'myVMAccess' was disallowed by policy."
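Review bot: The removed line 135 and the added line 136 read identically here, so this appears to be a whitespace-only change; worth confirming that is intended. While the line is being touched, the expected error text would be easier to compare against real output in inline code formatting than in quotation marks inside the sentence.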