Merge pull request #267631 from davidsmatlak/ds-update-policy-portal-qs-20270228

Updates Azure Policy portal quickstart

Author: denrea

articles/governance/policy/assign-policy-portal.md

@@ -1,121 +1,74 @@
 ---
-title: "Quickstart: New policy assignment with portal"
-description: In this quickstart, you use Azure portal to create an Azure Policy assignment to identify non-compliant resources.
-ms.date: 08/17/2021
+title: "Quickstart: Create policy assignment using Azure portal"
+description: In this quickstart, you create an Azure Policy assignment to identify non-compliant resources using Azure portal.
+ms.date: 02/29/2024
 ms.topic: quickstart
 ---
-# Quickstart: Create a policy assignment to identify non-compliant resources
 
-The first step in understanding compliance in Azure is to identify the status of your resources.
-This quickstart steps you through the process of creating a policy assignment to identify virtual
-machines that aren't using managed disks.
+# Quickstart: Create a policy assignment to identify non-compliant resources using Azure portal
 
-At the end of this process, you'll successfully identify virtual machines that aren't using managed
-disks. They're _non-compliant_ with the policy assignment.
+The first step in understanding compliance in Azure is to identify the status of your resources. In this quickstart, you create a policy assignment to identify non-compliant resources using Azure portal. The policy is assigned to a resource group and audits virtual machines that don't use managed disks. After you create the policy assignment, you identify non-compliant virtual machines.
 
 ## Prerequisites
 
-If you don't have an Azure subscription, create a [free](https://azure.microsoft.com/free/) account
-before you begin.
+- If you don't have an Azure account, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
+- A resource group with at least one virtual machine that doesn't use managed disks.
 
 ## Create a policy assignment
 
-In this quickstart, you create a policy assignment and assign the _Audit VMs that do not use managed
-disks_ policy definition.
+In this quickstart, you create a policy assignment with a built-in policy definition, [Audit VMs that do not use managed disks](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VMRequireManagedDisk_Audit.json).
 
-1. Launch the Azure Policy service in the Azure portal by selecting **All services**, then searching
-   for and selecting **Policy**.
+1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Search for _policy_ and select it from the list.
 
-   :::image type="content" source="./media/assign-policy-portal/search-policy.png" alt-text="Screenshot of searching for Policy in All Services." border="false":::
+   :::image type="content" source="./media/assign-policy-portal/search-policy.png" alt-text="Screenshot of the Azure portal to search for policy.":::
 
-1. Select **Assignments** on the left side of the Azure Policy page. An assignment is a policy that
-   has been assigned to take place within a specific scope.
+1. Select **Assignments** on the **Policy** pane.
 
-   :::image type="content" source="./media/assign-policy-portal/select-assignments.png" alt-text="Screenshot of selecting the Assignments page from Policy Overview page." border="false":::
+   :::image type="content" source="./media/assign-policy-portal/select-assignments.png" alt-text="Screenshot of the Assignments pane that highlights the option to Assign policy.":::
 
-1. Select **Assign Policy** from the top of the **Policy - Assignments** page.
+1. Select **Assign Policy** from the **Policy Assignments** pane.
 
-   :::image type="content" source="./media/assign-policy-portal/select-assign-policy.png" alt-text="Screenshot of selecting 'Assign policy' from Assignments page." border="false":::
+1. On the **Assign Policy** pane **Basics** tab configure the following options:
 
-1. On the **Assign Policy** page, set the **Scope** by selecting the ellipsis and then selecting
-   either a management group or subscription. Optionally, select a resource group. A scope
-   determines what resources or grouping of resources the policy assignment gets enforced on. Then
-   use the **Select** button at the bottom of the **Scope** page.
+   | Field | Action |
+   | ---- | ---- |
+   | **Scope** | Use the ellipsis (`...`) and then select a subscription and a resource group. Then choose **Select** to apply the scope. |
+   | **Exclusions** | Optional and isn't used in this example. |
+   | **Policy definition** | Select the ellipsis to open the list of available definitions. |
+   | **Available Definitions** | Search the policy definitions list for _Audit VMs that do not use managed disks_ definition, select the policy, and select **Add**. |
+   | **Assignment name** | By default uses the name of the selected policy. You can change it but for this example, use the default name. |
+   | **Description** | Optional to provide details about this policy assignment. |
+   | **Policy enforcement** | Defaults to _Enabled_. For more information, go to [enforcement mode](./concepts/assignment-structure.md#enforcement-mode). |
+   | **Assigned by** | Defaults to who is signed in to Azure. This field is optional and custom values can be entered. |
 
-   This example uses the **Contoso** subscription. Your subscription will differ.
+   :::image type="content" source="./media/assign-policy-portal/select-available-definition.png" alt-text="Screenshot of filtering the available definitions.":::
 
-1. Resources can be excluded based on the **Scope**. **Exclusions** start at one level lower than
-   the level of the **Scope**. **Exclusions** are optional, so leave it blank for now.
+1. Select **Next** to view each tab for **Advanced**, **Parameters**, and **Remediation**. No changes are needed for this example.
 
-1. Select the **Policy definition** ellipsis to open the list of available definitions. Azure Policy
-   comes with built-in policy definitions you can use. Many are available, such as:
+   | Tab name | Options |
+   | ---- | ---- |
+   | **Advanced** | Includes options for [resource selectors](./concepts/assignment-structure.md#resource-selectors-preview) and [overrides](./concepts/assignment-structure.md#overrides-preview). |
+   | **Parameters** | If the policy definition you selected on the **Basics** tab included parameters, they're configured on **Parameters** tab. This example doesn't use parameters. |
+   | **Remediation** | You can create a managed identity. For this example, **Create a Managed Identity** is unchecked. <br><br> This box _must_ be checked when a policy or initiative includes a policy with either the [deployIfNotExists](./concepts/effects.md#deployifnotexists) or [modify](./concepts/effects.md#modify) effect. For more information, go to [managed identities](../../active-directory/managed-identities-azure-resources/overview.md) and [how remediation access control works](./how-to/remediate-resources.md#how-remediation-access-control-works). |
 
-   - Enforce tag and its value
-   - Apply tag and its value
-   - Inherit a tag from the resource group if missing
+1. Select **Next** and on the **Non-compliance messages** tab create a **Non-compliance message** like _Virtual machines should use managed disks_.
 
-   For a partial list of available built-in policies, see [Azure Policy samples](./samples/index.md).
+   This custom message is displayed when a resource is denied or for non-compliant resources during regular evaluation.
 
-1. Search through the policy definitions list to find the _Audit VMs that do not use managed disks_
-   definition. Select that policy and then use the **Select** button.
+1. Select **Next** and on the **Review + create** tab, review the policy assignment details.
 
-   :::image type="content" source="./media/assign-policy-portal/select-available-definition.png" alt-text="Screenshot of filtering the available definitions." border="false":::
-
-1. The **Assignment name** is automatically populated with the policy name you selected, but you can
-   change it. For this example, leave _Audit VMs that do not use managed disks_. You can also add an
-   optional **Description**. The description provides details about this policy assignment.
-   **Assigned by** will automatically fill based on who is logged in. This field is optional, so
-   custom values can be entered.
-
-1. Leave policy enforcement _Enabled_. For more information, see
-   [Policy assignment - enforcement mode](./concepts/assignment-structure.md#enforcement-mode).
-
-1. Select **Next** at the bottom of the page or the **Parameters** tab at the top of the page to
-   move to the next segment of the assignment wizard.
-
-1. If the policy definition selected on the **Basics** tab included parameters, they are configured
-   on this tab. Since the _Audit VMs that do not use managed disks_ has no parameters, select
-   **Next** at the bottom of the page or the **Remediation** tab at the top of the page to move to
-   the next segment of the assignment wizard.
-
-1. Leave **Create a Managed Identity** unchecked. This box _must_ be checked when the policy or
-   initiative includes a policy with either the
-   [deployIfNotExists](./concepts/effects.md#deployifnotexists) or
-   [modify](./concepts/effects.md#modify) effect. As the policy used for this quickstart doesn't,
-   leave it blank. For more information, see
-   [managed identities](../../active-directory/managed-identities-azure-resources/overview.md) and
-   [how remediation access control works](./how-to/remediate-resources.md#how-remediation-access-control-works).
-
-1. Select **Next** at the bottom of the page or the **Non-compliance messages** tab at the top of
-   the page to move to the next segment of the assignment wizard.
-
-1. Set the **Non-compliance message** to _Virtual machines should use a managed disk_. This custom
-   message is displayed when a resource is denied or for non-compliant resources during regular
-   evaluation.
-
-1. Select **Next** at the bottom of the page or the **Review + Create** tab at the top of the page
-   to move to the next segment of the assignment wizard.
-
-1. Review the selected options, then select **Create** at the bottom of the page.
-
-You're now ready to identify non-compliant resources to understand the compliance state of your
-environment.
+1. Select **Create** to create the policy assignment.
 
 ## Identify non-compliant resources
 
-Select **Compliance** in the left side of the page. Then locate the _Audit VMs that do not use
-managed disks_ policy assignment you created.
+On the **Policy** pane, select **Compliance** and locate the _Audit VMs that do not use managed disks_ policy assignment. The compliance state for a new policy assignment takes a few minutes to become active and provide results about the policy's state.
 
-:::image type="content" source="./media/assign-policy-portal/policy-compliance.png" alt-text="Screenshot of compliance details on the Policy Compliance page." border="false":::
+:::image type="content" source="./media/assign-policy-portal/policy-compliance.png" alt-text="Screenshot of the Policy Compliance that highlights the example's non-compliant policy assignment." lightbox="./media/assign-policy-portal/policy-compliance.png":::
 
-If there are any existing resources that aren't compliant with this new assignment, they appear
-under **Non-compliant resources**.
+The policy assignment shows resources that aren't compliant with a **Compliance state** of **Non-compliant**. To get more details, select the policy assignment name to view the **Resource Compliance**.
 
-When a condition is evaluated against your existing resources and found true, then those resources
-are marked as non-compliant with the policy. The following table shows how different policy effects
-work with the condition evaluation for the resulting compliance state. Although you don't see the
-evaluation logic in the Azure portal, the compliance state results are shown. The compliance state
-result is either compliant or non-compliant.
+When a condition is evaluated against your existing resources and found true, then those resources are marked as non-compliant with the policy. The following table shows how different policy effects work with the condition evaluation for the resulting compliance state. Although you don't see the evaluation logic in the Azure portal, the compliance state results are shown. The compliance state result is either compliant or non-compliant.
 
 | Resource State | Effect | Policy Evaluation | Compliance State |
 | --- | --- | --- | --- |
@@ -124,31 +77,25 @@ result is either compliant or non-compliant.
 | Exists | Deny, Audit, Append, Modify, DeployIfNotExist, AuditIfNotExist | True | Non-Compliant |
 | Exists | Deny, Audit, Append, Modify, DeployIfNotExist, AuditIfNotExist | False | Compliant |
 
-> [!NOTE]
-> The DeployIfNotExist and AuditIfNotExist effects require the IF statement to be TRUE and the
-> existence condition to be FALSE to be non-compliant. When TRUE, the IF condition triggers
-> evaluation of the existence condition for the related resources.
+The `DeployIfNotExist` and `AuditIfNotExist` effects require the `IF` statement to be `TRUE` and the existence condition to be `FALSE` to be non-compliant. When `TRUE`, the `IF` condition triggers evaluation of the existence condition for the related resources.
 
 ## Clean up resources
 
-To remove the assignment created, follow these steps:
+You can delete a policy assignment from **Compliance** or from **Assignments**.
+
+To remove the policy assignment created in this article, follow these steps:
 
-1. Select **Compliance** (or **Assignments**) in the left side of the Azure Policy page and locate
-   the _Audit VMs that do not use managed disks_ policy assignment you created.
+1. On the **Policy** pane, select **Compliance** and locate the _Audit VMs that do not use managed disks_ policy assignment.
 
-1. Right-click the _Audit VMs that do not use managed disks_ policy assignment and select **Delete
-   assignment**.
+1. Select the policy assignment's ellipsis and select **Delete assignment**.
 
-   :::image type="content" source="./media/assign-policy-portal/delete-assignment.png" alt-text="Screenshot of using the context menu to delete an assignment from the Compliance page." border="false":::
+   :::image type="content" source="./media/assign-policy-portal/delete-assignment.png" alt-text="Screenshot of the Compliance pane that highlights the menu to delete a policy assignment." lightbox="./media/assign-policy-portal/delete-assignment.png":::
 
 ## Next steps
 
-In this quickstart, you assigned a policy definition to a scope and evaluated its compliance report.
-The policy definition validates that all the resources in the scope are compliant and identifies
-which ones aren't.
+In this quickstart, you assigned a policy definition to identify non-compliant resources in your Azure environment.
 
-To learn more about assigning policies to validate that new resources are compliant, continue to the
-tutorial for:
+To learn more about how to assign policies that validate if new resources are compliant, continue to the tutorial.
 
 > [!div class="nextstepaction"]
-> [Creating and managing policies](./tutorials/create-and-manage.md)
+> [Tutorial: Create and manage policies to enforce compliance](./tutorials/create-and-manage.md)

articles/governance/policy/index.yml

@@ -10,7 +10,7 @@ metadata:
   ms.topic: landing-page
   author: davidsmatlak
   ms.author: davidsmatlak
-  ms.date: 06/02/2021
+  ms.date: 02/29/2024
 
 landingContent:
   - title: About Azure Policy
@@ -40,7 +40,7 @@ landingContent:
     linkLists:
       - linkListType: quickstart
         links:
-          - text: Assign a policy (Portal)
+          - text: Assign a policy (Azure portal)
             url: ./assign-policy-portal.md
           - text: Assign a policy (Azure CLI)
             url: ./assign-policy-azurecli.md

articles/governance/policy/media/assign-policy-portal/delete-assignment.png

@@ -11,7 +11,7 @@
 - name: Quickstarts
   expanded: false
   items:
-  - name: Assign a policy - Portal
+  - name: Assign a policy - Azure portal
     displayName: assign, compliance
     href: ./assign-policy-portal.md
   - name: Assign a policy - Azure CLI