- An empty or missing value causes policy evaluation to include all namespaces, except those
392
+
- An empty or missing value causes policy evaluation to include all namespaces, except the ones
389
393
defined in _excludedNamespaces_.
390
394
-**excludedNamespaces** (required)
391
395
- An _array_ of
@@ -449,6 +453,70 @@ location of the Constraint template to use in Kubernetes to limit the allowed co
449
453
}
450
454
}
451
455
```
456
+
## DenyAction (preview)
457
+
458
+
`DenyAction` is used to block requests on intended action to resources. The only supported action today is `DELETE`. This effect will help prevent any accidental deletion of critical resources.
459
+
460
+
### DenyAction evaluation
461
+
462
+
When a request call with an applicable action name and targeted scope is submitted, `denyAction` prevents the request from succeeding. The request is returned as a `403 (Forbidden)`. In the portal, the Forbidden can be viewed as a status on the deployment that was prevented by the policy
463
+
assignment.
464
+
465
+
`Microsoft.Authorization/policyAssignments`, `Microsoft.Authorization/denyAssignments`, `Microsoft.Blueprint/blueprintAssignments`, `Microsoft.Resources/deploymentStacks`, and `Microsoft.Authorization/locks` are all exempt from DenyAction enforcement to prevent lockout scenarios.
466
+
467
+
> [!NOTE]
468
+
> Under preview, assignments with `denyAction` effect will show a `Not Started` compliance state.
469
+
470
+
#### Subscription deletion
471
+
Policy won't block removal of resources that happens during a subscription deletion.
472
+
473
+
#### Resource group deletion
474
+
Policy will evaluate resources that support location and tags against `DenyAction` policies during a resource group deletion. Only policies that have the `cascadeBehaviors` set to `deny` in the policy rule will block a resource group deletion. Policy won't block removal of resources that don't support location and tags nor any policy with `mode:all`.
475
+
476
+
#### Cascade deletion
477
+
Cascade deletion occurs when deleting of a parent resource is implicitly deletes all its child resources. Policy won't block removal of child resources when a delete action targets the parent resources. For example, `Microsoft.Insights/diagnosticSettings` is a child resource of `Microsoft.Storage/storageaccounts`. If a `denyAction` policy targets `Microsoft.Insights/diagnosticSettings`, a delete call to the diagnostic setting (child) will fail, but a delete to the storage account (parent) will implicitly delete the diagnostic setting (child).
The **details** property of the DenyAction effect has all the subproperties that define the action and behaviors.
484
+
485
+
-**actionType** (required)
486
+
- An _array_ that specifies what actions to prevent from being executed.
487
+
- Supported action type is: `delete`.
488
+
-**cascadeBehaviors** (optional)
489
+
- An _object_ that defines what behavior will be followed when the resource is being implicitly deleted by the removal of a resource group.
490
+
- Only supported for `mode:indexed`.
491
+
- Allowed values are `allow` or `deny`.
492
+
- Default value is `deny`.
493
+
494
+
### DenyAction example
495
+
Example: Deny any delete calls targeting database accounts that have a tag environment that equals prod. Since cascade behavior is set to deny, block any DELETE call that targets a resource group with an applicable database account.
496
+
497
+
```json
498
+
{
499
+
"if": {
500
+
"allOf": [
501
+
{
502
+
"field": "type",
503
+
"equals": "Microsoft.DocumentDb/accounts"
504
+
},
505
+
{
506
+
"field": "tags.environment",
507
+
"equals": "prod"
508
+
}
509
+
]
510
+
},
511
+
"then": {
512
+
"effect": "DenyAction",
513
+
"details": {
514
+
"actionNames": [ "delete" ],
515
+
"cascadeBehaviors": { "resourceGroup": "deny" }
516
+
}
517
+
}
518
+
}
519
+
```
452
520
453
521
## DeployIfNotExists
454
522
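Review bot: the property reference in this hunk and the JSON example that follows it disagree on the name of the required sub-property. The list documents **actionType** ("An _array_ that specifies what actions to prevent from being executed"), but the example rule uses `"actionNames": [ "delete" ]`; one of the two is wrong, and a reader working from the reference would write a rule that does not match the example. Use whichever name the policy engine accepts in both places. Smaller points in the same hunk: the Cascade deletion paragraph reads "Cascade deletion occurs when deleting of a parent resource is implicitly deletes all its child resources" and should be "Cascade deletion occurs when deleting a parent resource implicitly deletes all its child resources"; the action value is written `DELETE` in the introduction and `delete` in the property list, so state once whether the value is case-sensitive; and since the `cascadeBehaviors` description says the default is already `deny`, the example text ("Since cascade behavior is set to deny, block any DELETE call that targets a resource group") would be clearer if it said the example sets the value explicitly rather than implying the setting changes the default behaviour.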
@@ -622,7 +690,7 @@ logs, and the policy effect don't occur. For more information, see
622
690
623
691
## Manual (preview)
624
692
625
-
The new `manual` (preview) effect enables you to self-attest the compliance of resources or scopes. Unlike other policy definitions that actively scan for evaluation, the Manual effect allows for manual changes to the compliance state. To change the compliance of a resource or scope targeted by a manual policy, you'll need to create an [attestation](attestation-structure.md). The [best practice](attestation-structure.md#best-practices) is to design manual policies that target the scope which defines the boundary of resources whose compliance need attesting.
693
+
The new `manual` (preview) effect enables you to self-attest the compliance of resources or scopes. Unlike other policy definitions that actively scan for evaluation, the Manual effect allows for manual changes to the compliance state. To change the compliance of a resource or scope targeted by a manual policy, you'll need to create an [attestation](attestation-structure.md). The [best practice](attestation-structure.md#best-practices) is to design manual policies that target the scope that defines the boundary of resources whose compliance need attesting.
626
694
627
695
> [!NOTE]
628
696
> During Public Preview, support for manual policy is available through various Microsoft Defender
articles/governance/policy/concepts/evaluate-impact.md (3 additions & 5 deletions)
@@ -6,14 +6,13 @@ ms.topic: conceptual
6
6
---
7
7
# Evaluate the impact of a new Azure Policy definition
8
8
9
-
Azure Policy is a powerful tool for managing your Azure resources to business standards and to meet
9
+
Azure Policy is a powerful tool for managing your Azure resources to meet business standards
10
10
compliance needs. When people, processes, or pipelines create or update resources, Azure Policy
11
11
reviews the request. When the policy definition effect is [Modify](./effects.md#modify),
12
12
[Append](./effects.md#deny), or [DeployIfNotExists](./effects.md#deployifnotexists), Policy alters
13
13
the request or adds to it. When the policy definition effect is [Audit](./effects.md#audit) or
14
14
[AuditIfNotExists](./effects.md#auditifnotexists), Policy causes an Activity log entry to be created
15
-
for new and updated resources. And when the policy definition effect is [Deny](./effects.md#deny),
16
-
Policy stops the creation or alteration of the request.
15
+
for new and updated resources. And when the policy definition effect is [Deny](./effects.md#deny) or [DenyAction](./effects.md#denyaction-preview), Policy stops the creation or alteration of the request.
17
16
18
17
These outcomes are exactly as desired when you know the policy is defined correctly. However, it's
19
18
important to validate a new policy works as intended before allowing it to change or block work. The
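Review bot: the rewritten opening sentence loses its conjunction. New line 9 ends "to meet business standards" and the unchanged line 10 still begins "compliance needs.", so the paragraph now reads "managing your Azure resources to meet business standards compliance needs". Either restore the "and" ("to meet business standards and compliance needs") or rewrap line 10 to match the new wording. Not part of this change, but visible in the context: the `[Append](./effects.md#deny)` link on line 12 points at the Deny anchor rather than an Append one, which is worth fixing while the paragraph is being edited.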
@@ -110,8 +109,7 @@ setup appropriate
110
109
[Azure Monitor alerts and notifications](../../../azure-monitor/alerts/alerts-overview.md) for
111
110
when non-compliant devices are identified. It's also recommended to evaluate the policy definition
112
111
and related assignments on a scheduled basis to validate the policy definition is meeting business
113
-
policy and compliance needs. Policies should be removed if no longer needed. Policies also need
114
-
updating from time to time as the underlying Azure resources evolve and add new properties and
112
+
policy and compliance needs. Policies should be removed if no longer needed. Policies also need to update from time to time as the underlying Azure resources evolve and add new properties and
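Review bot: "Policies also need to update from time to time" changes the meaning of the original "Policies also need updating from time to time": the new wording says the policies update themselves, whereas the intent is that someone has to update them as the underlying resources evolve. Suggest "Policies also need to be updated from time to time". The hunk also merges two wrapped lines into one long line, which breaks the roughly 100-column wrapping used throughout this file; keep the wrap unless the whole file is being reflowed.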
articles/governance/policy/overview.md (5 additions & 13 deletions)
@@ -36,7 +36,7 @@ All Azure Policy data and objects are encrypted at rest. For more information, s
36
36
37
37
## Overview
38
38
39
-
Azure Policy evaluates resources in Azure by comparing the properties of those resources to business
39
+
Azure Policy evaluates resources and actions in Azure by comparing the properties of those resources to business
40
40
rules. These business rules, described in [JSON format](./concepts/definition-structure.md), are
41
41
known as [policy definitions](#policy-definition). To simplify management, several business rules
42
42
can be grouped together to form a [policy initiative](#initiative-definition) (sometimes called a
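Review bot: the new subject "resources and actions" is not matched by the rest of the sentence, which still says "by comparing the properties of those resources to business rules", so the reader is left unsure how an action is evaluated. Either say how an action is evaluated (for example, against the properties of the resource the action targets) or keep "resources" here and introduce actions where the DenyAction effect is described. The replaced line is also left unwrapped where the surrounding text wraps at about 100 columns.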
@@ -79,6 +79,7 @@ how an organization wants the platform to respond to a non-compliant resource in
79
79
- Alter the resource before the change
80
80
- Alter the resource after the change
81
81
- Deploy related compliant resources
82
+
- Block actions on resources
82
83
83
84
Azure Policy makes each of these business responses possible through the application of
84
85
[effects](./concepts/effects.md). Effects are set in the **policy rule** portion of the
@@ -104,19 +105,12 @@ on Channel 9.
104
105
### Azure Policy and Azure RBAC
105
106
106
107
There are a few key differences between Azure Policy and Azure role-based access control (Azure
107
-
RBAC). Azure Policy evaluates state by examining properties on resources that are represented in
108
-
Resource Manager and properties of some Resource Providers. Azure Policy doesn't restrict actions
109
-
(also called _operations_). Azure Policy ensures that resource state is compliant to your business
110
-
rules without concern for who made the change or who has permission to make a change. Some Azure
111
-
Policy resources, such as [policy definitions](#policy-definition),
112
-
[initiative definitions](#initiative-definition), and [assignments](#assignments), are visible to
113
-
all users. This design enables transparency to all users and services for what policy rules are set
108
+
RBAC). Azure Policy evaluates state by examining properties on resources that are represented in Resource Manager and properties of some Resource Providers. Azure Policy ensures that resource state is compliant to your business rules without concern for who made the change or who has permission to make a change. Azure Policy through DenyAction effect can also block certain actions on resources. Some Azure Policy resources, such as [policy definitions](#policy-definition), [initiative definitions](#initiative-definition), and [assignments](#assignments), are visible to all users. This design enables transparency to all users and services for what policy rules are set
114
109
in their environment.
115
110
116
111
Azure RBAC focuses on managing user
117
112
[actions](../../role-based-access-control/resource-provider-operations.md) at different scopes. If
118
-
control of an action is required, then Azure RBAC is the correct tool to use. Even if an individual
119
-
has access to perform an action, if the result is a non-compliant resource, Azure Policy still
113
+
control of an action is required based on user information, then Azure RBAC is the correct tool to use. Even if an individual has access to perform an action, if the result is a non-compliant resource, Azure Policy still
120
114
blocks the create or update.
121
115
122
116
The combination of Azure RBAC and Azure Policy provides full scope control in Azure.
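Review bot: "Azure Policy through DenyAction effect can also block certain actions on resources" is missing its article and commas; suggest "Azure Policy, through the DenyAction effect, can also block certain actions on resources". Because this hunk deletes the sentence "Azure Policy doesn't restrict actions (also called _operations_)", the paragraph should still make the contrast with Azure RBAC explicit, for instance that DenyAction blocks an action based on the properties of the targeted resource rather than on who is making the request; the later phrase "if control of an action is required based on user information" hints at this, but the reader has to infer it. The edit also collapses seven wrapped lines into one, which will make future diffs of this paragraph hard to review; rewrap at the file's usual width.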
@@ -185,9 +179,7 @@ settings and objects. To find out more, see
185
179
186
180
Here are a few pointers and tips to keep in mind:
187
181
188
-
- Start with an audit effect instead of a deny effect to track impact of your policy definition on
189
-
the resources in your environment. If you have scripts already in place to autoscale your
190
-
applications, setting a deny effect may hinder such automation tasks already in place.
182
+
- Start with an `audit` or `auditIfNotExist` effect instead of an enforcement (`deny`, `modify`, `deployIfNotExist`) effect to track impact of your policy definition on the resources in your environment. If you have scripts already in place to autoscale your applications, setting an enforcement effect may hinder such automation tasks already in place.
191
183
192
184
- Consider organizational hierarchies when creating definitions and assignments. We recommend
193
185
creating definitions at higher levels such as the management group or subscription level. Then,
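Review bot: the effect names in the new bullet do not match the names used elsewhere in these docs. The bullet has `auditIfNotExist` and `deployIfNotExist`, while the effects page headings and the links added to evaluate-impact.md in this same commit use `AuditIfNotExists` and `DeployIfNotExists`, with a trailing "s". Please use the documented names. Since this commit introduces DenyAction as an enforcement effect, consider listing `denyAction` alongside `deny`, `modify` and `deployIfNotExists` in the parenthetical. The same unwrapped-long-line issue as in the earlier hunks applies here.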
This table describes if a resource will be protected from deletion given the resource applicable to the assigned denyAction policy and the targeted scope of the DELETE call. In the context of this table, an indexed resource is one that supports tags and locations and a non-indexed resource is one that doesn't support tags or locations. For more information on indexed and non-indexed resources, reference [definition modes](../articles/governance/policy/concepts/definition-structure.md). Child resources are resources that exist only within the context of another resource. For example, a virtual machines extension resource is a child of the virtual machine, whom is the parent resource.
12
+
13
+
| Entity being deleted| Entity applicable to policy conditions | Action taken |
14
+
|---|---|---|
15
+
| Resource | Resource | Protected |
16
+
| Subscription | Resource | Deleted |
17
+
| Resource group | Indexed resource| Depends on `cascadeBehaviors`|
18
+
| Resource group | Non indexed resource| Deleted |
19
+
| Child resource | Parent resource | Parent is protected; child is deleted |
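Review bot: "a child of the virtual machine, whom is the parent resource" should read "which is the parent resource". The table covers the case where the child is deleted and the parent matches the policy, but not the case described in the Cascade deletion section of effects.md in this same commit (the policy applies to the child, the DELETE targets the parent, and the child is implicitly deleted); adding that row would make the include self-contained. Minor: "Non indexed resource" should be hyphenated to match "non-indexed" in the paragraph above, and "This table describes if a resource will be protected" reads better as "This table describes whether a resource is protected".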