| 1 | +--- |
| 2 | +title: Deploy Azure Policy to delegated subscriptions at scale |
| 3 | +description: Learn how Azure delegated resource management lets you deploy a policy definition and policy assignment across multiple tenants. |
| 4 | +author: JnHs |
| 5 | +ms.author: jenhayes |
| 6 | +ms.service: lighthouse |
| 7 | +ms.date: 11/8/2019 |
| 8 | +ms.topic: overview |
| 9 | +manager: carmonm |
| 10 | +--- |
| 11 | + |
| 12 | +# Deploy Azure Policy to delegated subscriptions at scale |
| 13 | + |
| 14 | +As a service provider, you may have onboarded multiple customer tenants for Azure delegated resource management. Azure Lighthouse allows service providers to perform operations at scale across several tenants at once, making management tasks more efficient. |
| 15 | + |
| 16 | +This topic shows you how to use [Azure Policy](https://docs.microsoft.com/azure/governance/policy/) to deploy a policy definition and policy assignment across multiple tenants using PowerShell commands. In this example, the policy definition ensures that storage accounts are secured by allowing only HTTPS traffic. |
| 17 | + |
| 18 | +## Use Azure Resource Graph to query across customer tenants |
| 19 | + |
| 20 | +You can use [Azure Resource Graph](https://docs.microsoft.com/azure/governance/resource-graph/) to query across all subscriptions in the customer tenants that you manage. In this example, we’ll identify any storage accounts in these subscriptions that do not currently require HTTPS traffic. |
| 21 | + |
| 22 | +```powershell |
| 23 | +$MspTenant = "insert your managing tenantId here" |
| 24 | +
|
| 25 | +$subs = Get-AzSubscription |
| 26 | +
|
| 27 | +$ManagedSubscriptions = Search-AzGraph -Query "ResourceContainers | where type == 'microsoft.resources/subscriptions' | where tenantId != '$($mspTenant)' | project name, subscriptionId, tenantId" -subscription $subs.subscriptionId |
| 28 | +
|
| 29 | +Search-AzGraph -Query "Resources | where type =~ 'Microsoft.Storage/storageAccounts' | project name, location, subscriptionId, tenantId, properties.supportsHttpsTrafficOnly" -subscription $ManagedSubscriptions.subscriptionId | convertto-json |
| 30 | +``` |
| 31 | + |
| 32 | +## Deploy a policy across multiple customer tenants |
| 33 | + |
| 34 | +The example below shows how to use an [Azure Resource Manager template](https://github.com/Azure/Azure-Lighthouse-samples/blob/master/Azure-Delegated-Resource-Management/templates/policy-enforce-https-storage/enforceHttpsStorage.json) to deploy a policy definition and policy assignment across delegated subscriptions in multiple customer tenants. This policy definition requires all storage accounts to use HTTPS traffic, preventing the creation of any new storage accounts that don’t comply and marking existing storage accounts without the setting as non-compliant. |
| 35 | + |
| 36 | +```powershell |
| 37 | +Write-Output "In total, there are $($ManagedSubscriptions.Count) delegated customer subscriptions to be managed" |
| 38 | +
|
| 39 | +foreach ($ManagedSub in $ManagedSubscriptions) |
| 40 | +{ |
| 41 | + Select-AzSubscription -SubscriptionId $ManagedSub.subscriptionId |
| 42 | +
|
| 43 | + New-AzDeployment -Name mgmt ` |
| 44 | + -Location eastus ` |
| 45 | + -TemplateUri "https://raw.githubusercontent.com/Azure/Azure-Lighthouse-samples/master/Azure-Delegated-Resource-Management/templates/policy-enforce-https-storage/enforceHttpsStorage.json" ` |
| 46 | + -AsJob |
| 47 | +} |
| 48 | +``` |
| 49 | + |
| 50 | +## Validate the policy deployment |
| 51 | + |
| 52 | +After you’ve deployed the Azure Resource Manager template, you can confirm that the policy definition was successfully applied by attempting to create a storage account with **EnableHttpsTrafficOnly** set to **false** in one of your delegated subscriptions. Because of the policy assignment, you should be unable to create this storage account. |
| 53 | + |
| 54 | +```powershell |
| 55 | +New-AzStorageAccount -ResourceGroupName (New-AzResourceGroup -name policy-test -Location eastus -Force).ResourceGroupName ` |
| 56 | + -Name (get-random) ` |
| 57 | + -Location eastus ` |
| 58 | + -EnableHttpsTrafficOnly $false ` |
| 59 | + -SkuName Standard_LRS ` |
| 60 | + -Verbose |
| 61 | +``` |
| 62 | + |
| 63 | +## Clean up resources |
| 64 | + |
| 65 | +When you’re finished, remove the policy definition and assignment created by the deployment. |
| 66 | + |
| 67 | +```powershell |
| 68 | +foreach ($ManagedSub in $ManagedSubscriptions) |
| 69 | +{ |
| 70 | + select-azsubscription -subscriptionId $ManagedSub.subscriptionId |
| 71 | +
|
| 72 | + Remove-AzDeployment -Name mgmt -AsJob |
| 73 | +
|
| 74 | + $Assignment = Get-AzPolicyAssignment | where-object {$_.Name -like "enforce-https-storage-assignment"} |
| 75 | +
|
| 76 | + if ([string]::IsNullOrEmpty($Assignment)) |
| 77 | + { |
| 78 | + Write-Output "Nothing to clean up - we're done" |
| 79 | + } |
| 80 | + else |
| 81 | + { |
| 82 | +
|
| 83 | + Remove-AzPolicyAssignment -Name 'enforce-https-storage-assignment' -Scope "/subscriptions/$($ManagedSub.subscriptionId)" -Verbose |
| 84 | +
|
| 85 | + Write-Output "Deployment has been deleted - we're done" |
| 86 | + } |
| 87 | +} |
| 88 | +``` |
| 89 | + |
| 90 | +## Next steps |
| 91 | + |
| 92 | +- Learn about [Azure Policy](https://docs.microsoft.com/azure/governance/policy/). |
| 93 | +- Learn about [cross-tenant management experiences](../concepts/cross-tenant-management-experience.md). |
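Review bot: the clean-up loop does not do what the prose at line 65 promises ("remove the policy definition and assignment"): `Remove-AzDeployment -Name mgmt -AsJob` only deletes the deployment record, and the only policy resource removed is the assignment via `Remove-AzPolicyAssignment`, so the policy definition created by the template stays behind in every delegated subscription. Either add a `Remove-AzPolicyDefinition` step after the assignment is removed or reword the sentence, and also delete the `policy-test` resource group created by the validation step, which this section never cleans up. Two smaller points in the same block: `[string]::IsNullOrEmpty($Assignment)` coerces the assignment object to a string, so `$null -eq $Assignment` is the idiomatic emptiness test, and the message "Deployment has been deleted - we're done" is printed after deleting the assignment, not the deployment. Separately, the Resource Graph section says the query identifies storage accounts that "do not currently require HTTPS traffic", but the query has no `where` clause on `properties.supportsHttpsTrafficOnly` and returns every storage account; either add that filter or describe the query as listing the setting for all accounts. Minor: `$MspTenant` is declared with one casing and interpolated as `$mspTenant`; PowerShell variables are case-insensitive so it works, but the two spellings should match.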