Skip to content

Commit e99befb

Browse files
authored
Merge pull request #198833 from timwarner-msft/timwarner/applicability
Add Azure Policy applicability article
2 parents 594a8f7 + c30aaf5 commit e99befb

File tree

2 files changed

+49
-0
lines changed

2 files changed

+49
-0
lines changed
Lines changed: 46 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,46 @@
1+
---
2+
title: Azure Policy applicability logic
3+
description: Describes the rules Azure Policy uses to determine whether the policy is applied to its assigned resources.
4+
ms.date: 09/22/2022
5+
ms.topic: conceptual
6+
ms.author: timwarner
7+
author: timwarner-msft
8+
---
9+
# What is applicability in Azure Policy?
10+
11+
When a policy definition is assigned to a scope, Azure Policy scans every resource in that scope to determine what should be considered for compliance evaluation. A resource will only be assessed for compliance if it is considered **applicable** to the given policy assignment.
12+
13+
Applicability is determined by several factors:
14+
- **Conditions** in the `if` block of the [policy rule](../concepts/definition-structure.md#policy-rule).
15+
- **Mode** of the policy definition.
16+
- **Excluded scopes** specified in the assignment.
17+
- **Exemptions** of resources or resource hierarchies.
18+
19+
Condition(s) in the `if` block of the policy rule are evaluated for applicability in slightly different ways based on the effect.
20+
21+
> [!NOTE]
22+
> Applicability is different from compliance, and the logic used to determine each is different. If a resource is **applicable** that means it is relevant to the policy. If a resource is **compliant** that means it adheres to the policy. Sometimes only certain conditions from the policy rule impact applicability, while all conditions of the policy rule impact compliance state.
23+
24+
## Applicability logic for Append/Modify/Audit/Deny/DataPlane effects
25+
26+
Azure Policy evaluates only `type`, `name`, and `kind` conditions in the policy rule `if` expression and treats other conditions as true (or false when negated). If the final evaluation result is true, the policy is applicable. Otherwise, it's not applicable.
27+
28+
Following are special cases to the previously described applicability logic:
29+
30+
|Scenario |Result |
31+
|---------|---------|
32+
|Any invalid aliases in the `if` conditions |The policy is not applicable |
33+
|When the `if` conditions consist of only `kind` conditions |The policy is applicable to all resources |
34+
|When the `if` conditions consist of only `name` conditions |The policy is applicable to all resources |
35+
|When the `if` conditions consist of only `type` and `kind` or `type` and `name` conditions |Only type conditions are considered when deciding applicability |
36+
|When any conditions (including deployment parameters) include a `location` condition |Will not be applicable to subscriptions |
37+
38+
## Applicability logic for AuditIfNotExists and DeployIfNotExists policy effects
39+
40+
The applicability of AuditIfNotExists and DeployIfNotExists policies is based off the entire `if` condition of the policy rule. When the `if` evaluates to false, the policy is not applicable.
41+
42+
## Next steps
43+
44+
- Learn how to [Get compliance data of Azure resources](../how-to/get-compliance-data.md).
45+
- Learn how to [remediate non-compliant resources](../how-to/remediate-resources.md).
46+
- Review the [update in policy compliance for resource type policies](https://azure.microsoft.com/updates/general-availability-update-in-policy-compliance-for-resource-type-policies/).

articles/governance/policy/toc.yml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -193,6 +193,9 @@
193193
- name: Assignment structure
194194
displayName: parameters, enforcementmode, policyDefinitionId
195195
href: ./concepts/assignment-structure.md
196+
- name: Policy applicability
197+
displayName: policy, applicability, scope
198+
href: ./concepts/policy-applicability.md
196199
- name: React to policy state change events
197200
displayName: event grid, subject, topic, subscription
198201
href: ./concepts/event-overview.md

0 commit comments

Comments
 (0)