|
| 1 | +--- |
| 2 | +title: Azure Policy applicability logic |
| 3 | +description: Describes the rules Azure Policy uses to determine whether the policy is applied to its assigned resources. |
| 4 | +ms.date: 09/22/2022 |
| 5 | +ms.topic: conceptual |
| 6 | +ms.author: timwarner |
| 7 | +author: timwarner-msft |
| 8 | +--- |
| 9 | +# What is applicability in Azure Policy? |
| 10 | + |
| 11 | +When a policy definition is assigned to a scope, Azure Policy scans every resource in that scope to determine what should be considered for compliance evaluation. A resource will only be assessed for compliance if it is considered **applicable** to the given policy assignment. |
| 12 | + |
| 13 | +Applicability is determined by several factors: |
| 14 | +- **Conditions** in the `if` block of the [policy rule](../concepts/definition-structure.md#policy-rule). |
| 15 | +- **Mode** of the policy definition. |
| 16 | +- **Excluded scopes** specified in the assignment. |
| 17 | +- **Exemptions** of resources or resource hierarchies. |
| 18 | + |
| 19 | +Condition(s) in the `if` block of the policy rule are evaluated for applicability in slightly different ways based on the effect. |
| 20 | + |
| 21 | +> [!NOTE] |
| 22 | +> Applicability is different from compliance, and the logic used to determine each is different. If a resource is **applicable** that means it is relevant to the policy. If a resource is **compliant** that means it adheres to the policy. Sometimes only certain conditions from the policy rule impact applicability, while all conditions of the policy rule impact compliance state. |
| 23 | +
|
| 24 | +## Applicability logic for Append/Modify/Audit/Deny/DataPlane effects |
| 25 | + |
| 26 | +Azure Policy evaluates only `type`, `name`, and `kind` conditions in the policy rule `if` expression and treats other conditions as true (or false when negated). If the final evaluation result is true, the policy is applicable. Otherwise, it's not applicable. |
| 27 | + |
| 28 | +Following are special cases to the previously described applicability logic: |
| 29 | + |
| 30 | +|Scenario |Result | |
| 31 | +|---------|---------| |
| 32 | +|Any invalid aliases in the `if` conditions |The policy is not applicable | |
| 33 | +|When the `if` conditions consist of only `kind` conditions |The policy is applicable to all resources | |
| 34 | +|When the `if` conditions consist of only `name` conditions |The policy is applicable to all resources | |
| 35 | +|When the `if` conditions consist of only `type` and `kind` or `type` and `name` conditions |Only type conditions are considered when deciding applicability | |
| 36 | +|When any conditions (including deployment parameters) include a `location` condition |Will not be applicable to subscriptions | |
| 37 | + |
| 38 | +## Applicability logic for AuditIfNotExists and DeployIfNotExists policy effects |
| 39 | + |
| 40 | +The applicability of AuditIfNotExists and DeployIfNotExists policies is based off the entire `if` condition of the policy rule. When the `if` evaluates to false, the policy is not applicable. |
| 41 | + |
| 42 | +## Next steps |
| 43 | + |
| 44 | +- Learn how to [Get compliance data of Azure resources](../how-to/get-compliance-data.md). |
| 45 | +- Learn how to [remediate non-compliant resources](../how-to/remediate-resources.md). |
| 46 | +- Review the [update in policy compliance for resource type policies](https://azure.microsoft.com/updates/general-availability-update-in-policy-compliance-for-resource-type-policies/). |
0 commit comments