Deploy Azure Policy to ManagementGroup with Bicep

I have tinkered with this for a bit. So, I thought let’s share it with the world. This blog is about how to deploy Azure Policy to a management group using the Bicep language.

A management group helps you to assign policies to multiple Azure subscriptions. Furthermore, new subscriptions can easily be added to the existing management groups. As a result, policies are assigned automatically to new subscriptions.

Let’s start!

Prerequisites

Optional: Install Visual Studio Code with GIT – Guide for Installation

Azure Powershell Modules – Download link

Powershell 7 (recommended) – Download link

Bicep compiler/modules – Download link

Management Group creation

Firstly, we need to create a management group.

We use PowerShell to do so. Log on to Azure PowerShell with the following code:

Connect-AzAccount

After that, run this piece of code to create the management group:

New-AzManagementGroup -GroupName 'Nielskok.tech-Demo' -DisplayName 'Nielskok.tech DEMO'

As a result, this management group is available:

[Screenshot: Management group creation]

By default, there are no subscriptions assigned to a management group. We assign the subscriptions later in the process.

Policy assignment via Bicep

We use the Bicep language to assign an Azure Policy to the management group. The policy which we use is:

‘audit-vm-manageddisks’

This policy checks whether virtual machines use managed disks. Managed disks are covered by the 99.95% SLA from Microsoft. So, we need to make sure that our virtual machines use these disks.

The syntax of the Bicep file looks like this:

// Deploy at management group scope instead of subscription or resource group scope
targetScope = 'managementGroup'

// Name of the assignment and the resource ID of the built-in definition
// "Audit VMs that do not use managed disks"
param policyAssignmentName string = 'audit-vm-manageddisks'
param policyDefinitionID string = '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d'

// A policy assignment is an extension resource; this one is attached to the
// management group the template is deployed to
resource assignment 'Microsoft.Authorization/policyAssignments@2020-09-01' = {
    name: policyAssignmentName
    scope: managementGroup()
    properties: {
        policyDefinitionId: policyDefinitionID
    }
}

// Resource ID of the new assignment, useful for later compliance queries
output assignmentId string = assignment.id

Save this file as ‘AzurePolicy.bicep’.
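The template above assigns the policy with nothing but the definition ID. An assignment usually also needs a display name, a non-compliance message that shows up in the portal and in compliance reports, and a way to exclude scopes (for example a sandbox subscription) from evaluation. The following extended version is an added example and not part of the original post: the policy definition ID is the same built-in definition used above, while the notScopes default, the messages and the metadata values are constructed placeholders you would replace with your own.

```bicep
// Added example: extended management group policy assignment (not the original post's template)
targetScope = 'managementGroup'

@description('Name of the assignment. At management group scope the name is limited to 24 characters.')
@maxLength(24)
param policyAssignmentName string = 'audit-vm-manageddisks'

@description('Resource ID of the built-in definition "Audit VMs that do not use managed disks".')
param policyDefinitionID string = '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d'

@description('Default evaluates and reports; DoNotEnforce lets you stage an assignment without effect.')
@allowed([
  'Default'
  'DoNotEnforce'
])
param enforcementMode string = 'Default'

@description('Full resource IDs of subscriptions or resource groups to exclude, e.g. a sandbox subscription (constructed placeholder; empty by default).')
param notScopes array = []

@description('Message attached to every non-compliant resource (constructed placeholder text).')
param nonComplianceMessage string = 'Virtual machines must use managed disks; convert unmanaged disks before go-live.'

// Extension resource at the target scope, so no explicit scope property is needed
resource assignment 'Microsoft.Authorization/policyAssignments@2020-09-01' = {
  name: policyAssignmentName
  properties: {
    displayName: 'Audit VMs that do not use managed disks'
    description: 'Audits virtual machines in this management group and all child subscriptions for unmanaged disks.'
    policyDefinitionId: policyDefinitionID
    enforcementMode: enforcementMode
    notScopes: notScopes
    nonComplianceMessages: [
      {
        message: nonComplianceMessage
      }
    ]
    metadata: {
      // Constructed placeholder; record who or which pipeline created the assignment
      assignedBy: 'AzurePolicy.bicep via az deployment mg create'
    }
  }
}

// Both values are handy when you later query compliance with `az policy state summarize`
output assignmentId string = assignment.id
output assignedScope string = managementGroup().id
```

The notScopes parameter is the part to use carefully: every excluded scope is a blind spot in your compliance reporting, so keep the list short and pass it explicitly at deployment time (for example with `--parameters notScopes='["/subscriptions/<sandbox-subscription-id>"]'`) rather than baking exclusions into the template default.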

We use the Azure CLI to deploy this Bicep template to Azure. It is fairly simple.

Firstly, use this command to log on with the Azure CLI:

az login

After that, use this command to select the right subscription:

az account set --subscription "YOUR SUBSCRIPTION ID"

Lastly, deploy the Bicep template with this code (the trailing backticks are PowerShell line continuations; use a backslash instead when running it from bash):

az deployment mg create `
 --location westeurope `
 --management-group-id "YOUR MANAGEMENT GROUP NAME/ID" `
 --template-file "YOUR PATH TO YOUR BICEP Template"

This is the result of the template deployment:

[Screenshot: Management group policy assignment]

And that is how you deploy Azure Policy to a ManagementGroup with Bicep!
