NielsKok.Tech

Microsoft 365, Azure (DevOps) and Automation

Azure DevOps Infrastructure as code

Deploy Azure Policy to ManagementGroup with Bicep

ByNiels Kok

Oct 1, 2021 , , , , , , ,

I have tinkered with this for a bit. So, I thought let’s share it with the world. This blog is about how to deploy azure policy to a managementgroup using the Bicep language.

A management group helps you to assign policy’s to multiple azure subscriptions. Furthermore, new subscriptions can easily be added to the existing management groups. As a result, policy’s are assigned automatically to new subscriptions.

Let’s start!

Prerequisites

Optional: Install Visual Studio Code with GIT – Guide for Installation

Azure Powershell Modules – Download link

Powershell 7 (recommended) – Download link

Bicep compiler/modules – Download link

Management Group creation

Firstly, we need to create a management group.

We use powershell to do so. Log on to Azure Powershell with the following code:

Connect-AzAccount

After that, run this piece of code to create the management group

New-AzManagementGroup -GroupName 'Nielskok.tech-Demo' -DisplayName 'Nielskok.tech DEMO'

As as result, this managementgroup is available:

Deploy Azure Policy to ManagementGroup with Bicep - Management group creation

By default, there are no subscriptions assigned to a management group. We assign the subscriptions later in the process.

Policy assigment via Bicep

We use the bicep language to assign an Azure Policy to the management group. The policy which we use is:

‘audit-vm-manageddisks’

This policy checks whether virtual machines uses managed disks. Managed disks are covered by the 99,95% SLA coverage by Microsoft. So, we need to make sure that our virtual machines use these disks.

The syntax of the bicep file looks like this:

targetScope = 'managementGroup'

param policyAssignmentName string = 'audit-vm-manageddisks'
param policyDefinitionID string = '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d'

resource assignment 'Microsoft.Authorization/policyAssignments@2020-09-01' = {
    name: policyAssignmentName
    scope: managementGroup()
    properties: {
        policyDefinitionId: policyDefinitionID
    }
}
output assignmentId string = assignment.id

Save this file as ‘AzurePolicy.bicep’.

We use the Azure CLI application to deploy this bicep template to Azure. It is fairly simple.

Firstly, use this command to logon with the Azure CLI:

az login

After that, use this command to select the right subscription:

az account set --subscription "YOUR SUBSCRIPTION ID"

Lastly, deploy the bicep template with this code:

az deployment mg create `
 --location westeurope `
 --management-group-id "YOUR MANAGEMENT GROUP NAME/ID" `
 --template-file "YOUR PATH TO YOUR BICEP Template"

This is the result of the template deployment:

Deploy Azure Policy to ManagementGroup with Bicep - Management group assignment

And that is how you deploy Azure Policy to a ManagementGroup with Bicep!

References

Bicep Template for Policy assignment

Other Posts:

Azure Logon Subscription Menu

Snapshot Managed disk to storage account

By Niels Kok

Related Post

Azure Virtual Desktop Infrastructure as code

Set PageFile via CustomScriptExtension and Bicep

Sep 12, 2022 Niels Kok
DevOps Windows 365

Packer YAML Windows 365 Image

Jul 26, 2022 Niels Kok
Azure Azure Virtual Desktop DevOps Infrastructure as code

Use BICEP to add a new version to AzureComputeGallery

Jul 15, 2022 Niels Kok

Leave a Reply

Your email address will not be published. Required fields are marked *

You missed

Intune

Deploy SCEP Certificate Connector Intune

May 31, 2023 Niels Kok
Azure Virtual Desktop Powershell Automation

Enable or Disable autoscaling on AVD hostpool with Powershell

Apr 14, 2023 Niels Kok
Intune

Discover specific apps on Intune Windows Devices

Apr 6, 2023 Niels Kok
Intune Powershell Automation

Notification about untagged Autopilot devices

Mar 28, 2023 Niels Kok