I have tinkered with this for a bit, so I thought I would share it with the world. This blog post is about how to deploy an Azure Policy to a management group using the Bicep language.
A management group lets you assign policies to multiple Azure subscriptions at once. Furthermore, new subscriptions can easily be added to an existing management group. As a result, the policies are assigned automatically to those new subscriptions.
Let’s start!
Prerequisites
Optional: Install Visual Studio Code with GIT – Guide for Installation
Azure Powershell Modules – Download link
Powershell 7 (recommended) – Download link
Bicep compiler/modules – Download link
Management Group creation
Firstly, we need to create a management group.
We use PowerShell to do so. Sign in with Azure PowerShell using the following command:
Connect-AzAccount
After that, run this command to create the management group:
New-AzManagementGroup -GroupName 'Nielskok.tech-Demo' -DisplayName 'Nielskok.tech DEMO'
As a result, this management group is available:

By default, there are no subscriptions assigned to a management group. We assign the subscriptions later in the process.
Policy assignment via Bicep
We use the Bicep language to assign an Azure Policy to the management group. The policy we use is the built-in definition:
‘audit-vm-manageddisks’
This policy audits whether virtual machines use managed disks. Managed disks are covered by Microsoft's 99,95% SLA, so we want to make sure that our virtual machines use them. Note that the policy only audits: it reports non-compliant VMs, it does not change or block them.
The Bicep file looks like this:
targetScope = 'managementGroup'

param policyAssignmentName string = 'audit-vm-manageddisks'
param policyDefinitionID string = '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d'

resource assignment 'Microsoft.Authorization/policyAssignments@2020-09-01' = {
  name: policyAssignmentName
  scope: managementGroup()
  properties: {
    policyDefinitionId: policyDefinitionID
  }
}

output assignmentId string = assignment.id
Save this file as ‘AzurePolicy.bicep’.
We use the Azure CLI to deploy this Bicep template to Azure. It is fairly simple.
Firstly, use this command to sign in with the Azure CLI:
az login
After that, use this command to select the right subscription:
az account set --subscription "YOUR SUBSCRIPTION ID"
Lastly, deploy the Bicep template at management group scope with this command (the backticks are PowerShell line continuations):
az deployment mg create `
  --location westeurope `
  --management-group-id "YOUR MANAGEMENT GROUP NAME/ID" `
  --template-file "YOUR PATH TO YOUR BICEP Template"
This is the result of the template deployment:

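The post mixes Azure PowerShell (management group creation) and the Azure CLI (template deployment) and never shows the step where a subscription is moved under the management group or how to check that the assignment actually does something. The script below is an added example, not code from the original post: it runs the whole procedure in Azure PowerShell, attaches a subscription, deploys the same AzurePolicy.bicep at management group scope, verifies the assignment exists at the expected scope, and lists the VMs the audit policy flags. The subscription id is a placeholder; the management group name and policy assignment name are the ones used in the post. It assumes the Az.Resources and Az.PolicyInsights modules are installed and that the signed-in account has rights to create policy assignments at management group scope (for example Owner or Resource Policy Contributor on the management group).

```powershell
# Added example (not from the original post): end-to-end policy assignment in Azure PowerShell.
# Assumes Az.Resources and Az.PolicyInsights are installed and AzurePolicy.bicep (from the post)
# is next to this script.
$groupName      = 'Nielskok.tech-Demo'                        # management group name from the post
$displayName    = 'Nielskok.tech DEMO'
$assignmentName = 'audit-vm-manageddisks'                     # policyAssignmentName from the Bicep file
$subscriptionId = '00000000-0000-0000-0000-000000000000'      # PLACEHOLDER: your subscription id
$templateFile   = Join-Path $PSScriptRoot 'AzurePolicy.bicep'

Connect-AzAccount | Out-Null

# 1. Create the management group only if it is not there yet, so the script can be re-run.
$mg = Get-AzManagementGroup -GroupName $groupName -ErrorAction SilentlyContinue
if (-not $mg) {
    $mg = New-AzManagementGroup -GroupName $groupName -DisplayName $displayName
}

# 2. Move the subscription under the management group so the assignment applies to it.
New-AzManagementGroupSubscription -GroupName $groupName -SubscriptionId $subscriptionId

# 3. Deploy the Bicep template at management group scope
#    (the Azure PowerShell equivalent of `az deployment mg create`).
$deployment = New-AzManagementGroupDeployment `
    -ManagementGroupId $groupName `
    -Location 'westeurope' `
    -TemplateFile $templateFile `
    -Name "policy-$(Get-Date -Format 'yyyyMMddHHmm')"

# The Bicep output 'assignmentId' is the full resource id of the new assignment.
$assignmentId = $deployment.Outputs['assignmentId'].Value
Write-Host "Deployed assignment: $assignmentId"

# 4. Verify the assignment exists at the management group scope before relying on it.
$scope = "/providers/Microsoft.Management/managementGroups/$groupName"
$assignment = Get-AzPolicyAssignment -Scope $scope |
    Where-Object { $_.Name -eq $assignmentName }
if (-not $assignment) {
    throw "Policy assignment '$assignmentName' was not found at scope $scope"
}

# 5. Compliance data appears after the next policy evaluation cycle (this can take a while).
#    Once it is available, list the VMs the audit policy reports as non-compliant,
#    i.e. the VMs that are not using managed disks.
Get-AzPolicyState -ManagementGroupName $groupName `
    -Filter "PolicyAssignmentName eq '$assignmentName' and ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, ComplianceState, Timestamp
```

Because the policy uses the audit effect, the assignment needs no managed identity; only policies with deployIfNotExists or modify effects require one, and those would need an identity block and a role assignment added to the Bicep resource. If step 5 returns nothing right after deployment, that usually means the evaluation has not run yet rather than that every VM is compliant; re-run it later or trigger an evaluation with Start-AzPolicyComplianceScan.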
And that is how you deploy Azure Policy to a ManagementGroup with Bicep!
References
Bicep Template for Policy assignment