Manage Azure policy using the Azure Stack Policy Module

Applies to: Azure Stack integrated systems and Azure Stack Development Kit

The Azure Stack Policy module allows you to configure an Azure subscription with the same versioning and service availability as Azure Stack. The module uses the New-AzureRMPolicyAssignment cmdlet to create an Azure policy, which limits the resource types and services available in a subscription. After configuring the policy, you can use your Azure subscription to develop apps targeted for Azure Stack.

Install the module

  1. Install the required version of the AzureRM PowerShell module, as described in Step 1 of Install PowerShell for Azure Stack.
  2. Download the Azure Stack tools from GitHub.
  3. Configure PowerShell for use with Azure Stack.

  4. Import the AzureStack.Policy.psm1 module:

    Import-Module .\Policy\AzureStack.Policy.psm1
    

Apply policy to Azure subscription

Use the following commands to apply the default Azure Stack policy to your Azure subscription. Before running them, replace Azure Subscription Name with your Azure subscription name.

    Add-AzureRmAccount
    $s = Select-AzureRmSubscription -SubscriptionName "<Azure Subscription Name>"
    $policy = New-AzureRmPolicyDefinition -Name AzureStackPolicyDefinition -Policy (Get-AzsPolicy)
    $subscriptionID = $s.Subscription.SubscriptionId
    New-AzureRmPolicyAssignment -Name AzureStack -PolicyDefinition $policy -Scope /subscriptions/$subscriptionID

Apply policy to a resource group

You may want to apply policies that are more granular. As an example, you might have other resources running in the same subscription. You can scope the policy application to a specific resource group, which lets you test your apps for Azure Stack using Azure resources. Before running the following command, replace Azure Subscription Name with your Azure subscription name.

    Add-AzureRmAccount
    $rgName = 'myRG01'
    $s = Select-AzureRmSubscription -SubscriptionName "<Azure Subscription Name>"
    $policy = New-AzureRmPolicyDefinition -Name AzureStackPolicyDefinition -Policy (Get-AzsPolicy)
    # Resolve the subscription ID here so the scope below is well-formed when this block is run on its own
    $subscriptionID = $s.Subscription.SubscriptionId
    New-AzureRmPolicyAssignment -Name AzureStack -PolicyDefinition $policy -Scope /subscriptions/$subscriptionID/resourceGroups/$rgName

Policy in action

Once you've deployed the Azure policy, you receive an error when you try to deploy a resource that is prohibited by policy.

Result of resource deployment failure because of policy constraint
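
To confirm that the policy is actually assigned at the scope you intended, you can run a check like the following. This is an added example, not part of the original article or the Azure Stack tools: the function name Confirm-AzsPolicyAssignment is hypothetical, and it assumes that Get-AzsPolicy returns the policy rule as JSON in the standard Azure Policy "if"/"then" shape.

```powershell
# Added example. Run after Add-AzureRmAccount and Import-Module .\Policy\AzureStack.Policy.psm1.
# Confirm-AzsPolicyAssignment is a hypothetical helper name, not a cmdlet from the module.
function Confirm-AzsPolicyAssignment {
    param(
        [Parameter(Mandatory)] [string] $SubscriptionName,
        [string] $ResourceGroupName,              # omit to check the subscription scope
        [string] $AssignmentName = 'AzureStack'   # assignment name used in the commands above
    )

    $s = Select-AzureRmSubscription -SubscriptionName $SubscriptionName
    $subscriptionID = $s.Subscription.SubscriptionId
    # An empty ID would produce a malformed scope such as "/subscriptions//resourceGroups/...".
    if ([string]::IsNullOrWhiteSpace($subscriptionID)) {
        throw "Could not resolve a subscription ID for '$SubscriptionName'."
    }

    $scope = "/subscriptions/$subscriptionID"
    if ($ResourceGroupName) { $scope = "$scope/resourceGroups/$ResourceGroupName" }

    # Assumption: the rule JSON exposes its effect at .then.effect.
    $rule = ConvertFrom-Json -InputObject (Get-AzsPolicy | Out-String)
    $effect = $rule.then.effect

    # Look up the assignment at exactly this scope; a missing one is reported, not thrown.
    $assignment = Get-AzureRmPolicyAssignment -Name $AssignmentName -Scope $scope `
        -ErrorAction SilentlyContinue

    if (-not $assignment) {
        Write-Warning "No assignment named '$AssignmentName' at $scope; deployments there are not restricted."
    }
    if ($effect -ne 'deny') {
        Write-Warning "Policy effect is '$effect', so prohibited deployments may not be blocked."
    }

    [pscustomobject]@{
        Scope        = $scope
        Effect       = $effect
        Assigned     = [bool]$assignment
        AssignmentId = $assignment.ResourceId
    }
}

Confirm-AzsPolicyAssignment -SubscriptionName '<Azure Subscription Name>' -ResourceGroupName 'myRG01'
```

A resource-group assignment restricts only that resource group, so run the check once for each scope you rely on. The assignment stays in force until you remove it with Remove-AzureRmPolicyAssignment, after which the definition can be removed with Remove-AzureRmPolicyDefinition.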
