Manage Azure policy using the Azure Stack Policy Module

Applies to: Azure Stack integrated systems and Azure Stack Development Kit

The Azure Stack Policy module allows you to configure an Azure subscription with the same versioning and service availability as Azure Stack. The module uses the New-AzureRmPolicyAssignment cmdlet to create an Azure policy, which limits the resource types and services available in a subscription. Once the policy is in place, you can use your Azure subscription to develop apps targeted for Azure Stack.

Install the module

  1. Install the required version of the AzureRM PowerShell module, as described in Step 1 of Install PowerShell for Azure Stack.
  2. Download the Azure Stack tools from GitHub.
  3. Configure PowerShell for use with Azure Stack.

  4. Import the AzureStack.Policy.psm1 module:

    Import-Module .\Policy\AzureStack.Policy.psm1
    

Apply policy to subscription

The following commands apply the default Azure Stack policy to your Azure subscription. Before running them, replace Azure Subscription Name with your Azure subscription name.

    # Select the subscription and create the policy definition from the module's default policy
    $s = Select-AzureRmSubscription -SubscriptionName "<Azure Subscription Name>"
    $policy = New-AzureRmPolicyDefinition -Name AzureStackPolicyDefinition -Policy (Get-AzureStackRmPolicy)
    $subscriptionID = $s.Subscription.SubscriptionId
    # Assign the policy at subscription scope
    New-AzureRmPolicyAssignment -Name AzureStack -PolicyDefinition $policy -Scope "/subscriptions/$subscriptionID"

Apply policy to a resource group

You may want to apply policies at a more granular level. For example, you may have other resources running in the same subscription. You can scope the policy assignment to a specific resource group, which lets you test your apps for Azure Stack using Azure resources without affecting the rest of the subscription. Before running, replace Azure Subscription Name with your Azure subscription name.

    # Resource group that the policy is scoped to
    $rgName = 'myRG01'
    $s = Select-AzureRmSubscription -SubscriptionName "<Azure Subscription Name>"
    $subscriptionID = $s.Subscription.SubscriptionId
    $policy = New-AzureRmPolicyDefinition -Name AzureStackPolicyDefinition -Policy (Get-AzureStackRmPolicy)
    # Assign the policy at resource group scope
    New-AzureRmPolicyAssignment -Name AzureStack -PolicyDefinition $policy -Scope "/subscriptions/$subscriptionID/resourceGroups/$rgName"
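
To confirm that the assignment exists at the scope you intended and points at the Azure Stack definition, you can query it back. The following is an added example, not part of the Azure Stack tools: `Test-AzureStackPolicyScope` is a hypothetical helper name, and it assumes the assignment and definition names used above.

```powershell
# Added example. Test-AzureStackPolicyScope is a hypothetical helper name;
# the assignment and definition names match the ones used on this page.
function Test-AzureStackPolicyScope {
    param(
        [Parameter(Mandatory = $true)][string]$SubscriptionName,
        [string]$ResourceGroupName,   # omit to check the subscription scope
        [string]$AssignmentName = 'AzureStack',
        [string]$DefinitionName = 'AzureStackPolicyDefinition'
    )

    $s = Select-AzureRmSubscription -SubscriptionName $SubscriptionName
    $scope = "/subscriptions/$($s.Subscription.SubscriptionId)"
    if ($ResourceGroupName) {
        # Fail early on a mistyped group name instead of reporting "no assignment".
        $null = Get-AzureRmResourceGroup -Name $ResourceGroupName -ErrorAction Stop
        $scope = "$scope/resourceGroups/$ResourceGroupName"
    }

    # Both lookups return nothing (rather than stopping) when the object is missing.
    $definition = Get-AzureRmPolicyDefinition -Name $DefinitionName -ErrorAction SilentlyContinue
    $assignment = Get-AzureRmPolicyAssignment -Name $AssignmentName -Scope $scope -ErrorAction SilentlyContinue

    # Assumption: the assignment object exposes the linked definition
    # as Properties.policyDefinitionId.
    $linkedId = if ($assignment) { $assignment.Properties.policyDefinitionId } else { $null }

    [pscustomobject]@{
        Scope              = $scope
        DefinitionFound    = [bool]$definition
        AssignmentFound    = [bool]$assignment
        LinkedToDefinition = [bool]($definition -and $linkedId -and
                                    ($linkedId -eq $definition.PolicyDefinitionId))
    }
}

# Constructed sample values: replace the placeholder and the resource group name.
$result = Test-AzureStackPolicyScope -SubscriptionName '<Azure Subscription Name>' -ResourceGroupName 'myRG01'
$result | Format-List
if (-not $result.LinkedToDefinition) {
    Write-Warning "No Azure Stack policy assignment found at $($result.Scope)."
}
```

An assignment made at subscription scope also applies to the resource groups beneath it, so if the resource group check reports nothing, run the helper again without `-ResourceGroupName` before concluding that the policy is absent.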

Policy in action

Once you've deployed the Azure policy, you receive an error when you try to deploy a resource that is prohibited by the policy.

Result of resource deployment failure because of policy constraint

Next steps

Deploy templates with PowerShell

Deploy templates with Azure CLI

Deploy Templates with Visual Studio