Quickstart: Create a policy assignment to identify non-compliant resources by using an ARM template

The first step in understanding compliance in Azure is to identify the status of your resources. This quickstart steps you through the process of using an Azure Resource Manager template (ARM template) to create a policy assignment to identify virtual machines that aren't using managed disks. At the end of this process, you'll successfully identify virtual machines that aren't using managed disks. They're non-compliant with the policy assignment.

An ARM template is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project. The template uses declarative syntax, which lets you state what you intend to deploy without having to write the sequence of programming commands to create it.

If your environment meets the prerequisites and you're familiar with using ARM templates, select the Deploy to Azure button. The template will open in the Azure portal.

Button to deploy the ARM template for assigning an Azure Policy to Azure.

Prerequisites

If you don't have an Azure subscription, create a free account before you begin.

Review the template

In this quickstart, you create a policy assignment and assign a built-in policy definition called Audit VMs that do not use managed disks. For a partial list of available built-in policies, see Azure Policy samples.

The template used in this quickstart is from Azure Quickstart Templates.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "policyAssignmentName": {
      "type": "string",
      "defaultValue": "[guid(parameters('policyDefinitionID'), resourceGroup().name)]",
      "metadata": {
        "description": "Specifies the name of the policy assignment, can be used defined or an idempotent name as the defaultValue provides."
      }
    },
    "policyDefinitionID": {
      "type": "string",
      "metadata": {
        "description": "Specifies the ID of the policy definition or policy set definition being assigned."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/policyAssignments",
      "name": "[parameters('policyAssignmentName')]",
      "apiVersion": "2019-09-01",
      "properties": {
        "scope": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', resourceGroup().name)]",
        "policyDefinitionId": "[parameters('policyDefinitionID')]"
      }
    }
  ]
}

The resource defined in the template is:

Deploy the template

Note

Azure Policy service is free. For more information, see Overview of Azure Policy.

  1. Select the following image to sign in to the Azure portal and open the template:

    Button to deploy the ARM template for assigning an Azure Policy to Azure.

  2. Select or enter the following values:

    Name Value
    Subscription Select your Azure subscription.
    Resource group Select Create new, specify a name, and then select OK. In the screenshot, the resource group name is mypolicyquickstart<Date in MMDD>rg.
    Location Select a region. For example, Central US.
    Policy Assignment Name Specify a policy assignment name. You can use the policy definition display if you want. For example, Audit VMs that do not use managed disks.
    Rg Name Specify a resource group name where you want to assign the policy to. In this quickstart, use the default value [resourceGroup().name]. resourceGroup() is a template function that retrieves the resource group.
    Policy Definition ID Specify /providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a.
    I agree to the terms and conditions stated above (Select)
  3. Select Purchase.

Some additional resources:

Validate the deployment

Select Compliance in the left side of the page. Then locate the Audit VMs that do not use managed disks policy assignment you created.

Screenshot of compliance details on the Policy Compliance page.

If there are any existing resources that aren't compliant with this new assignment, they appear under Non-compliant resources.

For more information, see How compliance works.

Clean up resources

To remove the assignment created, follow these steps:

  1. Select Compliance (or Assignments) in the left side of the Azure Policy page and locate the Audit VMs that do not use managed disks policy assignment you created.

  2. Right-click the Audit VMs that do not use managed disks policy assignment and select Delete assignment.

    Screenshot of using the context menu to delete an assignment from the Compliance page.

Next steps

In this quickstart, you assigned a built-in policy definition to a scope and evaluated its compliance report. The policy definition validates that all the resources in the scope are compliant and identifies which ones aren't.

To learn more about assigning policies to validate that new resources are compliant, continue to the tutorial for: