Understand scope in Azure Policy

There are many settings that determine which resources are capable of being evaluated and which resources are evaluated by Azure Policy. The primary concept for these controls is scope. Scope in Azure Policy is based on how scope works in Azure Resource Manager. For a high-level overview, see Scope in Azure Resource Manager. This article explains the importance of scope in Azure Policy and it's related objects and properties.

Definition location

The first instance scope used by Azure Policy is when a policy definition is created. The definition may be saved in either a management group or a subscription. The location determines the scope to which the initiative or policy can be assigned. Resources must be within the resource hierarchy of the definition location to target for assignment.

If the definition location is a:

  • Subscription - Only resources within that subscription can be assigned the policy definition.
  • Management group - Only resources within child management groups and child subscriptions can be assigned the policy definition. If you plan to apply the policy definition to several subscriptions, the location must be a management group that contains each subscription.

The location should be the resource container shared by all resources you want to use the policy definition on exist. This resource container is typically a management group near the root management group.

Assignment scopes

An assignment has several properties that set a scope. The use of these properties determines which resource for Azure Policy to evaluate and which resources count toward compliance. These properties map to the following concepts:

  • Inclusion - A resource hierarchy or individual resource should be evaluated for compliance by the definition. The properties.scope property on an assignment object determines what to include and evaluate for compliance. For more information, see Assignment definition.

  • Exclusion - A resource hierarchy or individual resource shouldn't be evaluated for compliance by the definition. The properties.notScopes array property on an assignment object determines what to exclude. Resources within these scopes aren't evaluated or included in the compliance count. For more information, see Assignment definition - excluded scopes.

In addition to the properties on the policy assignment, is the policy exemption object. Exemptions enhance the scope story by providing a method to identify a portion of an assignment to not be evaluated.

  • Exemption (free in preview feature) - A resource hierarchy or individual resource should be evaluated for compliance by the definition, but won't be evaluated for a reason such as having a waiver or being mitigated through another method. Resources in this state show as Exempted in compliance reports so that they can be tracked. The exemption object is created on the resource hierarchy or individual resource as a child object, which determines the scope of the exemption. A resource hierarchy or individual resource can be exempt from multiple assignments. The exemption may be configured to expire on a schedule by using the expiresOn property. For more information, see Exemption definition.

    Note

    Due to the impact of granting an exemption for a resource hierarchy or individual resource, exemptions have additional security measures. In addition to requiring the Microsoft.Authorization/policyExemptions/write operation on the resource hierarchy or individual resource, the creator of an exemption must have the exempt/Action verb on the target assignment.

Scope comparison

The following table is a comparison of the scope options:

Inclusion Exclusion (notScopes) Exemption
Resources are evaluated - -
Resource Manager object - -
Requires modifying policy assignment object -

Next steps