Apply security and policies to Windows VMs with Azure Resource Manager

By using policies, an organization can enforce various conventions and rules throughout the enterprise. Enforcement of the desired behavior can help mitigate risk while contributing to the success of the organization. In this article, we will describe how you can use Azure Resource Manager policies to define the desired behavior for your organization’s Virtual Machines.

The steps to accomplish this are:

  1. Azure Resource Manager Policy 101
  2. Define a policy for your Virtual Machine
  3. Create the policy
  4. Apply the policy

Azure Resource Manager Policy 101

To get started with Azure Resource Manager policies, we recommend first reading the article below, which describes the basic definition and structure of a policy, how policies are evaluated, and various example policy definitions, and then continuing with the steps in this article.

Define a policy for your Virtual Machine

A common enterprise scenario is to allow users to create Virtual Machines only from specific operating system images that have been tested for compatibility with a line-of-business (LOB) application. An Azure Resource Manager policy accomplishes this in a few steps. The policy below allows only Windows Server 2012 R2 Datacenter Virtual Machines to be created: any resource of type Microsoft.Compute/virtualMachines whose image publisher, offer and SKU do not all match the approved values is denied. Because the approval is expressed as "not (all three fields match)", a VM built from a custom image, which has no marketplace publisher, offer or SKU, is denied as well. Note that the rule only targets the Microsoft.Compute/virtualMachines resource type; virtual machine scale sets are a different resource type (Microsoft.Compute/virtualMachineScaleSets) and would need their own condition. The policy definition looks like this:

{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachines"
      },
      {
        "not": {
          "allOf": [
            {
              "field": "Microsoft.Compute/virtualMachines/imagePublisher",
              "equals": "MicrosoftWindowsServer"
            },
            {
              "field": "Microsoft.Compute/virtualMachines/imageOffer",
              "equals": "WindowsServer"
            },
            {
              "field": "Microsoft.Compute/virtualMachines/imageSku",
              "equals": "2012-R2-Datacenter"
            }
          ]
        }
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}

To allow any Windows Server Datacenter image to be used for a Virtual Machine deployment instead, replace the imageSku condition with a wildcard match (the publisher and offer conditions stay as they are):

{
  "field": "Microsoft.Compute/virtualMachines/imageSku",
  "like": "*Datacenter"
}
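To see what the allOf, not, equals and like conditions above actually do before anything is created in Azure, here is an added example (not part of the original article) that models the evaluation of the policy's "if" block locally in PowerShell and runs both variants of the rule, the exact SKU and the "*Datacenter" wildcard, against a few constructed sample resources. It is a deliberate simplification: only the four constructs the article uses are implemented, string matching uses PowerShell's case-insensitive -eq and -like, and a field that is absent from the resource never matches, which is what puts custom-image VMs under the deny. The sample resource names and SKUs are assumptions for illustration, not real deployments.

```powershell
# Added example: a local model of how the policy's 'if' block is evaluated.
# Not Azure's evaluator; it covers only allOf / not / equals / like.

function Test-PolicyCondition {
    param(
        [Parameter(Mandatory)] [hashtable] $Condition,
        [Parameter(Mandatory)] [hashtable] $Resource
    )
    if ($Condition.ContainsKey('allOf')) {
        foreach ($child in $Condition['allOf']) {
            if (-not (Test-PolicyCondition -Condition $child -Resource $Resource)) { return $false }
        }
        return $true
    }
    if ($Condition.ContainsKey('not')) {
        return -not (Test-PolicyCondition -Condition $Condition['not'] -Resource $Resource)
    }
    # Leaf condition: compare a single field of the resource.
    $value = $Resource[$Condition['field']]
    if ($null -eq $value) { return $false }                      # absent field never matches
    if ($Condition.ContainsKey('equals')) { return $value -eq $Condition['equals'] }
    if ($Condition.ContainsKey('like'))   { return $value -like $Condition['like'] }
    throw "Unsupported condition: $($Condition | ConvertTo-Json -Compress)"
}

# Builds the article's rule with a pluggable imageSku condition:
# @{ equals = '2012-R2-Datacenter' } or @{ like = '*Datacenter' }.
function New-ApprovedImageRule {
    param([Parameter(Mandatory)] [hashtable] $SkuCondition)
    $prefix = 'Microsoft.Compute/virtualMachines/'
    return @{
        allOf = @(
            @{ field = 'type'; equals = 'Microsoft.Compute/virtualMachines' },
            @{ 'not' = @{ allOf = @(
                @{ field = "${prefix}imagePublisher"; equals = 'MicrosoftWindowsServer' },
                @{ field = "${prefix}imageOffer";     equals = 'WindowsServer' },
                (@{ field = "${prefix}imageSku" } + $SkuCondition)
            ) } }
        )
    }
}

$exactRule    = New-ApprovedImageRule -SkuCondition @{ equals = '2012-R2-Datacenter' }
$wildcardRule = New-ApprovedImageRule -SkuCondition @{ like   = '*Datacenter' }

# Constructed sample resources (assumptions, not real deployments), keyed by policy field name.
function New-SampleResource {
    param([string] $Name, [string] $Publisher, [string] $Offer, [string] $Sku,
          [string] $Type = 'Microsoft.Compute/virtualMachines')
    $r = @{ name = $Name; type = $Type }
    if ($Publisher) { $r['Microsoft.Compute/virtualMachines/imagePublisher'] = $Publisher }
    if ($Offer)     { $r['Microsoft.Compute/virtualMachines/imageOffer']     = $Offer }
    if ($Sku)       { $r['Microsoft.Compute/virtualMachines/imageSku']       = $Sku }
    return $r
}

$samples = @(
    (New-SampleResource -Name 'ws2012r2'     -Publisher 'MicrosoftWindowsServer' -Offer 'WindowsServer' -Sku '2012-R2-Datacenter'),
    (New-SampleResource -Name 'ws2016'       -Publisher 'MicrosoftWindowsServer' -Offer 'WindowsServer' -Sku '2016-Datacenter'),
    (New-SampleResource -Name 'ws2016-small' -Publisher 'MicrosoftWindowsServer' -Offer 'WindowsServer' -Sku '2016-Datacenter-smalldisk'),
    (New-SampleResource -Name 'ubuntu'       -Publisher 'Canonical'              -Offer 'UbuntuServer'  -Sku '16.04-LTS'),
    # Custom image: no publisher/offer/sku fields at all.
    (New-SampleResource -Name 'custom-image'),
    # Not a VM: the type condition fails, so the rule does not apply.
    (New-SampleResource -Name 'storage'      -Type 'Microsoft.Storage/storageAccounts')
)

foreach ($r in $samples) {
    # The 'if' block being true means the 'then' effect (deny) fires.
    $exact    = if (Test-PolicyCondition -Condition $exactRule    -Resource $r) { 'deny' } else { 'allow' }
    $wildcard = if (Test-PolicyCondition -Condition $wildcardRule -Resource $r) { 'deny' } else { 'allow' }
    [pscustomobject]@{ Resource = $r.name; ExactSkuRule = $exact; WildcardRule = $wildcard }
}
```

Running it shows the difference between the two variants: only the 2012 R2 Datacenter sample is allowed by both rules, the 2016-Datacenter sample is denied by the exact rule but allowed by the wildcard rule, and the Ubuntu image, the custom image and the "2016-Datacenter-smalldisk" SKU (the wildcard is anchored at the end, so a trailing suffix does not match) are denied by both. The storage account is untouched by either rule because the type condition is not met.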

Virtual Machine Property Fields

The table below describes the Virtual Machine properties that can be used as fields in your policy definition. In a policy they are referenced with the resource type prefix, for example Microsoft.Compute/virtualMachines/imageSku. For more on policy fields, see the article below:

Field name       Description
imagePublisher   The publisher of the image (for example, MicrosoftWindowsServer)
imageOffer       The offer within the chosen publisher (for example, WindowsServer)
imageSku         The SKU within the chosen offer (for example, 2012-R2-Datacenter)
imageVersion     The image version within the chosen SKU

Create the Policy

A policy definition can be created with the REST API directly or with the PowerShell cmdlets. For the steps to create the definition, see the article below:

Apply the Policy

After creating the policy definition you need to assign it to a scope before it has any effect. The scope can be a subscription, a resource group, or even a single resource, and the assignment applies to everything within that scope. For the steps to assign the policy, see the article below:
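As an added example of the create and apply steps (not code from the original article), the following PowerShell creates the definition from the policy rule above with the Az module, assigns it to a resource group, and then checks that a deployment from a non-approved image is refused. It assumes the Az PowerShell module is installed, Connect-AzAccount has been run against the intended subscription, and that the resource group name, policy names and test VM name below (all placeholders) are adjusted to your environment. In this article's era the same steps used the AzureRm-prefixed cmdlets (New-AzureRmPolicyDefinition and New-AzureRmPolicyAssignment); the parameters are the same.

```powershell
# Added example: create the policy definition, assign it, and verify the deny.
# Assumptions: Az module installed, Connect-AzAccount done, names below are placeholders.

# The rule from the article, as a here-string so it can be passed straight to -Policy.
$policyRule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
      {
        "not": {
          "allOf": [
            { "field": "Microsoft.Compute/virtualMachines/imagePublisher", "equals": "MicrosoftWindowsServer" },
            { "field": "Microsoft.Compute/virtualMachines/imageOffer",     "equals": "WindowsServer" },
            { "field": "Microsoft.Compute/virtualMachines/imageSku",       "equals": "2012-R2-Datacenter" }
          ]
        }
      }
    ]
  },
  "then": { "effect": "deny" }
}
'@

# Fail fast on malformed JSON before anything is sent to Resource Manager.
$null = $policyRule | ConvertFrom-Json

# 1. Create the definition. It lives at subscription level and can be assigned at any scope below it.
$definition = New-AzPolicyDefinition `
    -Name        'allow-only-ws2012r2-datacenter' `
    -DisplayName 'Allow only Windows Server 2012 R2 Datacenter VMs' `
    -Description 'Denies Microsoft.Compute/virtualMachines not built from the approved marketplace image.' `
    -Policy      $policyRule

# 2. Assign it. The scope can be a subscription, a resource group or a single resource;
#    a resource group is used here so only that group's VMs are affected.
$resourceGroupName = 'rg-lob-app'          # assumption: an existing resource group
$rg = Get-AzResourceGroup -Name $resourceGroupName
$assignment = New-AzPolicyAssignment `
    -Name             'ws2012r2-only' `
    -DisplayName      'Approved VM images for the LOB application' `
    -Scope            $rg.ResourceId `
    -PolicyDefinition $definition

# 3. Confirm the assignment is visible at that scope.
Get-AzPolicyAssignment -Scope $rg.ResourceId | Select-Object Name, ResourceId

# 4. Verify the deny: a VM from a non-approved marketplace image (Win2016Datacenter maps to
#    the 2016-Datacenter SKU) must be rejected with the RequestDisallowedByPolicy error code.
#    New assignments can take a few minutes to propagate, so retry if it succeeds at first.
$cred = Get-Credential -Message 'Local administrator for the test VM'
try {
    New-AzVM -ResourceGroupName $resourceGroupName -Name 'vm-policy-test' -Location $rg.Location `
             -Image 'Win2016Datacenter' -Credential $cred -ErrorAction Stop
    Write-Warning 'The VM was created: the policy did not deny it. Check the scope and wait for propagation.'
}
catch {
    Write-Output "Denied as expected: $($_.Exception.Message)"
}
```

Two practical notes: the simple New-AzVM parameter set creates the virtual network, public IP and NIC before the VM itself, so a denied test run can leave those supporting resources behind in the group for you to clean up; and because the deny is evaluated on the VM request, not on the compliance scan, it blocks new deployments immediately once propagated but does nothing to VMs that already exist in the scope.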