
Tutorial: Create and manage policies to enforce compliance

Understanding how to create and manage policies in Azure is important for staying compliant with your corporate standards and service level agreements. In this tutorial, you learn to use Azure Policy to do some of the more common tasks related to creating, assigning, and managing policies across your organization, such as:

  • Assign a policy to enforce a condition for resources you create in the future
  • Create and assign an initiative definition to track compliance for multiple resources
  • Resolve a non-compliant or denied resource
  • Implement a new policy across an organization

If you would like to assign a policy to identify the current compliance state of your existing resources, the quickstart articles go over how to do so. If you don't have an Azure subscription, create a free account before you begin.

Assign a policy

The first step in enforcing compliance with Azure Policy is to assign a policy definition. A policy definition defines under what condition a policy is enforced and what effect to take. In this example, assign a built-in policy definition, called Require SQL Server version 12.0, to enforce the condition that all SQL Server databases must be v12.0 to be compliant. Because this definition uses the Deny effect, it blocks new create and update requests that match its condition; SQL servers that already exist are reported as non-compliant but are not modified.

  1. Launch the Azure Policy service in the Azure portal by clicking All services, then searching for and selecting Policy.

    (Screenshot: Search for Policy in All services)

  2. Select Assignments on the left side of the Azure Policy page. An assignment is a policy definition that has been assigned to take effect within a specific scope.

    (Screenshot: Select Assignments from the Policy Overview page)

  3. Select Assign Policy from the top of the Policy - Assignments page.

    (Screenshot: Assign a policy from the Assignments page)

  4. On the Assign Policy page, select the Scope by clicking the ellipsis and selecting either a management group or subscription. Optionally, select a resource group. A scope determines what resources or grouping of resources the policy assignment gets enforced on. Then click Select at the bottom of the Scope page.

    This example uses the Contoso subscription. Your subscription will differ.

  5. Resources can be excluded based on the Scope. Exclusions start one level below the level of the Scope. Exclusions are optional, so leave it blank for now.

  6. Select the Policy definition ellipsis to open the list of available definitions. You can filter the policy definition Type to Built-in to view all built-in definitions and read their descriptions.

  7. Select Require SQL Server version 12.0. If you can't find it right away, type require sql server into the search box and then press ENTER or click outside the search box. Click Select at the bottom of the Available Definitions page once you have found and selected the policy definition.

    (Screenshot: Use the search filter to find a policy)

  8. The Assignment name is automatically populated with the policy name you selected, but you can change it. For this example, leave Require SQL Server version 12.0. You can also add an optional Description. The description provides details about this policy assignment. Assigned by is automatically filled based on who is logged in. This field is optional, so custom values can be entered.

  9. Leave Create a Managed Identity unchecked. This box must be checked when the policy or initiative being assigned includes a policy with the deployIfNotExists effect. As the policy used for this tutorial doesn't, leave it blank. For more information, see managed identities and how remediation security works.

  10. Click Assign.

Implement a new custom policy

Now that you've assigned a built-in policy definition, you can do more with Azure Policy. Next, create a new custom policy to save costs by validating that VMs created in your environment can't be in the G series. This way, every time a user in your organization tries to create a VM in the G series, the request is denied.

  1. Select Definitions under Authoring in the left side of the Azure Policy page.

    (Screenshot: Definitions page under the Authoring group)

  2. Select + Policy definition at the top of the page. This button opens the Policy definition page.

  3. Enter the following information:

    • The management group or subscription in which the policy definition is saved. Select by using the ellipsis on Definition location.

      Note

      If you plan to apply this policy definition to multiple subscriptions, the location must be a management group that contains the subscriptions you assign the policy to. The same is true for an initiative definition.

    • The name of the policy definition - Require VM SKUs smaller than the G series

    • The description of what the policy definition is intended to do - This policy definition enforces that all VMs created in this scope have SKUs smaller than the G series to reduce cost.

    • Choose from existing options (such as Compute), or create a new category for this policy definition.

    • Copy the following JSON code and then update it for your needs with:

      • The policy parameters.
      • The policy rules/conditions, in this case - a VM SKU name that matches the G series (Standard_G*)
      • The policy effect, in this case - Deny.

    Here's what the JSON should look like. Paste your revised code into the Azure portal.

    {
        "policyRule": {
            "if": {
                "allOf": [{
                        "field": "type",
                        "equals": "Microsoft.Compute/virtualMachines"
                    },
                    {
                        "field": "Microsoft.Compute/virtualMachines/sku.name",
                        "like": "Standard_G*"
                    }
                ]
            },
            "then": {
                "effect": "deny"
            }
        }
    }
    

    The field property in the policy rule must be one of the following values: Name, Type, Location, Tags, or an alias. An example of an alias might be "Microsoft.Compute/VirtualMachines/Size"; the rule above uses the alias Microsoft.Compute/virtualMachines/sku.name to reach the VM's SKU, and combines it with like and a trailing * wildcard so that every SKU name beginning with Standard_G is caught. String comparisons in policy rules are case-insensitive.

    To view more Azure Policy samples, see Azure Policy samples.

  4. Select Save.

Create a policy definition with REST API

You can create a policy definition with the REST API for Azure Policy Definitions. The REST API enables you to create and delete policy definitions, and get information about existing definitions. To create a policy definition, use the following request:

PUT https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/policyDefinitions/{policyDefinitionName}?api-version={api-version}

Include a request body similar to the following example:

{
    "properties": {
        "parameters": {
            "allowedLocations": {
                "type": "array",
                "metadata": {
                    "description": "The list of locations that can be specified when deploying resources",
                    "strongType": "location",
                    "displayName": "Allowed locations"
                }
            }
        },
        "displayName": "Allowed locations",
        "description": "This policy enables you to restrict the locations your organization can specify when deploying resources.",
        "policyRule": {
            "if": {
                "not": {
                    "field": "location",
                    "in": "[parameters('allowedLocations')]"
                }
            },
            "then": {
                "effect": "deny"
            }
        }
    }
}
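To see how the two rules on this page are actually decided, the following added example (not code from this page, and not the Azure Policy engine) implements a small offline evaluator for the subset of the rule language they use: allOf, anyOf, not, and field conditions with equals, like and in, with [parameters('...')] references resolved from values supplied at assignment time. The alias table and the sample resources are constructed for this example; real aliases come from the Azure alias catalogue, and the real engine supports many more conditions (count, tags, match, and so on). It evaluates the G-series Deny rule from the custom policy above and the Allowed locations rule from the REST body against constructed resources, and shows the case-insensitive comparison that makes a resource in WestEurope satisfy an allowed value of westeurope.

```python
import re

# Assumed alias table for this example (constructed, not the Azure alias catalogue):
# maps a Policy alias to a dotted path into the resource JSON.
ALIASES = {
    "microsoft.compute/virtualmachines/sku.name": "properties.hardwareProfile.vmSize",
    "microsoft.storage/storageaccounts/accesstier": "properties.accessTier",
}
TOP_LEVEL_FIELDS = {"name", "type", "location", "kind"}
_PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")

def resolve_value(value, parameters):
    """Replace a [parameters('x')] template reference with the value set at assignment."""
    if isinstance(value, str):
        m = _PARAM_REF.match(value)
        if m:
            return parameters[m.group(1)]
    return value

def get_field(resource, field):
    """Read a top-level field or an aliased property; ARM names are case-insensitive."""
    key = field.lower()
    path = key if key in TOP_LEVEL_FIELDS else ALIASES.get(key)
    if path is None:
        raise ValueError(f"unknown field or alias: {field}")
    node = resource
    for part in path.lower().split("."):
        if not isinstance(node, dict):
            return None  # property absent on this resource
        node = next((v for k, v in node.items() if k.lower() == part), None)
    return node

def _equals(actual, expected):
    if isinstance(actual, str) and isinstance(expected, str):
        return actual.lower() == expected.lower()  # string comparisons are case-insensitive
    return actual == expected

def _like(value, pattern):
    """`like`: case-insensitive match with at most one * wildcard."""
    if pattern.count("*") > 1:
        raise ValueError("like accepts a single * wildcard")
    head, star, tail = pattern.lower().partition("*")
    v = value.lower()
    if not star:
        return v == head
    return v.startswith(head) and v.endswith(tail) and len(v) >= len(head) + len(tail)

def evaluate_condition(cond, resource, parameters):
    """Recursively evaluate an `if` block: allOf / anyOf / not / field conditions."""
    if "allOf" in cond:
        return all(evaluate_condition(c, resource, parameters) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource, parameters) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource, parameters)
    actual = get_field(resource, cond["field"])
    if "equals" in cond:
        return _equals(actual, resolve_value(cond["equals"], parameters))
    if "like" in cond:
        return actual is not None and _like(str(actual), resolve_value(cond["like"], parameters))
    if "in" in cond:
        allowed = [str(x).lower() for x in resolve_value(cond["in"], parameters)]
        return actual is not None and str(actual).lower() in allowed
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(definition, resource, parameters=None):
    """Return the effect ('deny', 'audit', ...) when the rule's `if` matches, else None.
    Accepts {"policyRule": ...}, {"properties": {"policyRule": ...}} or a bare {"if", "then"} rule."""
    props = definition.get("properties", definition)
    rule = props.get("policyRule", props)
    if evaluate_condition(rule["if"], resource, parameters or {}):
        return rule["then"]["effect"].lower()
    return None

# The two definitions from this page.
DENY_G_SERIES = {"policyRule": {"if": {"allOf": [
    {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
    {"field": "Microsoft.Compute/virtualMachines/sku.name", "like": "Standard_G*"}]},
    "then": {"effect": "deny"}}}
ALLOWED_LOCATIONS = {"properties": {"policyRule": {"if": {"not": {
    "field": "location", "in": "[parameters('allowedLocations')]"}},
    "then": {"effect": "deny"}}}}

# Constructed sample resources shaped like ARM resource JSON (not real deployments).
VM_G = {"name": "vm-g", "type": "Microsoft.Compute/virtualMachines", "location": "westeurope",
        "properties": {"hardwareProfile": {"vmSize": "Standard_GS5"}}}
VM_D = {"name": "vm-d", "type": "microsoft.compute/virtualmachines", "location": "WestEurope",
        "properties": {"hardwareProfile": {"vmSize": "Standard_D2s_v3"}}}
STORAGE_UK = {"name": "st1", "type": "Microsoft.Storage/storageAccounts", "location": "uksouth",
              "kind": "BlobStorage", "properties": {"accessTier": "Cool"}}

if __name__ == "__main__":
    eu = {"allowedLocations": ["westeurope", "northeurope"]}
    print(evaluate(DENY_G_SERIES, VM_G), evaluate(DENY_G_SERIES, VM_D))  # deny None
    print(evaluate(ALLOWED_LOCATIONS, VM_D, eu), evaluate(ALLOWED_LOCATIONS, STORAGE_UK, eu))  # None deny
```

Two things worth noticing when you test a rule this way: the type check in allOf is what keeps the G-series rule from touching non-VM resources (the SKU alias simply doesn't resolve on them), and the Allowed locations rule denies anything whose location is outside the list, which is why the parameter value you pass at assignment time, not the definition, determines what gets blocked.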

Create a policy definition with PowerShell

Before proceeding with the PowerShell example, make sure you've installed the latest version of the Azure PowerShell Az module.

You can create a policy definition using the New-AzPolicyDefinition cmdlet.

To create a policy definition from a file, pass the path to the file. For an external file, use the following example. Note that the rule is fetched from the URL at creation time, so review the file you are pointing at before you create the definition from a location you don't control:

$definition = New-AzPolicyDefinition `
    -Name 'denyCoolTiering' `
    -DisplayName 'Deny cool access tiering for storage' `
    -Policy 'https://raw.githubusercontent.com/Azure/azure-policy-samples/master/samples/Storage/storage-account-access-tier/azurepolicy.rules.json'

For a local file, use the following example:

$definition = New-AzPolicyDefinition `
    -Name 'denyCoolTiering' `
    -Description 'Deny cool access tiering for storage' `
    -Policy 'c:\policies\coolAccessTier.json'

To create a policy definition with an inline rule, use the following example:

$definition = New-AzPolicyDefinition -Name 'denyCoolTiering' -Description 'Deny cool access tiering for storage' -Policy '{
    "if": {
        "allOf": [{
                "field": "type",
                "equals": "Microsoft.Storage/storageAccounts"
            },
            {
                "field": "kind",
                "equals": "BlobStorage"
            },
            {
                "field": "Microsoft.Storage/storageAccounts/accessTier",
                "equals": "cool"
            }
        ]
    },
    "then": {
        "effect": "deny"
    }
}'

The output is stored in a $definition object, which is used during policy assignment. The following example creates a policy definition that includes parameters. Because the rule is written inside a single-quoted PowerShell string, the single quotes in the parameters() reference are doubled (''allowedLocations'') to escape them:

$policy = '{
    "if": {
        "allOf": [{
                "field": "type",
                "equals": "Microsoft.Storage/storageAccounts"
            },
            {
                "not": {
                    "field": "location",
                    "in": "[parameters(''allowedLocations'')]"
                }
            }
        ]
    },
    "then": {
        "effect": "Deny"
    }
}'

$parameters = '{
    "allowedLocations": {
        "type": "array",
        "metadata": {
            "description": "The list of locations that can be specified when deploying storage accounts.",
            "strongType": "location",
            "displayName": "Allowed locations"
        }
    }
}'

$definition = New-AzPolicyDefinition -Name 'storageLocations' -Description 'Policy to specify locations for storage accounts.' -Policy $policy -Parameter $parameters

View policy definitions with PowerShell

To see all policy definitions in your subscription, use the following command:

Get-AzPolicyDefinition

It returns all available policy definitions, including built-in policies. Each policy is returned in the following format:

Name               : e56962a6-4747-49cd-b67b-bf8b01975c4c
ResourceId         : /providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c
ResourceName       : e56962a6-4747-49cd-b67b-bf8b01975c4c
ResourceType       : Microsoft.Authorization/policyDefinitions
Properties         : @{displayName=Allowed locations; policyType=BuiltIn; description=This policy enables you to
                     restrict the locations your organization can specify when deploying resources. Use to enforce
                     your geo-compliance requirements.; parameters=; policyRule=}
PolicyDefinitionId : /providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c

Create a policy definition with Azure CLI

You can create a policy definition using Azure CLI with the policy definition command. To create a policy definition with an inline rule, use the following example:

az policy definition create --name 'denyCoolTiering' --description 'Deny cool access tiering for storage' --rules '{
    "if": {
        "allOf": [{
                "field": "type",
                "equals": "Microsoft.Storage/storageAccounts"
            },
            {
                "field": "kind",
                "equals": "BlobStorage"
            },
            {
                "field": "Microsoft.Storage/storageAccounts/accessTier",
                "equals": "cool"
            }
        ]
    },
    "then": {
        "effect": "deny"
    }
}'

View policy definitions with Azure CLI

To see all policy definitions in your subscription, use the following command:

az policy definition list

It returns all available policy definitions, including built-in policies. Each policy is returned in the following format:

{
    "description": "This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements.",
    "displayName": "Allowed locations",
    "id": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c",
    "name": "e56962a6-4747-49cd-b67b-bf8b01975c4c",
    "policyRule": {
        "if": {
            "not": {
                "field": "location",
                "in": "[parameters('listOfAllowedLocations')]"
            }
        },
        "then": {
            "effect": "Deny"
        }
    },
    "policyType": "BuiltIn"
}

Create and assign an initiative definition

With an initiative definition, you can group several policy definitions to achieve one overarching goal. An initiative evaluates resources within the scope of the assignment for compliance with the included policies. For more information about initiative definitions, see Azure Policy overview.

Create an initiative definition

  1. Select Definitions under Authoring in the left side of the Azure Policy page.

    (Screenshot: Select definitions from the Definitions page)

  2. Select + Initiative Definition at the top of the page to open the Initiative definition page.

    (Screenshot: Review the Initiative definition page)

  3. Use the Definition location ellipsis to select a management group or subscription to store the definition. If the previous page was scoped to a single management group or subscription, Definition location is automatically populated.

  4. Enter the Name and Description of the initiative.

    This example validates that resources are in compliance with policy definitions about getting secure. Name the initiative Get Secure and set the description as: This initiative has been created to handle all policy definitions associated with securing resources.

  5. For Category, choose from existing options or create a new category.

  6. Browse through the list of Available Definitions (right half of the Initiative definition page) and select the policy definition(s) you would like to add to this initiative. For the Get Secure initiative, add the following built-in policy definitions by clicking the + next to the policy definition information or clicking a policy definition row and then the + Add option in the details page:

    • Require SQL Server version 12.0
    • [Preview]: Monitor unprotected web applications in Security Center
    • [Preview]: Monitor permissive network access in Security Center
    • [Preview]: Monitor possible app Whitelisting in Security Center
    • [Preview]: Monitor unencrypted VM Disks in Security Center

    After selecting a policy definition from the list, it's added under Policies and Parameters.

    (Screenshot: Review initiative definition parameters)

  7. If a policy definition being added to the initiative has parameters, they're shown under the policy name in the Policies and Parameters area. The value can be set to either Set value (hard-coded for all assignments of this initiative) or Use Initiative Parameter (set during each initiative assignment). If Set value is selected, the drop-down to the right of Values lets you enter or select the value(s). If Use Initiative Parameter is selected, a new Initiative parameters section is displayed that lets you define the parameter that is set during initiative assignment. The allowed values on this initiative parameter can further restrict what may be set during initiative assignment.

    (Screenshot: Change the allowed values of an initiative definition parameter)

    Note

    For some strongType parameters, the list of values can't be determined automatically. In these cases, an ellipsis appears to the right of the parameter row. Clicking it opens the Parameter scope (<parameter name>) page. On this page, select the subscription to use for providing the value options. This parameter scope is only used during creation of the initiative definition and has no impact on policy evaluation or the scope of the initiative when assigned.

  8. Click Save.

Assign an initiative definition

  1. Select Definitions under Authoring in the left side of the Azure Policy page.

  2. Locate the Get Secure initiative definition you previously created and click it. Select Assign at the top of the page to open the Get Secure: Assign initiative page.

    (Screenshot: Assign a definition from the initiative definition page)

    You can also right-click the selected row or left-click the ellipsis at the end of the row for a context menu. Then select Assign.

    (Screenshot: Alternate options for an initiative)

  3. Fill out the Get Secure: Assign Initiative page by entering the following example information. You can use your own information.

    • Scope: The management group or subscription you saved the initiative to becomes the default. You can change the scope to assign the initiative to a subscription or resource group within the save location.
    • Exclusions: Configure any resources within the scope to prevent the initiative assignment from being applied to them.
    • Initiative definition and Assignment name: Get Secure (pre-populated as the name of the initiative being assigned).
    • Description: This initiative assignment is tailored to enforce this group of policy definitions.
    • Assigned by: Automatically filled based on who is logged in. This field is optional, so custom values can be entered.

  4. Leave Create a Managed Identity unchecked. This box must be checked when the policy or initiative being assigned includes a policy with the deployIfNotExists effect. As the policies used for this tutorial don't, leave it blank. For more information, see managed identities and how remediation security works.

  5. Click Assign.

Check initial compliance

  1. Select Compliance in the left side of the Azure Policy page.

  2. Locate the Get Secure initiative. It's likely still in a Compliance state of Not started. Click the initiative to get full details on the progress of the assignment.

    (Screenshot: Initiative compliance page - evaluation not started)

  3. Once evaluation of the initiative assignment has completed, the compliance page is updated with a Compliance state of Compliant.

    (Screenshot: Initiative compliance page - resource compliance)

  4. Clicking any policy on the initiative compliance page opens the compliance details page for that policy. This page provides details at the resource level for compliance.

Exempt a non-compliant or denied resource using Exclusion

Following the example above, after assigning the policy definition to require SQL Server version 12.0, a SQL server created with any version other than 12.0 is denied. In this section, you walk through resolving a denied request to create a SQL server by creating an exclusion on a single resource group. The exclusion prevents enforcement of the policy (or initiative) on that scope; resources in an excluded scope are not evaluated at all, so they also drop out of the assignment's compliance results. In the following example, any SQL server version is allowed in a single resource group. An exclusion can apply to a subscription or a resource group, or you can narrow the exclusion to individual resources.

A deployment prevented by an assigned policy or initiative can be viewed in two locations:

  • On the resource group targeted by the deployment: Select Deployments in the left side of the page, then click the Deployment Name of the failed deployment. The resource that was denied is listed with a status of Forbidden. To determine the policy or initiative and assignment that denied the resource, click Failed. Click here for details -> on the Deployment Overview page. A window opens on the right side of the page with the error information. Under Error Details are the GUIDs of the related policy objects (the definition and the assignment that denied the request).

    (Screenshot: Deployment denied by a policy assignment)

  • On the Azure Policy page: Select Compliance in the left side of the page and click the Require SQL Server version 12.0 policy. On the page that opens, you see an increase in the Deny count. Under the Events tab, you also see who attempted the deployment that was denied by the policy.

    (Screenshot: Compliance overview of an assigned policy)

In this example, Trent Baker, one of Contoso's Sr. Virtualization specialists, was doing required work. We need to grant Trent an exception, but we don't want non-version-12.0 SQL servers in just any resource group. We've created a new resource group, SQLServers_Excluded, and will now grant it an exception to this policy assignment.

Update assignment with exclusion

  1. Select Assignments under Authoring in the left side of the Azure Policy page.

  2. Browse through all policy assignments and open the Require SQL Server version 12.0 assignment.

  3. Set the Exclusion by clicking the ellipsis and selecting the resource group to exclude, SQLServers_Excluded in this example.

    (Screenshot: Add an excluded resource group to the policy assignment)

    Note

    Depending on the policy and its effect, the exclusion could also be granted to specific resources within a resource group inside the scope of the assignment. As a Deny effect was used in this tutorial, it wouldn't make sense to set the exclusion on a specific resource that already exists: Deny only acts on create or update requests, so it has nothing to block for a resource that is already there.

  4. Click Select and then click Save.

In this section, you resolved the denied request by creating an exclusion on a single resource group.
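The exclusion mechanics described in this section come down to matching resource IDs against the assignment's scope and its notScopes (the Exclusions field in the portal). The following added example (not part of this page or of Azure Policy) models that decision with a constructed placeholder subscription ID and constructed SQL server resource IDs, and checks the one rule the portal enforces on exclusions, namely that they must sit below the assignment scope. It assumes the scope is a subscription or resource group; a management-group scope isn't modelled, because a subscription's management group isn't part of its resource ID and would need a hierarchy lookup.

```python
# Constructed placeholder subscription ID for this example; not a real subscription.
SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"

def _normalize(resource_id):
    """ARM resource IDs are compared case-insensitively; drop a trailing slash too."""
    return resource_id.rstrip("/").lower()

def is_within(resource_id, scope):
    """True when resource_id is the scope itself or lies underneath it.

    The '/' boundary matters: a plain prefix test would let the resource group
    'SQLServers_Excluded2' count as inside 'SQLServers_Excluded'.
    """
    r, s = _normalize(resource_id), _normalize(scope)
    return r == s or r.startswith(s + "/")

def exclusion_is_valid(scope, not_scope):
    """Exclusions start one level below the assignment scope, so a notScope must be
    strictly inside the scope (the scope itself, or anything outside it, is rejected)."""
    return is_within(not_scope, scope) and _normalize(not_scope) != _normalize(scope)

def assignment_applies(resource_id, scope, not_scopes=()):
    """Mirror assignment scoping: covered when inside the scope and not inside any
    exclusion. Management-group scopes are not modelled: a subscription's management
    group isn't part of its resource ID, so that needs a hierarchy lookup."""
    if any(s.lower().startswith("/providers/microsoft.management/") for s in (scope, *not_scopes)):
        raise NotImplementedError("management-group scopes need the MG hierarchy")
    if not is_within(resource_id, scope):
        return False
    return not any(is_within(resource_id, ns) for ns in not_scopes)

def resolve_sql_deny(server_ids, scope, not_scopes):
    """For each SQL server ID, report whether the Deny assignment still covers it."""
    return {rid: assignment_applies(rid, scope, not_scopes) for rid in server_ids}

# Constructed resource IDs matching the tutorial's scenario.
EXCLUDED_RG = SUBSCRIPTION + "/resourceGroups/SQLServers_Excluded"
SERVERS = [
    EXCLUDED_RG + "/providers/Microsoft.Sql/servers/sql-trent",  # excluded, so allowed
    SUBSCRIPTION + "/resourceGroups/prod-rg/providers/Microsoft.Sql/servers/sql-prod",  # still covered
    SUBSCRIPTION + "/resourceGroups/SQLServers_Excluded2/providers/Microsoft.Sql/servers/sql-x",  # covered
]

if __name__ == "__main__":
    for rid, covered in resolve_sql_deny(SERVERS, SUBSCRIPTION, [EXCLUDED_RG]).items():
        print("covered" if covered else "excluded", rid)
```

The third server ID is the case to keep in mind when you script exclusions yourself: a resource group whose name merely starts with the excluded group's name is not excluded, because the match is on whole path segments, not on a raw string prefix.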

Clean up resources

If you're done working with the resources from this tutorial, use the following steps to delete any of the assignments or definitions created above. Delete assignments before definitions: a definition that is still referenced by an assignment or by an initiative can't be deleted.

  1. Select Definitions (or Assignments if you're trying to delete an assignment) under Authoring in the left side of the Azure Policy page.

  2. Search for the new initiative or policy definition (or assignment) you want to remove.

  3. Right-click the row or select the ellipsis at the end of the definition (or assignment), and select Delete definition (or Delete assignment).

Next steps

In this tutorial, you successfully accomplished the following tasks:

  • Assigned a policy to enforce a condition for resources you create in the future
  • Created and assigned an initiative definition to track compliance for multiple resources
  • Resolved a non-compliant or denied resource
  • Implemented a new policy across an organization

To learn more about the structure of policy definitions, look at this article: