Assign policy to specific resource in azure

Question

Hi,
Can I assign a policy to a specific resource (Ex, Virtual Machine) in azure? or the policy assigns to a resource group that includes the resources.

Answer 1

@Mohamed Rizvi Welcome to Microsoft Q & A Community Forum. As mentioned by @Roderick Bant , you can't assign a policy at resource level scope. However, you can assign the policy at management group, subscription and resource group level and use exclusions feature to exclude the resource you don't want to include in the policy assignment.

For more information on policy assignment, you can refer below articles.

• https://learn.microsoft.com/en-us/azure/governance/policy/concepts/assignment-structure
• https://learn.microsoft.com/en-us/azure/governance/policy/assign-policy-portal

Answer 2

Policies are typically assigned to management groups, subscriptions or resource groups. However you can design your policy to include a parameter for the name of the resource and use that parameter in logical evaluation part of the policyRule to decide wether it should be applied.

See example below for using a list of names as a parameter to, in this case not, apply the policy to.

   {  
       "properties": {  
           "displayName": "Assigned resource names",  
           "description": "This policy enables you to assign it to specific resources.",  
           "mode": "Indexed",  
           "metadata": {  
               "version": "1.0.0",  
               "category": "Custom"  
           },  
           "parameters": {  
               "allowedResourceNames": {  
                   "type": "array",  
                   "metadata": {  
                       "description": "The list of resources the policy should apply to",  
                       "displayName": "Allowed resources names"  
                   },  
                   "defaultValue": [ "westus2" ]  
               }  
           },  
           "policyRule": {  
               "if": {  
                   "not": {  
                       "field": "name",  
                       "in": "[parameters('allowedResourceNames')]"  
                   }  
               },  
               "then": {  
                   "effect": "deny"  
               }  
           }  
       }  
   }  

Answer 3

In my case, It works well when I used custom policy below.

※ This custom policy also constraints the location, so please use only what you need.

{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "anyOf": [
            {
              "field": "location",
              "notIn": "[parameters('listOfAllowedLocations')]"
            },
            {
              "value": "[split(field('type'), '/')[0]]",
              "notIn": "[parameters('listOfAllowedResourceProviders')]"
            }
          ]
        },
        {
          "field": "location",
          "notEquals": "global"
        },
        {
          "field": "type",
          "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {
    "listOfAllowedLocations": {
      "type": "Array",
      "metadata": {
        "displayName": "Allowed locations",
        "description": "The list of locations that can be specified when deploying resources.",
        "strongType": "location"
      }
    },
    "listOfAllowedResourceProviders": {
      "type": "Array",
      "metadata": {
        "displayName": "Allowed resouce providers",
        "description": "Allow only specific resource providers"
      }
    }
  }
}

As shown in the picture above, you need to enter the name of the resource provider.