Azure Policy glossary

The Azure Policy glossary provides definitions and descriptions of terms used by the Azure Policy service. The term policy is used widely in virtually every industry and is associated with many use cases. Azure Policy has specific vocabulary and applications that aren't to be confused with policy embedded in other contexts.

Alias

A field used in policy definitions that maps to a resource property.

Applicability

Describes the relevance of resources that are considered for assessment against a policy. A resource is considered applicable to a policy when it resides within the scope of the policy assignment, isn't excluded or exempt from the policy assignment, and meets the conditions specified in the if block of the policy rule.

Assignment

A JSON-defined object that determines the resources to which a policy definition is applied. For more information about the policy assignment JSON structure, see Azure Policy assignment structure.

Attestation

Attestations are used by Azure Policy to set compliance states of resources or scopes targeted by manual policies. When a policy definition with manual effect is assigned, you can set the compliance states of targeted resources or scopes through custom attestations. For more information, see Azure Policy attestation structure.

Azure Policy

A service that enables users to govern Azure resources by enforcing organizational standards and assessing compliance at scale.

Built-in

Describes a type of policy definition that is available by default and generated by Azure Resource Providers. It's the alternative to a custom policy definition. View the list of available Azure Policy built-in policy definitions.

Category

Metadata property in the policy definition that classifies the definition based on its area of focus. The category often indicates the resource provider of the target resource (for example, Compute, Storage, Monitoring).

Compliance state

Describes a resource's adherence to applicable policies. Can be compliant, non-compliant, exempt, conflict, not started, or protected. For more information, see Get compliance data of Azure resources.

Compliant

A compliance state which indicates that a resource conformed to the policy rule in the policy definition.

Control

Another term used for group, specifically in the context of regulatory compliance.

Custom

Describes a type of policy definition authored by a policy user. It's the alternative to a built-in policy definition.

Definition

A JSON-defined object that describes a policy, including resource compliance requirements and the effect to take if there are violations. For more information about the policy definition JSON structure, see Azure Policy definition structure basics.

Definition location

The scope to which an initiative definition or policy definition can be assigned. It can be either a management group or a subscription, and assignments can be made at or below that scope in the hierarchy.

Effect

The action taken on a resource when the conditions of an applicable policy's rule are met. For more information, see Azure Policy definitions effect basics.

Enforcement

Describes the preventative behavior that certain types of policy effects can have.

Enforcement mode

A property of a policy assignment that allows users to enable or disable enforcement of certain policy effects like deny, while still evaluating for compliance and providing logs.

Evaluation

Describes the process of scanning resources in the cloud environment to determine applicability and compliance of assigned policies.

Event

An incident or outcome when something changes in Azure Policy, available for integration with Event Grid. Example events include instances in which a policy state is created, changed, or deleted. For more information, see Azure Policy as an Event Grid source.

Exclusion

Also referred to as NotScopes. A property in the policy assignment which eliminates child resource containers or child resources from the assignment so they aren't considered for compliance evaluation. Excluded scopes don't appear in Azure portal Compliance. For more information, see excluded scopes.

Exempt

A compliance state which indicates that a resource is covered by an exemption.

Exemption

A JSON-defined object that eliminates a resource hierarchy or an individual resource from evaluation. Resources that are exempt count toward overall compliance, but aren't evaluated. For more information about the exemption JSON structure, see Azure Policy exemption structure.

Group

A subcollection of policy definition IDs within an initiative definition.

Identity

A system-assigned managed identity or user-assigned managed identity used for remediation in Azure Policy. For more information, see managed identities for Azure resources.

Initiative

Also known as a policy set. A type of policy definition consisting of a collection of policy definition IDs. Used to centralize multiple policy definitions with a common goal that can share parameters, identities, and be managed in a single assignment.

JSON

Abbreviation for JavaScript Object Notation (JSON). Used by Azure Policy to define policy objects.

Mode

Property on the policy definition that determines which resource types are evaluated for a policy definition. The property's configuration depends on whether the policy targets an Azure Resource Manager (ARM) property defined in an ARM template or a Resource Provider (RP) property.

Non-compliant

A compliance state which indicates that a resource didn't conform to the policy rule in the policy definition.

Overrides

The optional overrides property allows you to change the effect of a policy definition. With an override, you don't need to change the underlying policy definition or use a parameterized effect in the policy definition.

Policy rule

The component of a policy definition that describes resource compliance requirements through logic-based conditional statements and the effect taken if those conditions aren't met. A rule includes an if block and a then block.

Policy state

Describes the aggregated compliance state of a policy assignment.

Policy versioning

Built-in policy definitions can host multiple versions with the same definitionID. For more information, see Version.

Regulatory Compliance

Describes a specific type of initiative that allows you to group policies into controls and categorize policies into compliance domains based on responsibility (Customer, Microsoft, or Shared). There are many built-ins for Regulatory Compliance and customers have the ability to create their own. For more information, see Regulatory Compliance in Azure Policy.

Note

Regulatory Compliance is a Preview feature.

Remediation

A JSON-defined object that, when triggered, corrects resources violating policies with deployIfNotExists or modify effects. Remediation is only automatic for resources during creation or update. Existing resources must be remediated by triggering a remediation task. For more information, see Remediate non-compliant resources with Azure Policy.

Resource selectors

The optional resourceSelectors property is used for policy assignments or policy exemptions.

Scope

The extent or area to which a policy is relevant, as described by Azure Resource Manager (ARM). It determines the set of resources that an assignment applies to, and might be a subscription, management group, resource group, or resource. For more information, see Understand scope in Azure Policy.

Template info

The component of a policy definition used to define the constraint template. For more information, see Understand Azure Policy for Kubernetes clusters.

Next steps

To get started with Azure Policy, see What is Azure Policy?.