Thursday, August 13, 2020

Azure Governance Policy Initiative – What/How to apply this

v Introduction

v Pre-Requisites

v Provisioning of VMs

v Policy Initiative Definition

v Remediation

v Get List of Installed Agents



Azure governance has been playing vital role when we talk about Azure. Policy ensures that resources are compliant as per the organization standard, it also identifies non-complaint resources so that adequate action or remediation can be applied to make resources complaint.

v Pre-Requisites

1.    To create policy initiative for Enabling monitor for Azure VMs, you should have few VMs available or you can create using following Azure PowerShell

2.    It also enforces to have one Log analytics workspace. 

v Provisioning of VMs

To verify how Policy initiative work ,we will have two virtual machines of type UbuntuLTS and Win2016 DataCenter

az vm create -n UbuntuVM -g cloudpiper-RG --image UbuntuLTS --admin-username "adminuser" --admin-password "Demouser@123" --size Standard_D2s_v3 --no-wait

az vm create -n windowsvm -g cloudpiper-rg --image Win2016Datacenter --admin-username adminuser --admin-password "Demouser@123" --size Standard_D2s_v3 --no-wait

Image vm-creation.jpg

Go to Resource Group to verify does virtual machines exist there.

Create a log analytics workspace or utilize it persists already

Policy Initiative: A Policy initiative is a collection of policies that are oriented towards achieving a singular target.

In this article I’ll be focusing on Enable Azure Monitor for VMs policy initiatives which is collection of almost 10 policies are part of Azure monitoring.

Certainly it depends on scenarios, and  on your organizations requirement sometime its more  appropriate to use a single policy. However, if we consider future prospects also than its will be easy to manage using Azure initiatives. Even product group always recommends assigning initiatives, even if it contains only one policy. Any amendments to that initiative, adding, removing or modifying the policies, then they will be auto assigned to the right scope.

e.g. instead of managing twenty 20 diverse policies for PCI-DSS compliance, you would only be managing the initiative because all those individuals polices are being evaluated at the same time. 

Practical -> So lets jump in practical part.

Login in  with your credentials and go to Policy -> Definitions as appears in following screenshot policy-definition.jpg 

Policy Definition

We will use Enable Azure Monitor for VMs. This initiative has almost 10 policies and is of type built-in.

Once you click on this initiative it opens the detailed information about all policies exists in that. Refer an image initiative-definition.jpg

Initiative Definition 

NOTE: Notice initiative definition doesn’t have deny effect Type, though it has deployIfNotExists and AuditIfNotExists.

Click on assign and follow the following screen Scope.jpg


for reference fill the required details and set a scope for as per you need for instance subscription/ResourceGroup 

Note: Ensure to keep the scope of virtual machines as Subscription/cloudpiper-rg and choose the Log Analytics workspace (Policy-initiative-law) you would have been created.

The optional parameters are if you have your own Windows/Linux images, which could add to the scope of this initiative.

Click Next and Create. Refer an image create-initiative.jpg

After successful creation it may show such message in notification

Creating initiative assignment 'Enable Azure Monitor for VMs' in 'Visual Studio Enterprise/cloudpiper-rg' was 
successful. Please note that the assignment takes around 30 minutes to take effect.
Go to Policy-> Assignments -> Enable Azure Monitor for VMs
Refer image Assignments.jpg



Go to Policy-> Compliance-> Enable Azure Monitor for VMs

See the complaint state as non-complaint for 2 resources along with 2 non-complaint policies , refer an image compliance-state.jpg below for reference 


Click on “Enable Azure monitor for VMs” it opens a more detailed page which contains diverse potential information along with actions which can be taken to make this complaint, like edit assignment , Assign to another scope, Create a remediation task etc.  Few of them are listed 


v  Complaint State - A newly assigned policy has ‘Not started’ state. Refresh the view to see the latest evaluation results. If you’re seeing ‘Not started’ for existing assignments, ensure that you have the 'Microsoft.PolicyInsights/*' RBAC permissions. If ‘Not Registered’, register the Microsoft.PolicyInsights RP.

v  Overall resource compliance - Count of compliant resource / (count of compliant resources + non-compliant resources). To learn more, visit

v  Non-complaint policies - Number of policy assignments with at least one non-compliant resource

v  Non-complaint resources- Number of unique resources that violate one or more policy rules

 Refer image : Complaince.jpg




v Click create remediation task and then click remediate. Refer an image remediation.jpg

New remediation task
Add caption

v  Once it has been succeeded, you should be able to verify using the following command 

Get List of Installed Agents

az vm extension list -g cloudpiper-rg --vm-name windowsvm -o table

az vm extension list -g cloudpiper-rg --vm-name windowsvm -o table

az vm extension list -g cloudpiper-rg --vm-name ubuntuvm -o table

Refer an image Powershell.jpg

You should see the MMAExtension and DependencyAgent extensions have been installed on all VMs . 

NOTE: Ensure after this lab kindly delete your resource group as it may incur too much cost.


For more Video demonstration kindly visit my YouTube channel





Post a Comment