DEMO: Assigning Policies

As an IT professional tasked with managing resources in Azure, it’s important to understand key administrative roles and permissions within a subscription and within a resource group. It’s also important to know how to leverage Role-Based Access Control (RBAC) for managing such administrative roles and permissions.

In the first part of this course, you will learn about Azure subscriptions.  You will learn about key roles within a subscription, including contributor, owner, reader, and user access administrator. You’ll also learn how to manage these roles by using RBAC. We’ll also cover subscription policies and the role they play in the management of an Azure subscription.

In the second part of the course, we’ll talk about resource groups in Azure.  We’ll touch on what they do and how they are managed. You will learn how to secure resources within a resource group via resource policies and resource locks.  You’ll also learn about resource tagging and how it can be used to manage and group Azure resources.

Rounding out this course, we’ll cover the process of moving resources from one resource group to another, as well as the deletion of resource groups altogether.

Learning Objectives

Azure Subscriptions

  • Understand the owner role
  • Understand the subscription administrator role
  • How to manage roles and permissions with RBAC
  • Understand subscription policies

Resource Groups

  • Understanding the purpose of resource groups
  • How to leverage resource group policies
  • How to use resource locks to protect resources
  • How to leverage resource tags  
  • Moving resources between resource groups
  • Removing resource groups

Intended Audience

  • IT professionals interested in becoming Azure cloud architects
  • IT professionals preparing for Microsoft’s Azure certification exams


  • General knowledge of IT infrastructure
  • General knowledge of the Azure environment

Understanding compliance in Microsoft Azure requires the ability to identify the status of resources in a subscription. In this demonstration, we'll walk through the process of creating a policy assignment to identify virtual machines that are not using managed disks.

To get started, let's create a policy assignment and assign the audit virtual machines without managed disks policy definition. To do this, browse to the Azure portal, and then click All services. From here, search for Policy, and then select it from the results list.

Click Assignments in the left pane. An assignment is a policy that's been assigned to take place within a specific scope. Next, click Assign policy from the top of the Policy Assignments page. From the Assign policy page, select a scope by clicking the ellipsis, and then choosing either a management group or a subscription. The scope determines which resources the policy assignment gets applied to.

Click Select at the bottom of the scope page. Exclusions are optional, so we'll leave this option blank since we aren't excluding anything. Click the policy definition ellipsis to open the list of available definitions. By default, Azure Policy offers built-in policy definitions that you can use. For this exercise, we can search through the list of policy definitions to find the Audit VMs that do not use managed disks definition.

Click on that policy, and then click Select. The assignment name is automatically populated with the policy name, but that can be changed. For this exercise, we're just going to leave Audit VMs that do not use managed disks. Adding a description is optional. The description, if used, should provide details about the policy assignment itself.

Assigned by is filled in automatically, based on who is logged in. This field is also optional, and as such, custom information can be entered here as well. For this exercise, I'm going to leave Create a Managed Identity unchecked. This option must be checked if the policy being assigned includes a policy with the deployIfNotExists effect. Since the policy we are working with in this exercise does not, we can leave it blank.

Click Assign to assign the policy. With the policy assigned, we can identify non-compliant resources. To do so, click Compliance in the left side of the page, and then find the Audit VMs that do not use managed disks policy assignment that was created.

Resources that are not compliant with this new assignment will appear under Non-compliant resources. When conditions are evaluated against resources and are found to be true, those resources are marked as non-compliant with the assigned policy. Compliance State results are either compliant or non-compliant. So, as you can see from this demonstration, policies are extremely helpful when trying to ensure resource compliance with predefined standards.
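The evaluation described above, as an added example that is not part of the course material: a simplified Python model of how the scope, the exclusions and the audit condition combine into a compliance state. It assumes the definition flags a VM whose OS disk carries a VHD URI instead of a managed disk reference; the subscription ID, resource names, storage account and helper functions are all constructed for illustration.

```python
# Added example: simplified model of audit evaluation, not Azure's policy engine.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed ID
VM_TYPE = "microsoft.compute/virtualmachines"

def vm(rg, name, os_disk):
    """Build a constructed VM resource in the ARM JSON shape."""
    return {
        "id": f"{SUB}/resourceGroups/{rg}/providers/Microsoft.Compute/virtualMachines/{name}",
        "type": "Microsoft.Compute/virtualMachines",
        "properties": {"storageProfile": {"osDisk": os_disk}},
    }

# Constructed inventory: one VM on a managed disk, two on VHD blobs.
RESOURCES = [
    vm("rg-app", "web01", {"managedDisk": {"storageAccountType": "Premium_LRS"}}),
    vm("rg-legacy", "db01", {"vhd": {"uri": "https://examplestore.blob.core.windows.net/vhds/db01.vhd"}}),
    vm("rg-lab", "test01", {"vhd": {"uri": "https://examplestore.blob.core.windows.net/vhds/test01.vhd"}}),
]

def in_scope(resource_id, scope, exclusions=()):
    """True if the ID sits under the scope and under no exclusion (rg-app != rg-app2)."""
    rid = resource_id.lower().rstrip("/") + "/"
    def under(prefix):
        return rid.startswith(prefix.lower().rstrip("/") + "/")
    return under(scope) and not any(under(e) for e in exclusions)

def uses_unmanaged_disk(resource):
    """Assumed audit condition: the OS disk points at a VHD URI."""
    os_disk = resource["properties"].get("storageProfile", {}).get("osDisk", {})
    return bool(os_disk.get("vhd", {}).get("uri"))

def evaluate(resources, scope, exclusions=()):
    """Map each in-scope VM ID to 'NonCompliant' (condition true) or 'Compliant'."""
    states = {}
    for res in resources:
        if res["type"].lower() != VM_TYPE:
            continue  # this model only evaluates virtual machines
        if in_scope(res["id"], scope, exclusions):
            states[res["id"]] = "NonCompliant" if uses_unmanaged_disk(res) else "Compliant"
    return states

def non_compliant_names(states):
    """Short VM names for the non-compliant resources, sorted."""
    return sorted(i.rsplit("/", 1)[-1] for i, s in states.items() if s == "NonCompliant")

if __name__ == "__main__":
    lab = f"{SUB}/resourceGroups/rg-lab"
    print(non_compliant_names(evaluate(RESOURCES, SUB)))         # whole subscription
    print(non_compliant_names(evaluate(RESOURCES, SUB, [lab])))  # rg-lab excluded
```

An excluded scope is never evaluated, so an unmanaged-disk VM inside it does not appear under Non-compliant resources at all; exclusions are worth reviewing as part of any compliance check.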

About the Author

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.