Resource Policies

As an IT professional tasked with managing resources in Azure, it’s important to understand key administrative roles and permissions within a subscription and within a resource group. It’s also important to know how to leverage Role Based Access Control (RBAC) for managing such administrative roles and permissions.

In the first part of this course, you will learn about Azure subscriptions. You will learn about key roles within a subscription, including contributor, owner, reader, and user access administrator. You’ll also learn how to manage these roles by using RBAC. We’ll also cover subscription policies and the role they play in the management of an Azure subscription.

In the second part of the course, we’ll talk about resource groups in Azure. We’ll touch on what they do and how they are managed. You will learn how to secure resources within a resource group via resource policies and resource locks. You’ll also learn about resource tagging and how it can be used to manage and group Azure resources.

Rounding out this course, we’ll cover the process of moving resources from one resource group to another, as well as the deletion of resource groups altogether.

Learning Objectives

Azure Subscriptions

  • Understand the owner role
  • Understand the subscription administrator Role
  • How to manage roles and permissions with RBAC
  • Understand subscription policies

Resource Groups

  • Understanding the purpose of resource groups
  • How to leverage resource group policies
  • How to use resource locks to protect resources
  • How to leverage resource tags
  • Moving resources between resource groups
  • Removing resource groups

Intended Audience

  • IT professionals interested in becoming Azure cloud architects
  • IT professionals preparing for Microsoft’s Azure certification exams

Prerequisites

  • General knowledge of IT infrastructure
  • General knowledge of the Azure environment

IT governance is critical to organizations. It ensures achievable goals through effective and efficient use of IT by creating clarity between business goals and IT projects. As such, IT governance requires careful planning of initiatives and setting priorities on a strategic level to help manage and prevent issues.

Azure Policy helps accomplish this. Azure Policy is an Azure service used to create, assign and manage policies that enforce different rules over Azure resources. In doing so, such resources remain compliant with corporate standards and SLAs.

Azure Policy accomplishes this by evaluating deployed resources and scanning for those not compliant with the policies that have been defined. An example would be a policy that allows only certain virtual machine sizes in an Azure environment. Once implemented, such a policy is evaluated when resources are created or updated, as well as against existing resources.

Managing resources with Azure Policy begins with the creation of a policy definition in the portal. Attached to such a definition are conditions under which it is enforced along with an effect that takes place when the defined conditions are met.

Azure Policy offers several built-in policies that are available by default. Require SQL Server 12.0 contains conditions and rules to ensure that all SQL servers deployed use version 12. This policy denies all servers that do not meet these criteria.

Allowed Storage Account SKUs contains conditions and rules that determine if a storage account being deployed is within a certain set of SKU sizes. It denies all storage accounts that do not adhere to the defined set of SKU sizes.

Allowed Resource Type contains conditions and rules to specify which resource types can be deployed. This policy denies any resources that are not part of this defined list. Allowed Locations restricts the locations to which resources can be deployed. It is used to enforce geo-compliance requirements. The Allowed Virtual Machine SKUs policy restricts the set of virtual machine SKUs that can be deployed.

Apply tag and its default value applies a required tag and its default value to resources if the tag is not specified by the user. The enforce tag and its value policy enforces a required tag and its value on a resource. Not allowed resource types lets you specify resource types that cannot be deployed.
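The pieces the lecture has described so far (a definition's conditions, the effect applied when they match, parameters supplied at assignment time, and the scope an assignment covers) can be seen working together in the following model. It is an added example written for this page, not Microsoft's code or part of the course: it supports only a small subset of the policy language, uses one hand-written alias, a placeholder subscription id and constructed resource payloads, and stands in for the evaluation Azure itself performs on deployments and on its periodic scans. The two "Allowed" definitions are modelled on the built-ins the lecture lists; the tag definition is a custom one with an audit effect.

```python
"""Offline model of Azure Policy evaluation (added example, not course material).
Supports an if/then policyRule with allOf / anyOf / not, the field operators
equals / in / notIn / exists, and "[parameters('name')]" references. Aliases,
case-insensitive matching and the append/modify/deploy effects are left out."""
import re

PARAM_RE = re.compile(r"^\[parameters\('([^']+)'\)\]$")
TAG_RE = re.compile(r"^tags\['([^']+)'\]$")
# Alias -> path in the ARM payload; Azure ships thousands, this is the one used here.
ALIASES = {"Microsoft.Compute/virtualMachines/sku.name": ("properties", "hardwareProfile", "vmSize")}
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed placeholder id


def resolve(value, params):
    """Replace a "[parameters('x')]" reference with the value given at assignment time."""
    m = PARAM_RE.match(value) if isinstance(value, str) else None
    return params[m.group(1)] if m else value


def get_field(resource, field):
    """Read a policy 'field' (top-level key, alias, or tags['Name']) from the payload; None if absent."""
    m = TAG_RE.match(field)
    if m:
        return resource.get("tags", {}).get(m.group(1))
    node = resource
    for key in ALIASES.get(field, (field,)):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def evaluate_condition(cond, resource, params):
    """Evaluate one node of the 'if' tree: True means the condition is met."""
    if "allOf" in cond:
        return all(evaluate_condition(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource, params)
    actual = get_field(resource, cond["field"])
    if "exists" in cond:
        return (actual is not None) == (str(resolve(cond["exists"], params)).lower() == "true")
    if "equals" in cond:
        return actual == resolve(cond["equals"], params)
    if "in" in cond:
        return actual in resolve(cond["in"], params)
    if "notIn" in cond:
        return actual not in resolve(cond["notIn"], params)
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(definition, params, resource):
    """Return the effect ('deny', 'audit', ...) if the 'if' block matches, else None."""
    rule = definition["properties"]["policyRule"]
    if evaluate_condition(rule["if"], resource, params):
        return resolve(rule["then"]["effect"], params).lower()
    return None


def make_definition(display_name, parameters, rule_if, effect):
    """Wrap a rule in the document shape a definition has in the portal / CLI."""
    return {"properties": {"displayName": display_name, "policyType": "Custom", "mode": "Indexed",
                           "parameters": parameters, "policyRule": {"if": rule_if, "then": {"effect": effect}}}}


# Modelled on the built-in "Allowed virtual machine size SKUs": deny a VM whose size is not in the list.
ALLOWED_VM_SKUS = make_definition("Allowed virtual machine size SKUs", {"listOfAllowedSKUs": {"type": "Array"}},
    {"allOf": [{"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
               {"not": {"field": "Microsoft.Compute/virtualMachines/sku.name",
                        "in": "[parameters('listOfAllowedSKUs')]"}}]}, "deny")
# Modelled on the built-in "Allowed locations": deny any resource placed outside the approved regions.
ALLOWED_LOCATIONS = make_definition("Allowed locations", {"listOfAllowedLocations": {"type": "Array"}},
    {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"}, "deny")
# Custom definition: report, but do not block, resources that lack a CostCenter tag.
AUDIT_MISSING_TAG = make_definition("Audit resources missing the CostCenter tag", {},
    {"field": "tags['CostCenter']", "exists": "false"}, "audit")

# Constructed assignments: a definition, the scope it applies to, and the parameter values.
ASSIGNMENTS = [
    {"definition": ALLOWED_VM_SKUS, "scope": SUB, "parameters": {"listOfAllowedSKUs": ["Standard_B2s", "Standard_D2s_v3"]}},
    {"definition": ALLOWED_LOCATIONS, "scope": SUB, "parameters": {"listOfAllowedLocations": ["westeurope", "northeurope"]}},
    {"definition": AUDIT_MISSING_TAG, "scope": SUB + "/resourceGroups/rg-prod", "parameters": {}},
]
# Constructed resource payloads, trimmed to the fields the rules read.
RESOURCES = [
    {"id": SUB + "/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-ok",
     "type": "Microsoft.Compute/virtualMachines", "location": "westeurope",
     "tags": {"CostCenter": "1234"}, "properties": {"hardwareProfile": {"vmSize": "Standard_B2s"}}},
    {"id": SUB + "/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-oversized",
     "type": "Microsoft.Compute/virtualMachines", "location": "westeurope",
     "tags": {"CostCenter": "1234"}, "properties": {"hardwareProfile": {"vmSize": "Standard_E64s_v3"}}},
    {"id": SUB + "/resourceGroups/rg-dev/providers/Microsoft.Storage/storageAccounts/stdeveastus",
     "type": "Microsoft.Storage/storageAccounts", "location": "eastus"},
    {"id": SUB + "/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stprodnotag",
     "type": "Microsoft.Storage/storageAccounts", "location": "northeurope"},
]


def evaluate_resources(resources=RESOURCES, assignments=ASSIGNMENTS):
    """Map each resource's short name to the effects raised by the assignments whose scope contains it."""
    report = {}
    for res in resources:
        in_scope = [a for a in assignments if res["id"].lower().startswith(a["scope"].lower() + "/")]
        effects = [evaluate(a["definition"], a["parameters"], res) for a in in_scope]
        report[res["id"].rsplit("/", 1)[-1]] = sorted(e for e in effects if e)
    return report
```

`evaluate_resources()` reports `vm-oversized` and `stdeveastus` as denied (by the SKU and location policies respectively) and `stprodnotag` as audited only, while `vm-ok` is compliant; the tag policy never reaches `stdeveastus` because it is assigned at the rg-prod resource group and that account lives in rg-dev. In Azure the same definition document is registered with `az policy definition create` and bound to a scope with `az policy assignment create`, which is where the parameter values shown in the assignments would be supplied.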

To leverage these policy definitions, as well as any custom definitions, they first need to be assigned. This can be done through the Azure portal, PowerShell, or the Azure CLI. Compliance is re-evaluated about once an hour, so a change to a policy definition made after the policy has been assigned is applied to the resources in scope within the hour.

About the Author

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.