Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.
5.1.1. Azure Policy: Policies and Initiatives
💡 First Principle: Azure Policy evaluates resource properties against rules. Policies that detect non-compliance can audit, deny creation, or automatically remediate.
Scenario: You need to ensure all resources have a "CostCenter" tag with a value before they can be created.
Policy Effects
| Effect | Behavior | Use Case |
|---|---|---|
| Audit | Log non-compliance, allow resource | Monitoring existing resources |
| Deny | Block non-compliant resource creation | Enforce standards on new resources |
| Modify | Change resource properties | Auto-remediation |
| DeployIfNotExists | Deploy additional resources | Ensure dependencies exist |
| Append | Add properties during creation | Add default values |
Policy for Required Tags
```json
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions/resourceGroups"
      },
      {
        "field": "tags['CostCenter']",
        "exists": false
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
```
⚠️ Exam Trap: Using append when you want to block resources without a tag. Append adds values but doesn't prevent creation. Use deny to block resources that don't have the required tag.
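The rule above can be checked against sample requests before it is assigned. The following is an added example, not code from MindMesh Academy or Microsoft: a simplified local model of the `allOf`/`anyOf`/`equals`/`exists` conditions, showing which constructed requests the page's rule denies. `STRICT_RULE`, the sample resources and the `allow` label are assumptions made for illustration.

```python
import re

RG = "Microsoft.Resources/subscriptions/resourceGroups"
# Rule from this page: deny resource groups that lack the CostCenter tag.
PAGE_RULE = {"if": {"allOf": [
    {"field": "type", "equals": RG},
    {"field": "tags['CostCenter']", "exists": False}]},
    "then": {"effect": "deny"}}
# Assumed stricter variant: an empty tag value is also non-compliant.
STRICT_RULE = {"if": {"allOf": [
    {"field": "type", "equals": RG},
    {"anyOf": [{"field": "tags['CostCenter']", "exists": False},
               {"field": "tags['CostCenter']", "equals": ""}]}]},
    "then": {"effect": "deny"}}

def field_value(resource, field):
    """Resolve 'type' or tags['Name']; None means the field is absent."""
    m = re.fullmatch(r"tags\['(.+)'\]", field)
    if m:
        return resource.get("tags", {}).get(m.group(1))
    return resource.get(field)

def matches(cond, resource):
    """Evaluate the small subset of conditions used by the rules above."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    value = field_value(resource, cond["field"])
    if "exists" in cond:
        want = str(cond["exists"]).lower() == "true"
        return (value is not None) == want
    # equals: case-insensitive; this model never matches an absent field
    return value is not None and str(value).lower() == str(cond["equals"]).lower()

def effect(rule, resource):
    """Effect of the rule if it matches; 'allow' is this model's no-match label."""
    return rule["then"]["effect"] if matches(rule["if"], resource) else "allow"

# Constructed sample requests (not real resources).
SAMPLES = {
    "rg-untagged": {"type": RG, "tags": {}},
    "rg-empty": {"type": RG, "tags": {"CostCenter": ""}},
    "rg-tagged": {"type": RG, "tags": {"CostCenter": "CC-1001"}},
    "vm-untagged": {"type": "Microsoft.Compute/virtualMachines", "tags": {}},
}
def report(rule):
    return {name: effect(rule, res) for name, res in SAMPLES.items()}
```

In this model the page's rule lets `rg-empty` through because the tag exists with an empty value, and neither rule touches `vm-untagged` because both are scoped to the resource group type.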
Policy Modes
| Mode | Behavior | Use Case |
|---|---|---|
| all | Evaluate all resource types including resource groups | General policies |
| indexed | Evaluate only resource types that support tags and location | Tag inheritance (skip resource groups) |
⚠️ Exam Trap: Using all mode for tag inheritance from resource groups. If a policy inherits tags from the parent resource group, using all mode will try to apply it to the resource groups themselves (which have no parent). Use indexed mode to skip resource groups.
Written by Alvin Varughese
Founder • 15 professional certifications