Thursday, August 26, 2021

Azure Policy introduces user assigned MSI support, faster DINE deployment, and more!

Azure Policy is excited to be rolling out some exciting new features! With these new capabilities, customers will be able to configure the deployment time of ARM templates via their DeployIfNotExists policies, use user-assigned MSI with their policy assignments, as well as group more policies in initiatives.  

 

Learn more about our new features below! 

 

User-Assigned Managed Identity 

 

Azure Policy now supports user-assigned managed identities! You cancreate a user-assigned managed identityand assign it to one or more of your policy assignments, offering easier management of managed identities and controlling access across the environment. 

 

Users can assign a user-assigned managed identity via REST API today, with Azure portal, PowerShell, and Azure CLI support coming shortly. 

 

 

 

{
    "location": "westus2",
    "identity": {
        "type": "UserAssigned",
        "userAssignedIdentities": {
            "/subscriptions/testSubscription/resourceGroups/testResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/test-msi": {}
        }
    },
    "properties": {
        "scope": "/subscriptions/testSubscription/resourcegroups/testResourceGroup",
        "displayName": "Test Policy User Assigned MSI",
        "enforcementMode": "Default",
        "policyDefinitionId": "/subscriptions/testSubscription/providers/Microsoft.Authorization/policyDefinitions/policyDefinitionId",
        "parameters": {}
    },
    "name": "TestPolicyWithUserAssignedMsi"
}

 

 

 

Here’s more information about user-assigned managed identities. 

 

DeployIfNotExist Latency Time 

 

AuditIfNotExists (AINE) and DeployIfNotExists (DINE) timing is now configurable within policy definitions!  

 

 

 

{
    "if": {
        "field": "type",
        "equals": "ResourceProviderTestHost/TestResourceTypeTwo"
    },
    "then": {
        "effect": "deployIfNotExists",
        "details": {
            "type": "ResourceProviderTestHost/TestResourceType",
            "evaluationDelay": "AfterProvisioning",
            "deployment": {
                "properties": {
                    "template": {
                        "$schema": https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#, 
                        "contentVersion": "1.0.0.0",
                        "resources": []
                    },
                    "mode": "Incremental"
                }
            }
        }
    }
}

 

 

 

Let’s say that you create and assign a DeployIfNotExists policy definition to your environment that deploys a private endpoint on any Azure Automation account. Now, instead of the private endpoint starting to deploy 10 minutes after creation of an Automation account, you can change the timing so the private endpoint deploys at the time that you choose, instead being limited to the default 10 minute delay.  

 

Instead, users are able to set one of the following options: 

  • AfterProvisioning 
  • AfterProvisioningSuccess 
  • AfterProvisioningFailure 
  • ISO 8601 duration between 0 and 360 minutes. 

 

AfterProvisioning values refer to the provisioning result of the resource that was evaluated in the policy rule's 'If’ condition. For example, AfterProvisioning runs after provisioning is complete, regardless of outcome.  

 

This does not affect remediation or existing resources as those evaluations always occur immediately. 

 

To use this new capability, you need to add the optional property ‘evaluationDelay’ to the details of your AINE and DINE policy definitions. 

 

To learn more about evaluationDelay, see DeployIfNotExists properties. 

 

Azure Policy initiative definitions increase support for 300 total parameter values 

 

Azure Policy initiative definitions enable users to group together related policy definitions to simplify assignments and management. Each initiative has an allowed number of parameters that users can define and apply to various policy definitions within a given initiative.  

 

Now, Azure Policy has increased the initiative parameter limit to 300.  This increases the amount of policy definitions that you can put in your initiative definitions and apply to your environment. Existing built-in initiative definitions also now have the capability to add more related policy definitions, becoming increasingly more robust and comprehensive. We hope that this update further improves ease of management of your environment with Azure Policy and provides a stronger compliance summary to our users.  

 

To learn more, see Azure Policy initiative definition structure. 

 

 

Posted at https://sl.advdat.com/3gwZFD2