Implementing Governance for your Azure Cloud Using Azure Policy

by Contributed | Sep 20, 2024 | Technology

This article is contributed. See the original author and article here.

What is Azure Policy?

Azure Policy is a service that allows you to create, assign, and manage policies that govern your Azure resources. Policies are rules that define the desired state and configuration of your resources, such as the location, size, tags, and properties. Policies can also audit the compliance status of your resources and report any violations.

With Azure Policy, you can ensure that your resources follow the best practices and standards that you define for your organization. You can also use Azure Policy to implement cost management, security, and regulatory compliance for your cloud environment.

How does Azure Policy work?

Azure Policy works by evaluating your resources against the policies that you assign to them. You can assign policies at different levels of scope, such as the management group, subscription, resource group, or resource level. You can also create policy initiatives, which are collections of policies that work together to achieve a specific goal.

When you assign a policy, you can choose to apply it in audit mode or enforce mode. Audit mode will only monitor and report the compliance status of your resources, while enforce mode will prevent any non-compliant actions from taking place. For example, you can create a policy that restricts the allowed locations for your resources, and assign it in enforce mode. This will prevent any users from creating or moving resources to locations that are not allowed by the policy.

Azure Policy evaluates your resources periodically and whenever there is a change in the resource or the policy. You can view the compliance status of your resources and policies in the Azure portal, or use the Azure Policy APIs to integrate with other tools and services. You can also use Azure Policy to remediate any non-compliant resources by applying the desired configuration automatically or manually.

Why is Azure Policy useful for cloud governance?

Azure Policy is a powerful tool for cloud governance, because it enables you to define and enforce the rules and standards that you want your resources to follow. With Azure Policy, you can:

– Achieve consistency and compliance across your cloud environment, by ensuring that your resources are configured according to your policies.

– Reduce costs and optimize resource utilization, by limiting the types and sizes of resources that can be created or used.

– Enhance security and reduce risks, by restricting access and actions that can be performed on your resources.

– Meet regulatory and legal requirements, by complying with the policies that align with the industry standards and frameworks that apply to your organization.

Azure Policy is one of the key components of the Azure governance methodology, which provides a comprehensive approach to managing your cloud resources. By using Azure Policy, along with other services such as Azure Management Groups, Azure Blueprints, and Azure Resource Graph, you can achieve effective and efficient cloud governance for your organization.

Common Azure Policies

• Enforce tag and its value: This policy enforces a required tag and its value to a resource group or a subscription.

• Allowed locations: This policy enables you to restrict the locations that your organization can specify when deploying resources.

• Audit VMs that do not use managed disks: This policy audits any virtual machines that are not configured with managed disks, which are the recommended disk storage offering for virtual machines in Azure.

• Allowed resource types: This policy enables you to specify the resource types that your organization can deploy. For example, you can allow only virtual machines and storage accounts, and deny all other resource types.

• Audit insecure SSL protocols: This policy audits the usage of SSL protocols that are considered insecure, such as SSLv2 and SSLv3, and recommends using TLS protocols instead.

What if I don’t see a policy I need to define my rules? In that case you may create a custom policy.

How to create a custom Azure policy?

• To create a custom Azure policy, you need to define a policy definition and a policy assignment.


• A policy definition is a JSON file that specifies the logic and effect of the policy.


• A policy definition consists of the following elements:
  
  
  
  • Metadata: information about the policy, such as name, description, category, and mode.
  
  
  • Parameters: optional inputs that can be used to customize the policy.
  
  
  • Policy rule: the core logic of the policy, which defines the conditions and actions to evaluate the resources.
  
  
  • A policy assignment is the link between a policy definition and a scope, which can be a subscription, a resource group, or a resource.
  
  
  • A policy assignment can also specify parameters, exclusions, and enforcement modes for the policy.
  
  
  
  


• To create a custom Azure policy, you can use one of the following methods:


• Azure portal: a graphical user interface that allows you to create and manage policies.


• Azure PowerShell: a command-line tool that allows you to create and manage policies using scripts.


• Azure CLI: a cross-platform command-line tool that allows you to create and manage policies using commands.


• Azure Resource Manager templates: a declarative way of defining and deploying policies using JSON files.

Example of a custom Azure policy

• In this example, we will create a custom Azure policy that denies the creation of public IP addresses in a resource group.


• We will use the Azure portal to create the policy definition and the policy assignment.


• Here are the steps to follow:


• Sign in to the Azure portal and navigate to the Policy service.


• Click on Definitions and then click on + Policy definition.


• Enter a name, description, and category for the policy definition.


• Copy and paste the following JSON code in the Policy rule section:


• {


• “if”: {


• “allOf”: [


• {


• “field”: “type”,


• “equals”: “Microsoft.Network/publicIPAddresses”


• },


• {


• “field”: “Microsoft.Network/publicIPAddresses/publicIPAllocationMethod”,


• “equals”: “Dynamic”


• }


• ]


• },


• “then”: {


• “effect”: “deny”


• }


• }


• This policy rule denies the creation of public IP addresses with dynamic allocation method.


• Click on Save to create the policy definition.


• Click on Assignments and then click on + Assign policy.


• Select the scope of the policy assignment, which is the resource group where you want to apply the policy.


• Select the policy definition that you just created from the list of available policies.


• Enter a name and description for the policy assignment.


• Click on Review + create and then click on Create to create the policy assignment.


• The policy is now assigned to the resource group and will evaluate any new or existing resources in that scope.


• You can view the compliance status and details of the policy assignment in the Policy service.

Example of creating a Policy for non-compliant resources

Below is the procedure of creating a policy for identifying non-compliance resources for auditing purposes, however in certain situations you may want to enforce Azure Policy as described in the link below

Tutorial: Build policies to enforce compliance – Azure Policy | Microsoft Learn

1. Create a Policy assignment


2. In the search bar, type Policy and navigate to Assignment

1. Select Assign Policy from the Policy Assignments pane.

1. Under Available Definitions, select the appropriate policy


2. Choose the correct scope for the policy (such as subscription or resource group, as an example). You also get to decide which resources are excluded from applying the policy in the Exclusions window.

1. Decide whether you want to Enforce this policy (Under Policy Enforcement – leave as Enabled or if not – Disable which will still allow for compliance assessment reports which is our case for now, as we only need to know which network interfaces have public IPs assigned)


2. d) Click Next – specify a managed identity under Remediation (not needed in our case),  

     move to Non-Compliant message

1. Complete the process by clicking Review + create > Create

2. View non-compliant resources

1. In the Policy search bar type the name of the policy

1. Click View Compliance

1. Observe non-compliant resources

Based on the requirements, you may need to enforce the policy and remediate.

Follow for more blogs where options for remediations will be covered.

Disclaimer

The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.

Work Smarter: Copilot Productivity Tips for Secure Insights

by Contributed | Sep 17, 2024 | Technology

This article is contributed. See the original author and article here.

With the slate of enhancements for Microsoft 365 Copilot just announced, I thought it’d be interesting to take a look at some everyday use cases and see how you can take advantage of some of them. Today, we’ll briefly examine what enterprise data protection (EDP) in Microsoft 365 Copilot and Microsoft Copilot can help you to confidently do, and why we think it’s so important. 

First, what is EDP? It refers to controls and commitments, under the Data Protection Addendum (DPA) and Product Terms, that apply to customer data for users of Microsoft 365 Copilot and Microsoft Copilot. It applies to both Microsoft 365 Copilot and Microsoft Copilot when you’re signed in with your Entra ID. 

Check out the link to get the details, but at a high level, it means your data is private and secure and is not used to train the foundation models. This allows you to confidently leverage Copilot to get your job done without risking data leakage. Now let’s take a look at how this can come in handy! 

Tip 1: Find out how your product stacks up with competitors 

Let’s say you have an internal document that lays out the specifications for your latest product and you need to figure out how to bring it to the market. EDP means that I can attach the file to my prompt knowing it will stay secure as Copilot reasons over it, combining information from my data with the latest information on the web, to provide me with a response. 

1. Here I am, in the “Web” scope of Microsoft 365 Copilot. 

A screenshot of Microsoft Copilot

2. I enter the prompt,  
“ Use the product specifications from this document, and create a table comparing my new ebike to other offerings on the market. I want to find out how my product stacks up, and get ideas for what I should price my bike at.” 

3. I select the paperclip icon on the bottom right of the chat window and select the product specification document from my files. 

A screenshot of the chat window with a prompt and file linked

A screenshot of the results returned by Copilot in a table

A screenshot of the response provided by Copilot with analysis on competitor offerings

Copilot provides me with the table I asked for, while also providing some of the analysis and pricing strategy I had asked about and the information in my exchange with Copilot is not going to train foundation models or be risk being leaked.

Tip 2: Simplify collaboration further with Microsoft 365 Copilot 

If you have a Microsoft 365 Copilot license, you can further simplify collaboration with your coworkers using Copilot Pages. 

1. In the work scope of Business Chat, I put in the same prompt, this time in the Work scope of Microsoft 365 Copilot. This time, to link my file to the prompt, I simply use the forward slash button. 

A screenshot of Microsoft 365 Copilot Business Chat

2. With the response from Copilot, I then select “Edit in page”. Copilot automatically brings over its response to a Page. 

A screenshot of the response from Copilot, with the button “Edit in Page”

3. On the page, I’m able to either select share on the top right, or directly tag my coworkers by @ mentioning them and immediately collaborate on the content. 

A screenshot of Business Chat and a Page component

Alternatively, I could share either a link to the page, or copy the page component into an email, the same way I would a Loop component (If you want to learn more the experience, we explored using Copilot in Loop in my previous blog here). 

For instance, I could @ mention Bri, and ask her to take a look and add her thoughts and ideas. She could do this directly on the page, and even ask Copilot to help her.  

These small but simple ways to use Copilot have significantly improved and changed the way I work, tackle challenges, and collaborate.  

I’d love to hear what other ways you might find this helpful to you!