Thanks Anthony, your post is really helpful.
I am trying to make sure any new subscriptions have an Azure provider and feature enabled, and it doesn't look like a regular ARM template can do it.
After some struggle this code worked for me:
"policyRule": {
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions"
      }
    ]
  },
  "then": {
    "effect": "DeployIfNotExists",
    "details": {
      "type": "Microsoft.Resources/deployments",
      "name": "SQLVMREG",
      "ExistenceScope": "subscription",
      "roleDefinitionIds": [
        "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
      ],
      "deploymentScope": "subscription",
      "deployment": {
        "location": "westus2",
        "name": "SQLVMREG",
I used a named deployment so it won't rerun on the subscriptions which already did it.
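The points the comment above relies on (subscription-scope existence check, a named deployment so remediation is idempotent, and the role handed to the remediation identity) can be checked mechanically before the policy is assigned. The following validator is an added example, not the commenter's code or Azure's: the policy rule it inspects is constructed from the fragment in the comment, with the deployment `properties` (template and parameters, which the comment does not show) replaced by a labelled placeholder. The role GUIDs are the well-known built-in Contributor and Owner definitions; the lookup is case-insensitive because Azure Policy treats property names that way, so the comment's `ExistenceScope` spelling is accepted.

```python
"""Sanity checks for a subscription-scope DeployIfNotExists policy rule.

Added example, not the original poster's code. POLICY_RULE_JSON is constructed
from the fragment in the comment; the deployment "properties" block is a
placeholder because the comment does not show the real template.
"""
import json

# Built-in Azure role definition GUIDs (well-known values).
CONTRIBUTOR_ROLE_ID = "b24988ac-6180-42a0-ab88-20f7382dd24c"
OWNER_ROLE_ID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"

# Constructed sample: the comment's policyRule, closed out with a placeholder template.
POLICY_RULE_JSON = r"""
{
  "if": { "allOf": [ { "field": "type", "equals": "Microsoft.Resources/subscriptions" } ] },
  "then": {
    "effect": "DeployIfNotExists",
    "details": {
      "type": "Microsoft.Resources/deployments",
      "name": "SQLVMREG",
      "ExistenceScope": "subscription",
      "roleDefinitionIds": [
        "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
      ],
      "deploymentScope": "subscription",
      "deployment": {
        "location": "westus2",
        "name": "SQLVMREG",
        "properties": {
          "mode": "Incremental",
          "template": { "PLACEHOLDER": "deployment template omitted in the comment" }
        }
      }
    }
  }
}
"""


def parse_rule(text: str) -> dict:
    """Parse a policyRule JSON document into a dict."""
    return json.loads(text)


def get_ci(obj: dict, key: str):
    """Case-insensitive key lookup: Azure Policy property names are not case-sensitive,
    so 'ExistenceScope' and 'existenceScope' both match."""
    for k, v in obj.items():
        if k.lower() == key.lower():
            return v
    return None


def check_policy_rule(rule: dict) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    then = get_ci(rule, "then") or {}
    if (get_ci(then, "effect") or "").lower() != "deployifnotexists":
        findings.append("effect is not DeployIfNotExists")
        return findings
    details = get_ci(then, "details") or {}
    deployment = get_ci(details, "deployment") or {}

    # 1. Both scopes default to resourceGroup, which a subscription does not have,
    #    so both must be set to 'subscription' for the rule to evaluate correctly.
    for key in ("existenceScope", "deploymentScope"):
        if (get_ci(details, key) or "").lower() != "subscription":
            findings.append(f"{key} should be 'subscription'")

    # 2. Idempotency: the existence check looks for a deployment named details.name,
    #    so the deployment must create exactly that name or remediation reruns each evaluation.
    if get_ci(details, "name") != get_ci(deployment, "name"):
        findings.append("details.name and deployment.name differ; remediation would rerun on every evaluation")

    # 3. Least privilege: every role listed here is granted to the remediation identity
    #    on each subscription in the assignment scope.
    roles = get_ci(details, "roleDefinitionIds") or []
    if not roles:
        findings.append("roleDefinitionIds is empty; the remediation identity cannot deploy")
    for role in roles:
        if role.rsplit("/", 1)[-1].lower() == OWNER_ROLE_ID:
            findings.append("Owner role granted to the remediation identity; prefer a narrower role")

    # 4. A subscription-scope deployment needs a location and a template body.
    if not get_ci(deployment, "location"):
        findings.append("deployment.location is missing")
    if not get_ci(get_ci(deployment, "properties") or {}, "template"):
        findings.append("deployment.properties.template is missing")
    return findings


if __name__ == "__main__":
    for finding in check_policy_rule(parse_rule(POLICY_RULE_JSON)) or ["no findings"]:
        print(finding)
```

Run it against the real definition file before assigning the policy; a non-empty finding list is the signal to fix the rule rather than to assign and watch remediation tasks fail or loop.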