Scoping - Azure policy

How does inheritance work in Azure Policy? I have subscription A with a policy to deny EC2 creation, but I create a policy specific to a resource group with a policy to allow EC2 creation. Which takes precedence?




In your example, your exception at resource group level takes precedence. The recommended best practice is to apply organization-level policies at the management group, then apply exceptions either at subscription level or at resource group level.
Take an example: you want to block the usage of public IP addresses, so apply that policy at management group level. But say you want a specific set of VMs that need a public IP address: place those VMs in a resource group and then apply the exception there.
best response confirmed by CyberSec (Occasional Contributor)

@CyberSec Azure Policy inheritance works in the form of a hierarchy:

Highest precedence: Management Group > Subscription > Resource Group > Resource.

A subscription policy to deny VM (EC2) creation will not allow you to create a VM, as the subscription policy will override the allow policy at resource group level.
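As an added illustration (not code from this thread or from Microsoft), here is a small Python model of the scoping rules the two replies describe: assignments are inherited down the Management Group > Subscription > Resource Group chain, effects are cumulative so a deny at any ancestor still applies to the child scope, and the way to make a resource-group exception is an exclusion (notScopes) or a policy exemption on the assignment, because Azure Policy has no "allow" effect that could override a deny. The management group, subscription and resource group IDs are constructed for the example.

```python
from dataclasses import dataclass, field

MG = "/providers/Microsoft.Management/managementGroups/contoso"   # constructed
SUB = "/subscriptions/sub-a"                                       # constructed
RG_WEB, RG_EDGE = f"{SUB}/resourceGroups/rg-web", f"{SUB}/resourceGroups/rg-edge"
# Constructed hierarchy (child -> parent); Azure derives this from the real tenant.
PARENT = {SUB: MG, RG_WEB: SUB, RG_EDGE: SUB}

def ancestors(scope):
    """Yield the scope itself, then each parent up to the root management group."""
    while scope is not None:
        yield scope
        scope = PARENT.get(scope)

@dataclass
class Assignment:
    name: str
    scope: str
    effect: str         # "deny" or "audit"; Azure Policy has no "allow" effect
    resource_type: str  # type the policy rule matches, e.g. Microsoft.Compute/virtualMachines
    not_scopes: list = field(default_factory=list)  # exclusions set on the assignment
    exemptions: list = field(default_factory=list)  # policy exemptions below the assignment

    def applies_to(self, target):
        """Inherited by every scope under the assignment unless carved out."""
        if self.scope not in ancestors(target):
            return False
        return not any(s in ancestors(target) for s in self.not_scopes + self.exemptions)

def evaluate(resource_type, target, assignments):
    """Deny wins: any applicable deny assignment for this type blocks the request."""
    denies = [a.name for a in assignments if a.applies_to(target)
              and a.effect == "deny" and a.resource_type == resource_type]
    return ("deny", denies) if denies else ("allow", [])

VM, PIP = "Microsoft.Compute/virtualMachines", "Microsoft.Network/publicIPAddresses"

# Scenario from the question: deny VMs at the subscription, a looser (audit)
# assignment at the resource group. The child assignment does not override the deny.
QUESTION = [Assignment("deny-vm", SUB, "deny", VM), Assignment("audit-vm", RG_WEB, "audit", VM)]

# Pattern from the replies: deny public IPs at the management group, then carve out
# one resource group with an exclusion (notScopes) or another with an exemption.
RECOMMENDED = [Assignment("deny-pip", MG, "deny", PIP, not_scopes=[RG_EDGE])]
EXEMPTED = [Assignment("deny-pip", MG, "deny", PIP, exemptions=[RG_WEB])]

if __name__ == "__main__":
    print(evaluate(VM, RG_WEB, QUESTION))       # ('deny', ['deny-vm'])
    print(evaluate(PIP, RG_EDGE, RECOMMENDED))  # ('allow', [])
    print(evaluate(PIP, RG_WEB, RECOMMENDED))   # ('deny', ['deny-pip'])
    print(evaluate(PIP, RG_WEB, EXEMPTED))      # ('allow', [])
```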