cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Scoping - Azure policy

CyberSec
Occasional Contributor

‎Oct 14 2022 02:49 AM

‎Oct 14 2022 02:49 AM

Scoping - Azure policy

Hello,

 

How does inheritance work in Azure policy? I've subscription A with a policy to deny EC2 creation. But I create a policy specific to Resource Group with a policy to allow EC2 creation, which takes precedence?

 

Thanks

 

Labels:
248 Views
0 Likes
2 Replies
Reply
2 Replies
Chandrasekhar_Arya

‎Oct 16 2022 10:32 PM

‎Oct 16 2022 10:32 PM

Re: Scoping - Azure policy

In your example your exception at resource group level takes precedence. The recommended best practices apply policies of organization level at management group, then apply exceptions either at subscription level or resources groups level.
Take an example you want to block the usage of Public IP address then apply it at management group level but say you want specific set of VM that needs public IP address place that VM in a resource group and then apply exception
1 Like
Reply
best response confirmed by CyberSec (Occasional Contributor)
iamneeraj

‎Oct 25 2022 08:11 AM

‎Oct 25 2022 08:11 AM

Solution

Re: Scoping - Azure policy

@CyberSec  Azure policy inheritance works in form of Hierarchy

Highest Precedence=== Management Group > Subscription> Resource Group >Resource.


Subscription Policy to Deny VM(EC2) will not allow you to create a VM as Subscription policy will override the allow policy at Resource Group level.

Preview file
521 KB
1 Like
Reply