A question I often get asked is what’s the difference between Azure policy and Azure initiatives. Why would I use one over the other? In typical IT fashion I answer with “it depends”. This blog will answer those questions by review both azure services and the use cases for each. Before we start answering the questions let’s briefly review what each service does.
What is an Azure Policy?
Azure Policy is a service in Azure which allows you create polices which enforce and control the properties of a resource. When these policies are used they enforce different rules and effects over your resources, so those resources stay compliant with your IT governance standards.
To summarize, Azure policy is basically 3 components; policy definition , assignment and parameters.
Policy definition is the conditions which you want controlled. There are built in definitions such as controlling what type of resources can be deployed to enforcing the use of tags on all resources.
Policy assignment is the scope of what the policy definition can take effect around. Scope of assignment can be assigned to a individual, resource, resource group or management group. Policy assignments are inherited by all child resources.
Policy parameters are used by reducing the number of policy definitions you must create. Parameters would be used to define which type of VM SKUs to deploy or defining a specific location.
What is an Azure Initiative?
An Azure initiative is a collection of Azure policy definitions that are grouped together towards a specific goal or purpose in mind. Azure initiatives simplify management of your policies by grouping a set of policies together as one single item. For example, you could use the PCI-DSS built-in initiative which has all the policy definitions that are centered around meeting PCI-DSS compliance.
Similar to Azure Policy, initiatives have definitions ( a bunch of policies ) , assignments and parameters. Once you determine the definitions that you want, you would assign the initiative to a scope so that it can be applied.
Which one should I use?
It depends…in certain scenarios, depending on your organizations requirement it maybe more appropriate to use a single policy. However, in most cases it would be best and probably easier to manage in the future, to start off using Azure initiatives. In fact, it’s recommend by the Product group to use initiatives even for a single policy because once an initiative is assigned/created then any additional policy definitions added to the initiative become part of the assignment which would simply managing policies. For instance. instead of managing 20 separate policies for PCI-DSS compliance, you would only be managing the initiative because all those individuals polices are being evaluated and at the same time. Keep in mind if you have a need to ONLY have 1 policy enforced and evaluated and don’t see it expanding it’s best to use a single policy.