Azure Policy is the mechanism for enforcing compliance and governance requirements across Azure resources. In 2022, the tooling for managing Azure Policy as code has matured enough to treat policy as a first-class software artifact.

How Azure Policy works

Azure Policy evaluates resource properties against defined rules. A policy that requires all storage accounts to use HTTPS evaluates the httpsTrafficOnly property on each storage account in scope. Policies are assigned at management group, subscription, or resource group scope. Policy effects determine what happens on non-compliance: Audit (log the violation), Deny (block the resource creation), DeployIfNotExists (deploy a remediation resource if the compliant configuration is absent).

Policy initiatives for compliance frameworks

Policy initiatives (policy sets) group related policies for a compliance framework. The built-in initiatives for CIS, NIST, PCI, and HIPAA group the controls into a single assignment that applies all relevant policies. Custom initiatives let you define your organisation's specific governance requirements as a composable set of policies. Assigning an initiative at the management group level applies all policies to all subscriptions below it.

Bicep for policy definitions

Azure Policy definitions can be written in Bicep and deployed via ARM template deployment. Treating policy definitions as Bicep code means they are in version control, reviewable via pull request, and deployable through a pipeline. The GitHub Action for Azure Resource Manager deployment can apply policy definitions and assignments as part of a governance pipeline. This is the IaC pattern applied to governance.

Policy exemptions

Azure Policy exemptions allow specific resources or resource groups to be excluded from a policy assignment for a defined period. The exemptions are auditable in the Azure Policy compliance view. Managing exemptions rigorously (tracking expiry, justification, and owner) prevents exemptions from becoming permanent workarounds that undermine the governance intent.
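The pieces described above (a custom Deny definition for the HTTPS-only storage rule, its subscription-scope assignment, and a time-boxed exemption with owner and justification) as one Bicep file, added here as an example and not code from the original post; every name, scope, date, ticket id and contact in it is a constructed assumption.

```bicep
targetScope = 'subscription'
// Constructed example: names, scopes, dates and contacts below are assumptions, not from the page.
// Custom definition: match storage accounts that do not enforce HTTPS-only traffic.
resource httpsOnlyDef 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'storage-https-only'
  properties: {
    displayName: 'Storage accounts must enforce HTTPS-only traffic'
    policyType: 'Custom'
    mode: 'Indexed'
    policyRule: {
      if: {
        allOf: [
          { field: 'type', equals: 'Microsoft.Storage/storageAccounts' }
          {
            // property absent (older API versions) or explicitly false
            anyOf: [
              { field: 'Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly', exists: 'false' }
              { field: 'Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly', equals: 'false' }
            ]
          }
        ]
      }
      // Deny blocks the create/update request; switch to 'Audit' for a dry run that only logs
      then: { effect: 'Deny' }
    }
  }
}

// Assignment at the subscription: every storage account below this scope is evaluated.
resource httpsOnlyAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'storage-https-only'
  properties: {
    displayName: 'Deny plain HTTP on storage accounts'
    policyDefinitionId: httpsOnlyDef.id
    enforcementMode: 'Default'
  }
}

// Time-boxed exemption for one resource group; owner and ticket live in metadata so they show in the compliance view.
resource legacyExemption 'Microsoft.Authorization/policyExemptions@2022-07-01-preview' = {
  name: 'legacy-apps-https-waiver'
  scope: resourceGroup('rg-legacy-apps')
  properties: {
    policyAssignmentId: httpsOnlyAssignment.id
    exemptionCategory: 'Waiver'
    expiresOn: '2023-03-31T00:00:00Z'
    description: 'Client migration to HTTPS tracked in GOV-1234; exemption lapses automatically at expiry.'
    metadata: { owner: 'platform-team@example.com', ticket: 'GOV-1234' }
  }
}
```

Deploy with `az deployment sub create --location <region> --template-file <file>.bicep` from a pipeline step; the expiry date and the metadata fields are what the compliance view and a periodic review can key on so the waiver does not silently become permanent.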