Forum Discussion

CyberSec
Copper Contributor
Oct 14, 2022
Solved

Scoping - Azure policy

Hello,

How does inheritance work in Azure Policy? I have subscription A with a policy to deny EC2 creation, but I create a policy specific to a resource group with a policy to allow EC2 creation. Which takes precedence?

Thanks

  • CyberSec  Azure Policy inheritance works in the form of a hierarchy:

    Highest precedence: Management Group > Subscription > Resource Group > Resource.

    A subscription policy to deny VM (EC2) creation will not allow you to create a VM, as the subscription policy will override the allow policy at the resource group level.


  • In your example, your exception at resource group level takes precedence. The recommended best practice is to apply organization-level policies at the management group, then apply exceptions either at subscription level or at resource group level.
    Take an example: you want to block the usage of public IP addresses, so you apply that policy at management group level; but say you have a specific set of VMs that need public IP addresses. Place those VMs in a resource group and then apply an exception to that resource group.
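An added example, not from either reply, that models the scoping behaviour discussed in this thread: policy assignments accumulate down the management group / subscription / resource group / resource hierarchy, an inherited Deny cannot be cancelled by a lower-level assignment (Azure Policy has no Allow effect), and the exception the second reply describes is carved out with an exclusion (notScopes) or an exemption on that resource group's scope. The scope ids, the hierarchy table and the simplified evaluation logic are constructed assumptions for illustration, not Azure's own engine.

```python
from dataclasses import dataclass, field

MG_ROOT = "/providers/Microsoft.Management/managementGroups/mg-root"  # constructed ids
SUB_A = "/subscriptions/sub-a"
RG_APP = SUB_A + "/resourceGroups/rg-app"
RG_EDGE = SUB_A + "/resourceGroups/rg-edge"
PIP_EDGE = RG_EDGE + "/providers/Microsoft.Network/publicIPAddresses/pip-1"
# child scope -> parent scope; a subscription's parent is its management group (assumed)
HIERARCHY = {SUB_A: MG_ROOT, RG_APP: SUB_A, RG_EDGE: SUB_A, PIP_EDGE: RG_EDGE}

@dataclass
class Assignment:
    name: str
    scope: str
    effect: str                           # Deny, Audit, ... (there is no Allow effect)
    not_scopes: list = field(default_factory=list)   # excluded sub-scopes
    exemptions: list = field(default_factory=list)   # exempted sub-scopes

def ancestors(scope):
    """The scope itself followed by each parent up to the root."""
    while scope is not None:
        yield scope
        scope = HIERARCHY.get(scope)

def denying_assignments(assignments, target):
    """Names of assignments whose Deny reaches `target`. Assignments are cumulative:
    each one assigned at the target or an ancestor applies, unless a notScope or
    exemption at the target or an ancestor carves it out; nothing lower can cancel it."""
    chain = set(ancestors(target))
    hits = []
    for a in assignments:
        if a.scope not in chain:
            continue                      # assigned elsewhere; not inherited here
        if any(s in chain for s in a.not_scopes + a.exemptions):
            continue                      # target sits inside an excluded/exempt scope
        if a.effect.lower() == "deny":
            hits.append(a.name)
    return hits

def question_scenario():
    """The thread's question: Deny at subscription A, plus an RG-level assignment
    meant to 'allow' VMs (modelled as Audit, the closest real effect)."""
    assignments = [Assignment("deny-vm-sub-a", SUB_A, "Deny"),
                   Assignment("audit-vm-rg-app", RG_APP, "Audit")]
    return denying_assignments(assignments, RG_APP)

def exemption_scenario(target):
    """Second reply's pattern: Deny public IPs at the management group, exempt rg-edge."""
    assignments = [Assignment("deny-pip-mg-root", MG_ROOT, "Deny", exemptions=[RG_EDGE])]
    return denying_assignments(assignments, target)
```

Running `question_scenario()` shows the subscription Deny still reaching rg-app despite the lower assignment, while `exemption_scenario()` shows the management-group Deny skipping rg-edge (and resources inside it) but still applying to every other resource group.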
