Dan Djurasovic Blog

Create Azure Policy Assignment to block the creation of expensive VMs and block creation of certain resource types

  • 03/07/2022
  • Dan Djurasovic

This article shows how to create Azure Policy assignments that prevent Azure administrators or developers from creating expensive virtual machines, and from creating certain resource types (for example, ExpressRoute).

We will cover the steps using both the Azure Portal and PowerShell.

We will use the following two existing built-in policy definitions:
• Allowed virtual machine size SKUs
• Not allowed resource types

Navigate to Policy > Definitions, search for the Allowed virtual machine size SKUs definition, and select Assign from the right-hand menu.

On the Basics tab, leave the defaults. By default, this policy will be assigned to the whole subscription.

Navigate to the Parameters tab and select all the SKUs that you want to remain available to your users.

After you assign the policy, this is the screen end users will see during VM creation: it shows which VM sizes are blocked and which are allowed.

Setup Policy Assignment using PowerShell

You can use this script to create the policy assignment. Just add your SKUs to the $SKUs variable.

$SubscriptionId = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
$location = "Canada Central"

# Create an Azure Policy Assignment (Allowed virtual machine size SKUs)
# Allow VM creation only for the following SKUs
$SKUs = "Standard_A1_v2",
        "Standard_A2_v2",
        "Standard_A2m_v2",
        "Standard_A4_v2",
        "Standard_A8_v2",
        "Standard_B1ms",
        "Standard_B1s",
        "Standard_B2ms",
        "Standard_B2s",
        "Standard_B4ms",
        "Standard_D1_v2",
        "Standard_D16ds_v5",
        "Standard_D16s_v3"

$PolicyAssignmentName = "Allowed virtual machine size SKUs"
# Look up the built-in definition by its display name
$Policy = Get-AzPolicyDefinition -Builtin | Where-Object { $_.Properties.DisplayName -eq "Allowed virtual machine size SKUs" }
# The parameter name must match the definition's parameter (listOfAllowedSKUs)
$Parameter = @{ "listOfAllowedSKUs" = @($SKUs) }
# -Location is required when -AssignIdentity creates a managed identity for the assignment
New-AzPolicyAssignment -Name $PolicyAssignmentName -PolicyDefinition $Policy -Scope "/subscriptions/$SubscriptionId" -PolicyParameterObject $Parameter -Location $location -AssignIdentity

We can use the following commands to check that the assignment has been created and to read back its parameters:
$Policy = Get-AzPolicyAssignment -Name "Allowed virtual machine size SKUs"
# ($Policy).Properties.Parameters    # shows all parameters of the assignment
($Policy).Properties.Parameters.listOfAllowedSKUs | fl
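Before assigning a Deny policy it is worth knowing which existing VMs already fall outside the allow-list, because Deny only blocks new create and update requests; existing resources keep running and are merely reported as non-compliant. The audit script below is an added example, not code from the original post; it assumes the Az.Compute module, an active Az login, and an allow-list in the same form as $SKUs above (a two-entry sample list is constructed here).

```powershell
# Added example (not from the original post): audit existing VMs against the
# allow-list before assigning the "Allowed virtual machine size SKUs" policy.
# Assumes Az.Compute is installed and Connect-AzAccount has been run.
$SKUs = "Standard_B2s", "Standard_D2s_v3"   # constructed sample allow-list

function Get-VmOutsideAllowList {
    param(
        [Parameter(Mandatory)] [string[]] $AllowedSkus,
        [string] $SubscriptionId                 # optional; defaults to the current context
    )
    if ($SubscriptionId) {
        Set-AzContext -SubscriptionId $SubscriptionId | Out-Null
    }
    # -notcontains is case-insensitive in PowerShell, matching how Azure treats SKU names
    foreach ($vm in Get-AzVM) {
        $size = $vm.HardwareProfile.VmSize
        if ($AllowedSkus -notcontains $size) {
            [pscustomobject]@{
                Name          = $vm.Name
                ResourceGroup = $vm.ResourceGroupName
                Location      = $vm.Location
                VmSize        = $size
            }
        }
    }
}

# VMs listed here will show as non-compliant after the assignment but keep
# running; only new creates and size changes are denied by the policy.
Get-VmOutsideAllowList -AllowedSkus $SKUs | Format-Table -AutoSize
```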

NOT ALLOWED RESOURCE TYPES

Setup Policy Assignment using Portal

To set up this policy assignment, type Not Allowed Resource Types in the search box and navigate to the Assign button, as shown in the following pictures.

On the Basics tab, leave the defaults. By default, this policy will be assigned to the whole subscription.

Navigate to the Parameters tab and select all the resource types that you do not want to be available to your users.

Setup Policy Assignment using PowerShell

You can use this script to create the policy assignment. Just add your resource types to the $BlockResources variable.

$SubscriptionId = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
$location = "Canada Central"

# Create an Azure Policy Assignment (Not allowed resource types)
# Deny creation of the following resource types
$BlockResources = "microsoft.network/expressroutecircuits",
                  "microsoft.network/expressroutegateways",
                  "microsoft.network/p2svpngateways",
                  "microsoft.network/vpngateways"

$PolicyAssignmentName = "Not allowed resource types"
# Look up the built-in definition by its display name
$Policy = Get-AzPolicyDefinition -Builtin | Where-Object { $_.Properties.DisplayName -eq "Not allowed resource types" }
# The parameter name must match the definition's parameter (listOfResourceTypesNotAllowed)
$Parameter = @{ "listOfResourceTypesNotAllowed" = @($BlockResources) }
New-AzPolicyAssignment -Name $PolicyAssignmentName -PolicyDefinition $Policy -Scope "/subscriptions/$SubscriptionId" -PolicyParameterObject $Parameter -Location $location -AssignIdentity -Verbose

We can use the following commands to check that the assignment has been created and to read back its parameters:
$Policy = Get-AzPolicyAssignment -Name "Not allowed resource types"
# ($Policy).Properties.Parameters    # shows all parameters of the assignment
($Policy).Properties.Parameters.listOfResourceTypesNotAllowed | fl
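Reading back the parameters confirms the assignment exists; the next step is to see what Azure Policy actually reports against it. The script below is an added example, not code from the original post: it queries the compliance state for both assignments created here, assuming the Az.PolicyInsights and Az.Resources modules and an active Az login. Compliance evaluation runs on a schedule, so a freshly created assignment may report nothing until the next evaluation.

```powershell
# Added example (not from the original post): list resources that Azure Policy
# reports as non-compliant with the two assignments created in this post.
# Assumes Az.PolicyInsights and Az.Resources are installed and Connect-AzAccount has been run.
$AssignmentNames = "Allowed virtual machine size SKUs", "Not allowed resource types"

function Get-AssignmentViolations {
    param([Parameter(Mandatory)] [string[]] $AssignmentName)
    foreach ($name in $AssignmentName) {
        $assignment = Get-AzPolicyAssignment -Name $name -ErrorAction SilentlyContinue
        if (-not $assignment) {
            Write-Warning "Policy assignment '$name' not found in the current subscription"
            continue
        }
        # Evaluation is periodic; Start-AzPolicyComplianceScan triggers an on-demand run
        # if the results below are empty right after assigning the policy.
        Get-AzPolicyState -PolicyAssignmentName $assignment.Name `
            -Filter "ComplianceState eq 'NonCompliant'" |
            Select-Object @{ n = 'Assignment'; e = { $name } },
                          ResourceType, ResourceGroup, ResourceId, Timestamp
    }
}

Get-AssignmentViolations -AssignmentName $AssignmentNames | Format-Table -AutoSize
```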

About The Author

Dan is an Azure Technical Advisor with over a dozen years of IT experience, specializing in Microsoft Office 365, Exchange Server, Azure IaaS and Active Directory.
