Azure-docs: Clarify policy inheritance and override

Created on 12 Apr 2018 · 6 comments · Source: MicrosoftDocs/azure-docs

I am trying to understand how policies can be overridden by other policies further down the assignment tree. It would be really nice if this document could clarify that.

For example, we are looking to assign a resource type whitelist policy at the management group level, and then assign a more permissive policy (allowing more resource types) on a child management group or even directly on subscriptions.

But it's not clear to me from the documentation what happens when multiple policies, which specify conflicting conditions and/or effects, are assigned on different levels of the assignment tree.




All 6 comments

@DaRosenberg Hi Daniel, I'm investigating this with the PM team.

in-process

FYI @bandersmsft - assigned the issue to you for further correspondence.

Still working on this.

@DaRosenberg Hi Daniel. You need to exclude the child management group or subscription from the management group-level policy assignment. Then, assign the more permissive policy on the child management group or subscription level. Basically, if any policy results in a resource getting denied then the only way to allow the resource is to modify the denying policy.
I'll update the article for this example. Thanks!

please-close
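To make the answer concrete, here is an added example (not from the issue, the docs or the Azure Policy service itself) that models the behaviour described above in Python; the nested scope paths, assignment names and resource types are constructed for illustration, and the model encodes only what the answer states: a deny from any in-scope assignment wins, and the child scope has to be excluded (notScopes) from the parent assignment before a more permissive assignment there has any effect.

```python
# Constructed model of Azure Policy assignment evaluation across the scope tree.
# Scopes are simplified to nested path strings (not real Azure resource IDs).
from dataclasses import dataclass, field


@dataclass
class Assignment:
    name: str
    scope: str                      # scope the assignment is attached to
    allowed_types: set[str]         # "allowed resource types" whitelist
    effect: str = "deny"            # "deny" or "audit"
    not_scopes: set[str] = field(default_factory=set)  # excluded child scopes


def ancestors(scope: str) -> list[str]:
    """All scopes from the root down to and including `scope`."""
    parts = scope.strip("/").split("/")
    return ["/" + "/".join(parts[:i + 1]) for i in range(len(parts))]


def evaluate(assignments, resource_scope: str, resource_type: str):
    """Return (allowed, audit_hits) for creating `resource_type` at `resource_scope`."""
    chain = ancestors(resource_scope)
    denied, audits = False, []
    for a in assignments:
        # Skip assignments outside the chain, or whose notScopes cover the resource.
        if a.scope not in chain or any(n in chain for n in a.not_scopes):
            continue
        if resource_type in a.allowed_types:
            continue                # compliant with this assignment
        if a.effect == "deny":
            denied = True           # any in-scope deny wins; no short-circuit needed
        else:
            audits.append(a.name)   # audit records non-compliance but does not block
    return (not denied), audits


ROOT, CHILD, SUB = "/mg-root", "/mg-root/mg-child", "/mg-root/mg-child/sub-1"
STORAGE, VM = "Microsoft.Storage/storageAccounts", "Microsoft.Compute/virtualMachines"
strict = Assignment("root-allowlist", ROOT, {STORAGE})
permissive = Assignment("child-allowlist", CHILD, {STORAGE, VM})


def attempt_override() -> bool:
    """A more permissive child assignment alone: the root deny still applies."""
    return evaluate([strict, permissive], SUB, VM)[0]


def exclude_then_override() -> bool:
    """Exclude the child management group from the root assignment, then it works."""
    excluded = Assignment(strict.name, strict.scope, strict.allowed_types, not_scopes={CHILD})
    return evaluate([excluded, permissive], SUB, VM)[0]
```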

@bandersmsft OK, thanks - that's clear in the context of my particular example.

But I'd like to understand more generally the rules of inheritance and possible overriding.

If I extrapolate on what you're saying about my example, would it be correct to say in general terms:

  • Policy assignments get evaluated top-to-bottom
  • The most restrictive policy assignment will always win, i.e. a DENY on any level will take precedence over an ALLOW on any other level
  • AUDIT overrides ALLOW
  • DENY overrides both AUDIT and ALLOW.
  • Policy evaluation is not short-circuited, i.e. the whole inheritance tree is always evaluated for policies that could potentially have an effect

Would that be correct?

re-open
