What is applicability in Azure Policy?
When a policy definition is assigned to a scope, Azure Policy determines which resources in that scope should be considered for compliance evaluation. A resource is only assessed for compliance if it's considered applicable to the given policy assignment.
Several factors determine applicability:
- Conditions in the `if` block of the policy rule.
- Mode of the policy definition.
- Excluded scopes specified in the assignment.
- Resource selectors specified in the assignment.
- Exemptions of resources or resource hierarchies.
Conditions in the `if` block of the policy rule are evaluated for applicability in slightly different ways based on the effect.
Note
Applicability is different from compliance, and the logic used to determine each is different. If a resource is applicable that means it is relevant to the policy. If a resource is compliant that means it adheres to the policy. Sometimes only certain conditions from the policy rule impact applicability, while all conditions of the policy rule impact compliance state.
Resource Manager modes
ifNotExists policy effects
The applicability of `AuditIfNotExists` and `DeployIfNotExists` policies is based on the entire `if` condition of the policy rule. When the `if` evaluates to false, the policy isn't applicable.
All other policy effects
Azure Policy evaluates only `type`, `name`, and `kind` conditions in the policy rule `if` expression and treats other conditions as true (or false when negated). If the final evaluation result is true, the policy is applicable. Otherwise, it's not applicable.
Following are special cases to the previously described applicability logic:
Scenario | Result
---|---
Any invalid aliases in the `if` conditions | The policy isn't applicable
When the `if` conditions consist of only `kind` conditions | The policy is applicable to all resources
When the `if` conditions consist of only `name` conditions | The policy is applicable to all resources
When the `if` conditions consist of only `type` and `kind` conditions | Only `type` conditions are considered when deciding applicability
When the `if` conditions consist of only `type` and `name` conditions | Only `type` conditions are considered when deciding applicability
When the `if` conditions consist of `type`, `kind`, and other conditions | Both `type` and `kind` conditions are considered when deciding applicability
When the `if` conditions consist of `type`, `name`, and other conditions | Both `type` and `name` conditions are considered when deciding applicability
When any conditions (including deployment parameters) include a `location` condition | Isn't applicable to subscriptions
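The applicability rules above and the special cases in the table, as an added Python illustration (not Azure Policy's own evaluator). The policy rule and the resource are plain dicts in a simplified shape I assume here (resource properties keyed by alias name, `equals`/`in` operators only), and alias validity isn't checked because that needs the Azure alias catalogue.

```python
# Added illustration of this page's applicability rules; not Azure Policy's code.
# Rule and resource are simplified dicts; invalid aliases are not detected here.
APPLICABILITY_FIELDS = {"type", "name", "kind"}
IF_NOT_EXISTS = {"auditifnotexists", "deployifnotexists"}


def _fields(cond):
    """Collect every 'field' name referenced anywhere in a condition tree."""
    if "field" in cond:
        return {cond["field"].lower()}
    if "not" in cond:
        return _fields(cond["not"])
    key = "allOf" if "allOf" in cond else "anyOf"
    return set().union(*(_fields(c) for c in cond[key]))


def _match(cond, resource):
    """Evaluate one leaf condition (equals / in only) against the resource."""
    value = str(resource.get(cond["field"], "")).lower()
    if "equals" in cond:
        return value == str(cond["equals"]).lower()
    return value in [str(v).lower() for v in cond["in"]]


def _walk(cond, resource, decisive):
    """Walk the 'if' tree; conditions on fields outside `decisive` count as true."""
    if "allOf" in cond:
        return all(_walk(c, resource, decisive) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_walk(c, resource, decisive) for c in cond["anyOf"])
    if "not" in cond:
        return not _walk(cond["not"], resource, decisive)  # true becomes false
    if cond["field"].lower() not in decisive:
        return True
    return _match(cond, resource)


def is_applicable(policy_rule, resource):
    """True if `resource` is considered for this Resource Manager mode rule."""
    condition, used = policy_rule["if"], _fields(policy_rule["if"])
    if policy_rule["then"]["effect"].lower() in IF_NOT_EXISTS:
        return _walk(condition, resource, used)  # the whole 'if' decides
    if "location" in used and resource.get("type", "").lower() == "microsoft.resources/subscriptions":
        return False  # location conditions never apply to subscriptions
    if used in ({"kind"}, {"name"}):
        return True  # only kind or only name: applicable to all resources
    decisive = used & APPLICABILITY_FIELDS
    if used == decisive and decisive in ({"type", "kind"}, {"type", "name"}):
        decisive = {"type"}  # only type decides
    return _walk(condition, resource, decisive)
```

Note that a `deny` rule on `supportsHttpsTrafficOnly` is applicable to a storage account that already enforces HTTPS (only `type` decides applicability), while the same `if` under `AuditIfNotExists` is not, which is the applicability-versus-compliance distinction the note above makes.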
Resource provider modes
Microsoft.Kubernetes.Data
The applicability of `Microsoft.Kubernetes.Data` policies is based on the entire `if` condition of the policy rule. When the `if` evaluates to false, the policy isn't applicable.
Microsoft.KeyVault.Data, Microsoft.DataFactory.Data
Policies with these resource provider modes are applicable if the `type` condition of the policy rule evaluates to true. The `type` refers to the component type.
Key Vault component types:
- `Microsoft.KeyVault.Data/vaults/certificates`
- `Microsoft.KeyVault.Data/vaults/keys`
- `Microsoft.KeyVault.Data/vaults/secrets`
Azure Data Factory component type:
- `Microsoft.DataFactory.Data/factories/outboundTraffic`
Not Applicable Resources
There could be situations in which resources are applicable to an assignment based on conditions or scope, but they shouldn't be applicable for business reasons. In that case, it's best to apply exclusions or exemptions. To learn more about when to use either, review scope comparison.
Note
By design, Azure Policy excludes resources under the `Microsoft.Resources` resource provider from policy evaluation, except for subscriptions and resource groups.
Next steps
- Learn how to mark resources as not applicable.
- Learn more on applicability limitations.
- Learn how to Get compliance data of Azure resources.