Quickstart: Create a policy assignment to identify non-compliant resources

The first step in understanding compliance in Azure is to identify the status of your resources. This quickstart steps you through the process of creating a policy assignment to identify virtual machines that aren't using managed disks.

At the end of this process, you'll successfully identify virtual machines that aren't using managed disks. They're non-compliant with the policy assignment.

If you don't have an Azure subscription, create a trial account before you begin.

Create a policy assignment

In this quickstart, you create a policy assignment and assign the Audit VMs that do not use managed disks policy definition.

  1. Launch the Azure Policy service in the Azure portal by clicking All services, then searching for and selecting Policy.

  2. Select Assignments on the left side of the Azure Policy page. An assignment is a policy that has been assigned to take place within a specific scope.

  3. Select Assign Policy from the top of the Policy - Assignments page.

  4. On the Assign Policy page, select the Scope by clicking the ellipsis and selecting either a management group or subscription. Optionally, select a resource group. A scope determines what resources or grouping of resources the policy assignment gets enforced on. Then click Select at the bottom of the Scope page.

    This example uses the Contoso subscription. Your subscription will differ.

  5. Resources can be excluded based on the Scope. Exclusions start at one level lower than the level of the Scope. Exclusions are optional, so leave it blank for now.

  6. Select the Policy definition ellipsis to open the list of available definitions. Azure Policy comes with built-in policy definitions you can use. Many are available, such as:

    • Enforce tag and its value
    • Apply tag and its value
    • Inherit a tag from the resource group if missing

    For a partial list of available built-in policies, see Azure Policy samples.

  7. Search through the policy definitions list to find the Audit VMs that do not use managed disks definition. Click on that policy and click Select.

  8. The Assignment name is automatically populated with the policy name you selected, but you can change it. For this example, leave Audit VMs that do not use managed disks. You can also add an optional Description. The description provides details about this policy assignment. Assigned by will automatically fill based on who is logged in. This field is optional, so custom values can be entered.

  9. Leave Create a Managed Identity unchecked. This box must be checked when the policy or initiative includes a policy with the deployIfNotExists effect. As the policy used for this quickstart doesn't, leave it blank. For more information, see managed identities and how remediation security works.

  10. Click Assign.

You're now ready to identify non-compliant resources to understand the compliance state of your environment.

Identify non-compliant resources

Select Compliance in the left side of the page. Then locate the Audit VMs that do not use managed disks policy assignment you created.

If there are any existing resources that aren't compliant with this new assignment, they appear under Non-compliant resources.

When a condition is evaluated against your existing resources and found true, those resources are marked as non-compliant with the policy. The following table shows how different policy effects work with the condition evaluation for the resulting compliance state. Although you don't see the evaluation logic in the Azure portal, the compliance state results are shown. The compliance state result is either compliant or non-compliant.

| Resource State | Effect | Policy Evaluation | Compliance State |
| --- | --- | --- | --- |
| Exists | Deny, Audit, Append*, DeployIfNotExist*, AuditIfNotExist* | True | Non-Compliant |
| Exists | Deny, Audit, Append*, DeployIfNotExist*, AuditIfNotExist* | False | Compliant |
| New | Audit, AuditIfNotExist* | True | Non-Compliant |
| New | Audit, AuditIfNotExist* | False | Compliant |

* The Append, DeployIfNotExist, and AuditIfNotExist effects require the IF statement to be TRUE. The effects also require the existence condition to be FALSE to be non-compliant. When TRUE, the IF condition triggers evaluation of the existence condition for the related resources.
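The following Python is added here as a worked example; it is not Microsoft's or Azure Policy's own code. It models the assignment created in the steps above and the evaluation table end to end: a small evaluator for the policy-rule language (allOf / anyOf / not, field equals / exists), a rule that approximates the built-in Audit VMs that do not use managed disks definition (its exact JSON is an assumption, based on the idea that a VM whose OS disk has a storage-account URI is not using a managed disk), a couple of constructed VM resources, and the compliance-state mapping from the table including the footnote for the starred effects. Running it shows which constructed VM the assignment would list under Non-compliant resources.

```python
"""Toy evaluator for the compliance logic in this quickstart (added example).

Implements a subset of the Azure Policy rule language and the table above.
The rule is an approximation of the built-in definition (assumption); the
resources are constructed sample data.
"""

# Approximation of the built-in rule (assumption, not copied from Azure).
AUDIT_UNMANAGED_DISKS_RULE = {
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
            {"field": "Microsoft.Compute/virtualMachines/osDisk.uri", "exists": "true"},
        ]
    },
    "then": {"effect": "audit"},
}

# Constructed resources: one legacy VM on a VHD blob, one VM on a managed disk.
SAMPLE_RESOURCES = [
    {"name": "vm-legacy", "type": "Microsoft.Compute/virtualMachines",
     "aliases": {"Microsoft.Compute/virtualMachines/osDisk.uri":
                 "https://legacystore.blob.core.windows.net/vhds/vm-legacy-os.vhd"}},
    {"name": "vm-managed", "type": "Microsoft.Compute/virtualMachines",
     "aliases": {"Microsoft.Compute/virtualMachines/osDisk.managedDisk.id":
                 "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/"
                 "providers/Microsoft.Compute/disks/vm-managed-os"}},
]

# Which (resource state, effect) cells the table above covers.
TABLE_EFFECTS = {
    "existing": {"deny", "audit", "append", "deployifnotexists", "auditifnotexists"},
    "new": {"audit", "auditifnotexists"},
}
STARRED_EFFECTS = {"append", "deployifnotexists", "auditifnotexists"}


def get_field(resource, field):
    """Resolve a policy field: 'type' is top-level, everything else is an alias."""
    if field == "type":
        return resource.get("type")
    return resource.get("aliases", {}).get(field)


def evaluate_condition(cond, resource):
    """Recursively evaluate an IF condition against one resource."""
    if "allOf" in cond:
        return all(evaluate_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource)
    value = get_field(resource, cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "exists" in cond:
        want_present = str(cond["exists"]).lower() == "true"
        return (value is not None) == want_present
    raise ValueError(f"unsupported condition: {cond}")


def compliance_state(effect, if_result, resource_state="existing", existence_result=None):
    """Map (resource state, effect, IF result) to a compliance state per the table.

    Footnote: for the starred effects a True IF only makes the resource
    non-compliant when the existence condition evaluated to False.
    """
    eff = effect.lower()
    if eff.endswith("ifnotexist"):  # table spells DeployIfNotExist / AuditIfNotExist
        eff += "s"
    if eff not in TABLE_EFFECTS[resource_state]:
        raise ValueError(f"{effect} on a {resource_state} resource is not covered by the table")
    if not if_result:
        return "Compliant"
    if eff in STARRED_EFFECTS:
        if existence_result is None:
            raise ValueError(f"{effect} needs the existence condition result when IF is True")
        return "Non-Compliant" if existence_result is False else "Compliant"
    return "Non-Compliant"


def evaluate_assignment(rule, resources, resource_state="existing"):
    """Apply one assignment (Audit/Deny rule) to resources; returns {name: state}."""
    effect = rule["then"]["effect"]
    return {res["name"]: compliance_state(effect, evaluate_condition(rule["if"], res), resource_state)
            for res in resources}


if __name__ == "__main__":
    for name, state in evaluate_assignment(AUDIT_UNMANAGED_DISKS_RULE, SAMPLE_RESOURCES).items():
        print(f"{name:12s} {state}")
```

The evaluator deliberately raises for combinations the table does not list (for example Deny on a new resource, which is blocked rather than reported), so it never reports a state the page does not define.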

Clean up resources

To remove the assignment created, follow these steps:

  1. Select Compliance (or Assignments) in the left side of the Azure Policy page and locate the Audit VMs that do not use managed disks policy assignment you created.

  2. Right-click the Audit VMs that do not use managed disks policy assignment and select Delete assignment.


Next steps

In this quickstart, you assigned a policy definition to a scope and evaluated its compliance report. The policy definition validates that all the resources in the scope are compliant and identifies which ones aren't.

To learn more about assigning policies to validate that new resources are compliant, continue to the tutorial for: