什么是 Azure Policy?What is Azure Policy?

治理验证组织是否能够通过有效且高效地使用 IT 来实现其目标。Governance validates that your organization can achieve its goals through effective and efficient use of IT. 它通过详细说明业务目标和 IT 项目来满足这一需求。It meets this need by creating clarity between business goals and IT projects.

你的公司是否正遇到了大量似乎难以解决的 IT 问题?Does your company experience a significant number of IT issues that never seem to get resolved? 良好的 IT 治理涉及在战略级别规划各项举措和设置优先级,以便管理和预防问题。Good IT governance involves planning your initiatives and setting priorities on a strategic level to help manage and prevent issues. Azure Policy 迎合了此策略需求。This strategic need is where Azure Policy comes in.

Azure Policy 是 Azure 中的一项服务,用于创建、分配和管理策略。Azure Policy is a service in Azure that you use to create, assign, and manage policies. 这些策略将在整个资源中强制实施不同的规则和效果,使这些资源符合公司标准和服务级别协议。These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. Azure Policy 通过评估资源是否符合指定策略来满足此需求。Azure Policy meets this need by evaluating your resources for non-compliance with assigned policies. Azure Policy 存储的所有数据都经过静态加密。All data stored by Azure Policy is encrypted at rest.

例如,可以制定一项策略,只允许环境中存在特定 SKU 大小的虚拟机。For example, you can have a policy to allow only a certain SKU size of virtual machines in your environment. 实施此策略后,将评估新资源和现有资源的符合性。Once this policy is implemented, new and existing resources are evaluated for compliance. 通过使用正确的策略类型,可以确保现有资源的符合性。With the right type of policy, existing resources can be brought into compliance. 本文档后面将更详细地讲述如何使用 Azure Policy 创建和实施策略。Later in this documentation, we'll go over more details on how to create and implement policies with Azure Policy.


现在,无论定价层如何,为所有分配都提供了 Azure Policy 的符合性评估。Azure Policy's compliance evaluation is now provided for all assignments regardless of pricing tier. 如果分配未显示符合性数据,请确保已向 Microsoft.PolicyInsights 资源提供程序注册订阅。If your assignments do not show the compliance data, please ensure that the subscription is registered with the Microsoft.PolicyInsights resource provider.

策略与 RBAC 有什么不同?How is it different from RBAC?

Azure Policy 和基于角色的访问控制 (RBAC) 之间存在一些主要区别。There are a few key differences between Azure Policy and role-based access control (RBAC). RBAC 关注不同范围内的用户操作。RBAC focuses on user actions at different scopes. 你可能会被添加到资源组的参与者角色,可对该资源组做出更改。You might be added to the contributor role for a resource group, allowing you to make changes to that resource group. Azure Policy 关注部署期间的资源属性,以及现有资源。Azure Policy focuses on resource properties during deployment and for already existing resources. Azure Policy 控制各种属性,例如资源的类型或位置。Azure Policy controls properties such as the types or locations of resources. 不同于 RBAC,Azure Policy 是默认的允许和明确拒绝系统。Unlike RBAC, Azure Policy is a default allow and explicit deny system.

Azure Policy 中的 RBAC 权限RBAC Permissions in Azure Policy

Azure Policy 在两个资源提供程序中具有多个权限(称为操作):Azure Policy has several permissions, known as operations, in two Resource Providers:

许多内置角色可授予对 Azure Policy 资源的权限。Many Built-in roles grant permission to Azure Policy resources. “资源策略参与者”角色包括大多数 Azure Policy 操作 。The Resource Policy Contributor role includes most Azure Policy operations. “所有者”具有完全权限 。Owner has full rights. “参与者”和“读者”都可以使用所有读取 Azure Policy 操作,但“参与者”还可以触发修正 。Both Contributor and Reader can use all read Azure Policy operations, but Contributor can also trigger remediation.

如果没有任何内置角色具有所需的权限,可创建自定义角色If none of the Built-in roles have the permissions required, create a custom role.

策略定义Policy definition

若要在 Azure Policy 中创建和实施策略,首先请创建策略定义。The journey of creating and implementing a policy in Azure Policy begins with creating a policy definition. 每种策略定义在其特定的条件下将被强制执行。Every policy definition has conditions under which it's enforced. 并且,在满足条件时将出现定义的效果。And, it has a defined effect that takes place if the conditions are met.

在 Azure Policy 中,我们将提供一些默认可供使用的内置策略。In Azure Policy, we offer several built-in policies that are available by default. 例如:For example:

  • 允许的存储帐户 SKU:确定正在部署的存储帐户是否在 SKU 大小集内。Allowed Storage Account SKUs: Determines if a storage account being deployed is within a set of SKU sizes. 其效果是拒绝所有不符合定义的 SKU 大小集的存储帐户。Its effect is to deny all storage accounts that don't adhere to the set of defined SKU sizes.
  • 允许的资源类型:定义可以部署的资源类型。Allowed Resource Type: Defines the resource types that you can deploy. 其效果是拒绝所有不属于此定义列表的资源。Its effect is to deny all resources that aren't part of this defined list.
  • 允许的位置:限制新资源的可用位置。Allowed Locations: Restricts the available locations for new resources. 其效果是用于强制执行异地符合性要求。Its effect is used to enforce your geo-compliance requirements.
  • 允许的虚拟机 SKU:指定可以部署的虚拟机 SKU 集。Allowed Virtual Machine SKUs: Specifies a set of virtual machine SKUs that you can deploy.
  • 向资源添加标记:如果部署请求未指定,则应用所需的标记及其默认值。Add a tag to resources: Applies a required tag and its default value if it's not specified by the deploy request.
  • 强制实施标记及其值:对资源强制执行所需的标记及其值。Enforce tag and its value: Enforces a required tag and its value to a resource.
  • 不允许的资源类型:禁止部署资源类型的列表。Not allowed resource types: Prevents a list of resource types from being deployed.

若要实现这些策略定义(包括内置定义和自定义定义),需将其分配出去。To implement these policy definitions (both built-in and custom definitions), you'll need to assign them. 可通过 Azure 门户、PowerShell 或 Azure CLI 来分配上述任意策略。You can assign any of these policies through the Azure portal, PowerShell, or Azure CLI.

策略评估采用多种不同的操作,例如策略分配或策略更新。Policy evaluation happens with several different actions, such as policy assignment or policy updates. 有关完整列表,请参阅策略评估触发器For a complete list, see Policy evaluation triggers.

若要了解有关策略定义结构的详细信息,请查看策略定义结构To learn more about the structures of policy definitions, review Policy Definition Structure.

策略分配Policy assignment

策略分配是在特定作用域内发生的已分配的策略定义。A policy assignment is a policy definition that has been assigned to take place within a specific scope. 此作用域的范围是从管理组到资源组。This scope could range from a management group to a resource group. 术语“作用域”指分配到策略定义的所有资源组、订阅或管理组 。The term scope refers to all the resource groups, subscriptions, or management groups that the policy definition is assigned to. 策略分配由所有子资源继承。Policy assignments are inherited by all child resources. 此设计意味着应用于资源组的策略也应用于该资源组中的资源。This design means that a policy applied to a resource group is also applied to resources in that resource group. 但是,可以从策略分配中排除子作用域。However, you can exclude a subscope from the policy assignment.

例如,可以在订阅作用域中分配阻止创建网络资源的策略。For example, at the subscription scope, you can assign a policy that prevents the creation of networking resources. 可以排除订阅中用于网络基础结构的资源组。You could exclude a resource group in that subscription that is intended for networking infrastructure. 然后可以向信任的用户授予此网络资源组的访问权限,包括创建网络资源。You then grant access to this networking resource group to users that you trust with creating networking resources.

在另一个示例中,你可能想要在管理组级别分配资源类型允许列表策略。In another example, you might want to assign a resource type allow list policy at the management group level. 然后为子管理组或者甚至直接为订阅分配更多权限策略(以允许更多资源类型)。And then assign a more permissive policy (allowing more resource types) on a child management group or even directly on subscriptions. 但是,此示例不会正常工作,因为策略是显式拒绝系统。However, this example wouldn't work because policy is an explicit deny system. 与此相反,你需要从管理组级别策略分配中排除子管理组或订阅。Instead, you need to exclude the child management group or subscription from the management group-level policy assignment. 然后,为子管理组或订阅级别分配更多权限策略。Then, assign the more permissive policy on the child management group or subscription level. 如果任何策略导致资源被拒绝,则允许该资源的唯一方法是修改拒绝策略。If any policy results in a resource getting denied, then the only way to allow the resource is to modify the denying policy.

有关通过门户设置策略定义和分配的详细信息,请参阅创建策略分配,识别 Azure 环境中的不合规资源For more information on setting policy definitions and assignments through the portal, see Create a policy assignment to identify non-compliant resources in your Azure environment. 还可以使用 PowerShellAzure CLI 的步骤。Steps for PowerShell and Azure CLI are also available.

策略参数Policy parameters

策略参数通过减少必须创建的策略定义数量来帮助简化策略管理。Policy parameters help simplify your policy management by reducing the number of policy definitions you must create. 在创建策略定义时可定义参数,以使其更为通用。You can define parameters when creating a policy definition to make it more generic. 然后就可以为不同方案重复使用该策略定义。Then you can reuse that policy definition for different scenarios. 要执行此操作,请在分配策略定义时传入不同的值。You do so by passing in different values when assigning the policy definition. 例如,为订阅指定一组位置。For example, specifying one set of locations for a subscription.

在创建策略定义时定义参数。Parameters are defined when creating a policy definition. 在定义参数后,会为它指定一个名称,并且可选择为其提供一个值。When a parameter is defined, it's given a name and optionally given a value. 例如,可以为标题为“位置”的策略定义一个参数 。For example, you could define a parameter for a policy titled location. 然后,可在分配策略时赋予其不同的值,如“chinanorth2” 或“chinaeast2” 。Then you can give it different values such as chinanorth2 or chinaeast2 when assigning a policy.

有关策略参数的详细信息,请参阅定义结构 - 参数For more information about policy parameters, see Definition structure - Parameters.

计划定义Initiative definition

计划定义是策略定义的集合,是为实现单一的总体目标量身定制的。An initiative definition is a collection of policy definitions that are tailored towards achieving a singular overarching goal. 计划定义可以简化管理和分配策略定义。Initiative definitions simplify managing and assigning policy definitions. 它们通过将一组策略组合为一个单独的项来实现简化。They simplify by grouping a set of policies as one single item. 例如,可以创建一个标题为“启用 Azure 安全中心中的监视” 的计划,用于专门监视 Azure 安全中心中的所有可用的安全建议。For example, you could create an initiative titled Enable Monitoring in Azure Security Center, with a goal to monitor all the available security recommendations in your Azure Security Center.


Azure CLI 和 Azure PowerShell 等 SDK 使用名为 PolicySet 的属性和参数来引用计划 。The SDK, such as Azure CLI and Azure PowerShell, use properties and parameters named PolicySet to refer to initiatives.

在此计划中,将具有特定策略定义,例如:Under this initiative, you would have policy definitions such as:

  • 监视安全中心中未加密的 SQL 数据库 – 用于监视未加密的 SQL 数据库和服务器。Monitor unencrypted SQL Database in Security Center – For monitoring unencrypted SQL databases and servers.
  • 监视安全中心中的操作系统漏洞 - 用于监视不满足配置基线的服务器。Monitor OS vulnerabilities in Security Center – For monitoring servers that don't satisfy the configured baseline.
  • 监视安全中心中缺失的终结点保护 – 用于监视不具备已安装终结点保护代理的服务器。Monitor missing Endpoint Protection in Security Center – For monitoring servers without an installed endpoint protection agent.

计划分配Initiative assignment

类似于策略分配,计划分配是分配给特定作用域的计划定义。Like a policy assignment, an initiative assignment is an initiative definition assigned to a specific scope. 计划分配将减少为每个作用域生成多个计划定义的需要。Initiative assignments reduce the need to make several initiative definitions for each scope. 另外,此范围也是从管理组到资源组。This scope could also range from a management group to a resource group.

每个计划都可以分配给不同的作用域。Each initiative is assignable to different scopes. 可以将一个计划分配给 subscriptionA 和 subscriptionB 。One initiative can be assigned to both subscriptionA and subscriptionB.

计划参数Initiative parameters

类似于策略参数,计划参数通过减少冗余来帮助简化计划管理。Like policy parameters, initiative parameters help simplify initiative management by reducing redundancy. 计划参数是计划内的策略定义正在使用的参数。Initiative parameters are parameters being used by the policy definitions within the initiative.

例如,在实施某个方案时,有一个计划定义 initiativeC,此外还有策略定义 policyApolicyB,每个都会使用不同类型的参数:For example, take a scenario where you have an initiative definition - initiativeC, with policy definitions policyA and policyB each expecting a different type of parameter:

策略Policy 参数的名称Name of parameter 参数的类型Type of parameter 注意Note
policyApolicyA allowedLocationsallowedLocations arrayarray 此参数要求将值设置为字符串列表,因为参数类型已定义为数组This parameter expects a list of strings for a value since the parameter type has been defined as an array
policyBpolicyB allowedSingleLocationallowedSingleLocation stringstring 此参数要求将值设置为一个字词,因为参数类型已定义为字符串This parameter expects one word for a value since the parameter type has been defined as a string

在此情况下,定义 initiativeC 的计划参数时,有三个选项可供选择:In this scenario, when defining the initiative parameters for initiativeC, you have three options:

  • 使用此计划中的策略定义参数:在此示例中,allowedLocationsallowedSingleLocation 成为 initiativeC 的计划参数。Use the parameters of the policy definitions within this initiative: In this example, allowedLocations and allowedSingleLocation become initiative parameters for initiativeC.
  • 向此计划定义中策略定义的参数提供值。Provide values to the parameters of the policy definitions within this initiative definition. 在此示例中,可以向 policyA 的参数 – allowedLocations 和 policyB 的参数 – allowedSingleLocation 提供位置列表。In this example, you can provide a list of locations to policyA's parameter – allowedLocations and policyB's parameter – allowedSingleLocation. 此外,也可在分配此计划时提供值。You can also provide values when assigning this initiative.
  • 分配此计划时,提供可供使用的值 列表选项。Provide a list of value options that can be used when assigning this initiative. 在分配此计划时,从计划内的策略定义继承的参数只能具有此提供列表中的值。When you assign this initiative, the inherited parameters from the policy definitions within the initiative, can only have values from this provided list.

在计划定义中创建值选项时,无法在计划分配期间输入其他值,因为它不属于列表。When creating value options in an initiative definition, you're unable to input a different value during the initiative assignment because it's not part of the list.

Azure Policy 对象的最大计数Maximum count of Azure Policy objects

Azure Policy 的每个对象类型都有一个最大计数。There's a maximum count for each object type for Azure Policy. _作用域_条目是指订阅或管理组An entry of Scope means either the subscription or the management group.

WhereWhere 对象What 最大计数Maximum count
作用域Scope 策略定义Policy definitions 500500
作用域Scope 计划定义Initiative definitions 100100
租户Tenant 计划定义Initiative definitions 1,0001,000
作用域Scope 策略或计划分配Policy or initiative assignments 100100
策略定义Policy definition parametersParameters 20 个20
计划定义Initiative definition 策略Policies 100100
计划定义Initiative definition parametersParameters 100100
策略或计划分配Policy or initiative assignments 排除项(不在范围内的项)Exclusions (notScopes) 400400
策略规则Policy rule 嵌套式条件语句Nested conditionals 512512

管理策略的建议Recommendations for managing policies

请记住以下几个要点和提示:Here are a few pointers and tips to keep in mind:

  • 从审核效果(而不是拒绝效果)开始,以跟踪策略定义对环境中资源的影响。Start with an audit effect instead of a deny effect to track impact of your policy definition on the resources in your environment. 如果有用于自动缩放应用程序的脚本,那么设置拒绝效果可能会影响此类已经执行的自动化任务。If you have scripts already in place to autoscale your applications, setting a deny effect may hinder such automation tasks already in place.

  • 请在创建定义和分配时考虑组织的层次结构。Consider organizational hierarchies when creating definitions and assignments. 我们建议在更高级别创建定义,例如管理组或订阅级别。We recommend creating definitions at higher levels such as the management group or subscription level. 然后,在下一子级别创建分配。Then, create the assignment at the next child level. 如果在管理组中创建定义,则可以将分配范围缩小到该管理组中的订阅或资源组。If you create a definition at a management group, the assignment can be scoped down to a subscription or resource group within that management group.

  • 我们建议创建并分配计划定义,即使对于单个策略定义,也是如此。We recommend creating and assigning initiative definitions even for a single policy definition. 例如,你有策略定义 policyDefA 并在计划定义 initiativeDefC 下创建它 。For example, you have policy definition policyDefA and create it under initiative definition initiativeDefC. 如果稍后为 policyDefB 创建另一个策略定义,其目标类似于 policyDefA,则可以在 initiativeDefC 下添加它并一起跟踪它们 。If you create another policy definition later for policyDefB with goals similar to policyDefA, you can add it under initiativeDefC and track them together.

  • 创建计划分配后,添加到该计划中的策略定义也将成为该计划分配的一部分。Once you've created an initiative assignment, policy definitions added to the initiative also become part of that initiatives assignments.

  • 评估计划分配后,还会评估计划内的所有策略。When an initiative assignment is evaluated, all policies within the initiative are also evaluated. 如果需要单独评估某个策略,最好不要将其包含在计划中。If you need to evaluate a policy individually, it's better to not include it in an initiative.

后续步骤Next steps

大致了解 Azure Policy 和一些关键概念后,建议执行后续步骤:Now that you have an overview of Azure Policy and some of the key concepts, here are the suggested next steps: