Tutorial: Create and manage policies to enforce compliance

Understanding how to create and manage policies in Azure is important for staying compliant with your corporate standards and service level agreements. In this tutorial, you learn to use Azure Policy to do some of the more common tasks related to creating, assigning, and managing policies across your organization, such as:

  • Assign a policy to enforce a condition for resources you create in the future
  • Create and assign an initiative definition to track compliance for multiple resources
  • Resolve a non-compliant or denied resource
  • Implement a new policy across an organization

If you would like to assign a policy to identify the current compliance state of your existing resources, the quickstart articles go over how to do so.

Prerequisites

If you don't have an Azure subscription, create a trial account before you begin.

Assign a policy

The first step in enforcing compliance with Azure Policy is to assign a policy definition. A policy definition defines under what condition a policy is enforced and what effect to take. In this example, assign a built-in policy definition, called Require SQL Server version 12.0, to enforce the condition that all SQL Server databases must be v12.0 to be compliant.

  1. Go to the Azure portal to assign policies. Search for and select Policy.

  2. Select Assignments on the left side of the Azure Policy page. An assignment is a policy that has been assigned to take place within a specific scope.

  3. Select Assign Policy from the top of the Policy - Assignments page.

  4. On the Assign Policy page and Basics tab, select the Scope by selecting the ellipsis and selecting either a management group or subscription. Optionally, select a resource group. A scope determines what resources or grouping of resources the policy assignment gets enforced on. Then select Select at the bottom of the Scope page.

    This example uses the Contoso subscription. Your subscription will differ.

  5. Resources can be excluded based on the Scope. Exclusions start at one level lower than the level of the Scope. Exclusions are optional, so leave it blank for now.

  6. Select the Policy definition ellipsis to open the list of available definitions. You can filter the policy definition Type to Built-in to view all and read their descriptions.

  7. Select Add or replace a tag on resources. If you can't find it right away, type add or replace into the search box and then press ENTER or select out of the search box. Select Select at the bottom of the Available Definitions page once you have found and selected the policy definition.

  8. The Assignment name is automatically populated with the policy name you selected, but you can change it. For this example, leave Add or replace a tag on resources. You can also add an optional Description. The description provides details about this policy assignment.

  9. Leave Policy enforcement as Enabled. When Disabled, this setting allows testing the outcome of the policy without triggering the effect. For more information, see enforcement mode.

  10. Assigned by is automatically filled based on who is logged in. This field is optional, so custom values can be entered.

  11. Select the Parameters tab at the top of the wizard.

  12. For Tag Name, enter Environment and for Tag Value enter Dev.

  13. Select the Remediation tab at the top of the wizard.

  14. Leave Create a remediation task unchecked. This box allows you to create a task to alter existing resources in addition to new or updated resources. For more information, see remediate resources.

  15. Create a Managed Identity is automatically checked since this policy definition uses the modify effect. Permissions is set to Contributor automatically based on the policy definition. For more information, see managed identities and how remediation security works.

  16. Select the Review + create tab at the top of the wizard.

  17. Review your selections, then select Create at the bottom of the page.

Implement a new custom policy

Now that you've assigned a built-in policy definition, you can do more with Azure Policy. Next, create a new custom policy to save costs by validating that VMs created in your environment can't be in the G series. This way, every time a user in your organization tries to create a VM in the G series, the request is denied.

  1. Select Definitions under Authoring in the left side of the Azure Policy page.

  2. Select + Policy definition at the top of the page. This button opens the Policy definition page.

  3. Enter the following information:

    • The management group or subscription in which the policy definition is saved. Select by using the ellipsis on Definition location.

      Note

      If you plan to apply this policy definition to multiple subscriptions, the location must be a management group that contains the subscriptions you assign the policy to. The same is true for an initiative definition.

    • The name of the policy definition - Require VM SKUs smaller than the G series

    • The description of what the policy definition is intended to do - This policy definition enforces that all VMs created in this scope have SKUs smaller than the G series to reduce cost.

    • Choose from existing options (such as Compute), or create a new category for this policy definition.

    • Copy the following JSON code and then update it for your needs with:

      • The policy parameters.
      • The policy rules/conditions, in this case - VM SKU size equal to G series
      • The policy effect, in this case - Deny.

    Here's what the JSON should look like. Paste your revised code into the Azure portal.

    {
        "policyRule": {
            "if": {
                "allOf": [{
                        "field": "type",
                        "equals": "Microsoft.Compute/virtualMachines"
                    },
                    {
                        "field": "Microsoft.Compute/virtualMachines/sku.name",
                        "like": "Standard_G*"
                    }
                ]
            },
            "then": {
                "effect": "deny"
            }
        }
    }
    

    The field property in the policy rule must be a supported value. A full list of values is found on policy definition structure fields. An example of an alias might be "Microsoft.Compute/VirtualMachines/Size".

    To view more Azure Policy samples, see Azure Policy samples.

  4. Select Save.

Create a policy definition with REST API

You can create a policy with the REST API for Azure Policy Definitions. The REST API enables you to create and delete policy definitions, and get information about existing definitions. To create a policy definition, use the following example:

PUT https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.authorization/policydefinitions/{policyDefinitionName}?api-version={api-version}

Include a request body similar to the following example:

{
    "properties": {
        "parameters": {
            "allowedLocations": {
                "type": "array",
                "metadata": {
                    "description": "The list of locations that can be specified when deploying resources",
                    "strongType": "location",
                    "displayName": "Allowed locations"
                }
            }
        },
        "displayName": "Allowed locations",
        "description": "This policy enables you to restrict the locations your organization can specify when deploying resources.",
        "policyRule": {
            "if": {
                "not": {
                    "field": "location",
                    "in": "[parameters('allowedLocations')]"
                }
            },
            "then": {
                "effect": "deny"
            }
        }
    }
}

Create a policy definition with PowerShell

Before proceeding with the PowerShell example, make sure you've installed the latest version of the Azure PowerShell Az module.

You can create a policy definition using the New-AzPolicyDefinition cmdlet.

To create a policy definition from a file, pass the path to the file. For an external file, use the following example:

$definition = New-AzPolicyDefinition `
    -Name 'denyCoolTiering' `
    -DisplayName 'Deny cool access tiering for storage' `
    -Policy 'https://raw.githubusercontent.com/Azure/azure-policy-samples/master/samples/Storage/storage-account-access-tier/azurepolicy.rules.json'

For a local file, use the following example:

$definition = New-AzPolicyDefinition `
    -Name 'denyCoolTiering' `
    -Description 'Deny cool access tiering for storage' `
    -Policy 'c:\policies\coolAccessTier.json'

To create a policy definition with an inline rule, use the following example:

$definition = New-AzPolicyDefinition -Name 'denyCoolTiering' -Description 'Deny cool access tiering for storage' -Policy '{
    "if": {
        "allOf": [{
                "field": "type",
                "equals": "Microsoft.Storage/storageAccounts"
            },
            {
                "field": "kind",
                "equals": "BlobStorage"
            },
            {
                "field": "Microsoft.Storage/storageAccounts/accessTier",
                "equals": "cool"
            }
        ]
    },
    "then": {
        "effect": "deny"
    }
}'

The output is stored in a $definition object, which is used during policy assignment. The following example creates a policy definition that includes parameters:

$policy = '{
    "if": {
        "allOf": [{
                "field": "type",
                "equals": "Microsoft.Storage/storageAccounts"
            },
            {
                "not": {
                    "field": "location",
                    "in": "[parameters(''allowedLocations'')]"
                }
            }
        ]
    },
    "then": {
        "effect": "Deny"
    }
}'

$parameters = '{
    "allowedLocations": {
        "type": "array",
        "metadata": {
            "description": "The list of locations that can be specified when deploying storage accounts.",
            "strongType": "location",
            "displayName": "Allowed locations"
        }
    }
}'

$definition = New-AzPolicyDefinition -Name 'storageLocations' -Description 'Policy to specify locations for storage accounts.' -Policy $policy -Parameter $parameters
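Before a definition like the ones above is assigned to a real scope, it helps to see exactly which requests its policyRule would deny. The following Python helper is an added example, not part of the tutorial, Azure Policy or the Az tooling: it evaluates the G-series rule and the parameterised allowedLocations rule from this page offline against constructed resource records; the evaluator, the resource dicts and the parameter values are hypothetical constructions, and only the operators used on this page (allOf, anyOf, not, equals, like, in) are supported.

```python
"""Offline evaluator for the policyRule language shown in this tutorial.

Hypothetical helper (not Azure Policy or Az code): applies a policyRule to a
resource described as a flat dict keyed by field alias, so a rule can be
unit-tested before it is assigned. Supports allOf, anyOf, not, equals, like, in.
"""
import fnmatch
import json
import re

PARAM_REF = re.compile(r"\[parameters\('([^']+)'\)\]")


def resolve(value, parameters):
    """Expand a "[parameters('name')]" reference; other values pass through."""
    if isinstance(value, str):
        match = PARAM_REF.fullmatch(value)
        if match:
            return parameters[match.group(1)]
    return value


def condition_holds(cond, resource, parameters):
    """Recursively evaluate one condition block against the resource."""
    if "allOf" in cond:
        return all(condition_holds(c, resource, parameters) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_holds(c, resource, parameters) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_holds(cond["not"], resource, parameters)
    field_value = resource.get(cond["field"])
    if field_value is None:
        return False  # a missing field never satisfies a positive operator here
    actual = str(field_value).lower()  # Azure Policy string matches are case-insensitive
    if "equals" in cond:
        return actual == str(resolve(cond["equals"], parameters)).lower()
    if "like" in cond:
        # Azure Policy 'like' allows a single '*' wildcard; fnmatch is a superset of that.
        return fnmatch.fnmatchcase(actual, cond["like"].lower())
    if "in" in cond:
        return actual in {str(v).lower() for v in resolve(cond["in"], parameters)}
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy_rule, resource, parameters=None):
    """Return the rule's effect (lower-cased) when its 'if' matches, else None."""
    if condition_holds(policy_rule["if"], resource, parameters or {}):
        return policy_rule["then"]["effect"].lower()
    return None


# The two rules from this page, reformatted but otherwise unchanged.
G_SERIES_RULE = json.loads("""{
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
        {"field": "Microsoft.Compute/virtualMachines/sku.name", "like": "Standard_G*"}
    ]},
    "then": {"effect": "deny"}
}""")

LOCATION_RULE = json.loads("""{
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"not": {"field": "location", "in": "[parameters('allowedLocations')]"}}
    ]},
    "then": {"effect": "Deny"}
}""")

# Constructed sample resources and parameter values (not from a real subscription).
VM_G5 = {"type": "Microsoft.Compute/virtualMachines",
         "Microsoft.Compute/virtualMachines/sku.name": "Standard_G5",
         "location": "chinaeast2"}
VM_D2 = dict(VM_G5, **{"Microsoft.Compute/virtualMachines/sku.name": "Standard_D2s_v3"})
VM_WESTUS = dict(VM_D2, location="westus")
STORAGE_CE2 = {"type": "Microsoft.Storage/storageAccounts", "location": "chinaeast2"}
STORAGE_WESTUS = dict(STORAGE_CE2, location="westus")
ALLOWED = {"allowedLocations": ["chinaeast2", "chinanorth2"]}


def run_checks():
    """Evaluate each sample; the result shows which requests the rules would deny."""
    return {
        "vm_g5": evaluate(G_SERIES_RULE, VM_G5),                             # 'deny'
        "vm_d2": evaluate(G_SERIES_RULE, VM_D2),                             # None
        "storage_westus": evaluate(LOCATION_RULE, STORAGE_WESTUS, ALLOWED),  # 'deny'
        "storage_ce2": evaluate(LOCATION_RULE, STORAGE_CE2, ALLOWED),        # None
        # The location rule targets only storage accounts, so a VM outside the
        # allowed regions passes it; covering VMs needs its own rule.
        "vm_westus": evaluate(LOCATION_RULE, VM_WESTUS, ALLOWED),            # None
    }
```

Running `run_checks()` makes the scoping visible: the allowedLocations rule as written on this page only denies storage accounts, which is the kind of gap worth noticing before the definition goes into an initiative.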

View policy definitions with PowerShell

To see all policy definitions in your subscription, use the following command:

Get-AzPolicyDefinition

It returns all available policy definitions, including built-in policies. Each policy is returned in the following format:

Name               : e56962a6-4747-49cd-b67b-bf8b01975c4c
ResourceId         : /providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c
ResourceName       : e56962a6-4747-49cd-b67b-bf8b01975c4c
ResourceType       : Microsoft.Authorization/policyDefinitions
Properties         : @{displayName=Allowed locations; policyType=BuiltIn; description=This policy enables you to
                     restrict the locations your organization can specify when deploying resources. Use to enforce
                     your geo-compliance requirements.; parameters=; policyRule=}
PolicyDefinitionId : /providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c

Create a policy definition with Azure CLI

You can create a policy definition using Azure CLI with the az policy definition command. To create a policy definition with an inline rule, use the following example:

az policy definition create --name 'denyCoolTiering' --description 'Deny cool access tiering for storage' --rules '{
    "if": {
        "allOf": [{
                "field": "type",
                "equals": "Microsoft.Storage/storageAccounts"
            },
            {
                "field": "kind",
                "equals": "BlobStorage"
            },
            {
                "field": "Microsoft.Storage/storageAccounts/accessTier",
                "equals": "cool"
            }
        ]
    },
    "then": {
        "effect": "deny"
    }
}'

View policy definitions with Azure CLI

To see all policy definitions in your subscription, use the following command:

az policy definition list

It returns all available policy definitions, including built-in policies. Each policy is returned in the following format:

{
    "description": "This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements.",
    "displayName": "Allowed locations",
    "id": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c",
    "name": "e56962a6-4747-49cd-b67b-bf8b01975c4c",
    "policyRule": {
        "if": {
            "not": {
                "field": "location",
                "in": "[parameters('listOfAllowedLocations')]"
            }
        },
        "then": {
            "effect": "Deny"
        }
    },
    "policyType": "BuiltIn"
}

Create and assign an initiative definition

With an initiative definition, you can group several policy definitions to achieve one overarching goal. An initiative evaluates resources within scope of the assignment for compliance to the included policies. For more information about initiative definitions, see Azure Policy overview.

Create an initiative definition

  1. Select Definitions under Authoring in the left side of the Azure Policy page.

  2. Select + Initiative Definition at the top of the page to open the Initiative definition page.

  3. Use the Definition location ellipsis to select a management group or subscription to store the definition. If the previous page was scoped to a single management group or subscription, Definition location is automatically populated. Once selected, Available Definitions is populated.

  4. Enter the Name and Description of the initiative.

    This example validates that resources are in compliance with policy definitions about getting secure. Name the initiative Get Secure and set the description as: This initiative has been created to handle all policy definitions associated with securing resources.

  5. For Category, choose from existing options or create a new category.

  6. Browse through the list of Available Definitions (right half of the Initiative definition page) and select the policy definition(s) you would like to add to this initiative. For the Get Secure initiative, add the following built-in policy definitions by selecting the + next to the policy definition information or selecting a policy definition row and then the + Add option in the details page:

    • Allowed locations
    • Monitor missing Endpoint Protection in Azure Security Center
    • Network Security Group Rules for Internet facing virtual machines should be hardened
    • Azure Backup should be enabled for Virtual Machines
    • Disk encryption should be applied on virtual machines

    After selecting the policy definitions from the list, each is added below Category.

  7. If a policy definition being added to the initiative has parameters, they're shown under the policy name in the area under Category. The value can be set to either 'Set value' (hard coded for all assignments of this initiative) or 'Use Initiative Parameter' (set during each initiative assignment). If 'Set value' is selected, the drop-down to the right of Value(s) allows entering or selecting the value(s). If 'Use Initiative Parameter' is selected, a new Initiative parameters section is displayed allowing you to define the parameter that is set during initiative assignment. The allowed values on this initiative parameter can further restrict what may be set during initiative assignment.

    Note

    In the case of some strongType parameters, the list of values cannot be automatically determined. In these cases, an ellipsis appears to the right of the parameter row. Selecting it opens the 'Parameter scope (<parameter name>)' page. On this page, select the subscription to use for providing the value options. This parameter scope is only used during creation of the initiative definition and has no impact on policy evaluation or the scope of the initiative when assigned.

    Set the 'Allowed locations' parameter to 'China East 2' and leave the others as the default 'AuditIfNotExists'.

  8. Select Save.

Create a policy initiative definition with Azure CLI

You can create a policy initiative definition using Azure CLI with the az policy set-definition command. To create a policy initiative definition with an existing policy definition, use the following example:

az policy set-definition create -n readOnlyStorage --definitions '[
        {
            "policyDefinitionId": "/subscriptions/mySubId/providers/Microsoft.Authorization/policyDefinitions/storagePolicy",
            "parameters": { "storageSku": { "value": "[parameters(\"requiredSku\")]" } }
        }
    ]' \
    --params '{ "requiredSku": { "type": "String" } }'

Create a policy initiative definition with Azure PowerShell

You can create a policy initiative definition using Azure PowerShell with the New-AzPolicySetDefinition cmdlet. To create a policy initiative definition with an existing policy definition, use the following policy initiative definition file as VMPolicySet.json:

[
    {
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2a0e14a6-b0a6-4fab-991a-187a4f81c498",
        "parameters": {
            "tagName": {
                "value": "Business Unit"
            },
            "tagValue": {
                "value": "Finance"
            }
        }
    },
    {
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf"
    }
]

New-AzPolicySetDefinition -Name 'VMPolicySetDefinition' -Metadata '{"category":"Virtual Machine"}' -PolicyDefinition C:\VMPolicySet.json

Assign an initiative definition

  1. Select Definitions under Authoring in the left side of the Azure Policy page.

  2. Locate the Get Secure initiative definition you previously created and select it. Select Assign at the top of the page to open the Get Secure: Assign initiative page.

    You can also right-click on the selected row or select the ellipsis at the end of the row for a contextual menu. Then select Assign.

  3. Fill out the Get Secure: Assign Initiative page by entering the following example information. You can use your own information.

    • Scope: The management group or subscription you saved the initiative to becomes the default. You can change scope to assign the initiative to a subscription or resource group within the save location.
    • Exclusions: Configure any resources within the scope to prevent the initiative assignment from being applied to them.
    • Initiative definition and Assignment name: Get Secure (pre-populated as the name of the initiative being assigned).
    • Description: This initiative assignment is tailored to enforce this group of policy definitions.
    • Policy enforcement: Leave as the default Enabled.
    • Assigned by: Automatically filled based on who is logged in. This field is optional, so custom values can be entered.
  4. Select the Parameters tab at the top of the wizard. If you configured an initiative parameter in previous steps, set a value here.

  5. Select the Remediation tab at the top of the wizard. Leave Create a Managed Identity unchecked. This box must be checked when the policy or initiative being assigned includes a policy with the deployIfNotExists or modify effects. As the policy used for this tutorial doesn't, leave it blank. For more information, see managed identities and how remediation security works.

  6. Select the Review + create tab at the top of the wizard.

  7. Review your selections, then select Create at the bottom of the page.

Check initial compliance

  1. Select Compliance in the left side of the Azure Policy page.

  2. Locate the Get Secure initiative. It's likely still in a Compliance state of Not started. Select the initiative to get full details on the progress of the assignment.

  3. Once the initiative assignment has been completed, the compliance page is updated with the Compliance state of Compliant.

  4. Selecting any policy on the initiative compliance page opens the compliance details page for that policy. This page provides details at the resource level for compliance.

Exempt a non-compliant or denied resource using Exclusion

After assigning a policy initiative to require a specific location, any resource created in a different location is denied. In this section, you walk through resolving a denied request to create a resource by creating an exclusion on a single resource group. The exclusion prevents enforcement of the policy (or initiative) on that resource group. In the following example, any location is allowed in the excluded resource group. An exclusion can apply to a subscription, a resource group, or an individual resource.

Deployments prevented by an assigned policy or initiative can be viewed on the resource group targeted by the deployment: Select Deployments in the left side of the page, then select the Deployment Name of the failed deployment. The resource that was denied is listed with a status of Forbidden. To determine the policy or initiative and assignment that denied the resource, select Failed. Click here for details -> on the Deployment Overview page. A window opens on the right side of the page with the error information. Under Error Details are the GUIDs of the related policy objects.

On the Azure Policy page: Select Compliance in the left side of the page and select the Get Secure policy initiative. On this page, there is an increase in the Deny count for blocked resources. Under the Events tab are details about who tried to create or deploy the resource that was denied by the policy definition.

In this example, Trent Baker, one of Contoso's Sr. Virtualization specialists, was doing required work. We need to grant Trent a space for an exception. Create a new resource group named LocationsExcluded, and then grant it an exception to this policy assignment.

Update assignment with exclusion

  1. Select Assignments under Authoring in the left side of the Azure Policy page.

  2. Browse through all policy assignments and open the Get Secure policy assignment.

  3. Set the Exclusion by selecting the ellipsis and selecting the resource group to exclude, LocationsExcluded in this example. Select Add to Selected Scope and then select Save.

    Note

    Depending on the policy definition and its effect, the exclusion could also be granted to specific resources within a resource group inside the scope of the assignment. As a Deny effect was used in this tutorial, it wouldn't make sense to set the exclusion on a specific resource that already exists.

  4. Select Review + save and then select Save.

In this section, you resolved the denied request by creating an exclusion on a single resource group.

Clean up resources

If you're done working with resources from this tutorial, use the following steps to delete any of the policy assignments or definitions created above:

  1. Select Definitions (or Assignments if you're trying to delete an assignment) under Authoring in the left side of the Azure Policy page.

  2. Search for the new initiative or policy definition (or assignment) you want to remove.

  3. Right-click the row or select the ellipsis at the end of the definition (or assignment), and select Delete definition (or Delete assignment).

Review

In this tutorial, you successfully accomplished the following tasks:

  • Assigned a policy to enforce a condition for resources you create in the future
  • Created and assigned an initiative definition to track compliance for multiple resources
  • Resolved a non-compliant or denied resource
  • Implemented a new policy across an organization

Next steps

To learn more about the structures of policy definitions, look at this article: