How can you remediate non-compliant resources with Azure Policy?

Experience Level: Senior
Tags: Azure Cloud, Azure Policy

Answer

Resources that are non-compliant with a deployIfNotExists or modify policy can be put into a compliant state through remediation. Remediation is accomplished by instructing Azure Policy to run the deployIfNotExists effect or the modify operations of the assigned policy on your existing resources and subscriptions, whether that assignment is to a management group, a subscription, a resource group, or an individual resource. Policies with audit, auditIfNotExists or deny effects have nothing to remediate; non-compliance under those effects is fixed by changing the resource itself.

When Azure Policy runs the template in a deployIfNotExists policy definition, or the operations in a modify definition, it does so using a managed identity. Azure Policy creates a system-assigned managed identity for each such assignment (a user-assigned identity can be supplied instead), but must be told which roles to grant it: these are the roleDefinitionIds declared in the definition's details block. If the managed identity lacks those roles, an error is displayed when the policy or initiative is assigned. When using the portal, Azure Policy automatically grants the managed identity the listed roles once assignment starts. When assigning through the SDK, CLI or PowerShell, the roles must be granted to the managed identity manually. Because the identity holds these roles at the assignment scope, review them before assigning; some built-in definitions declare broad roles such as Contributor. The location of the managed identity doesn't affect its operation with Azure Policy.

During evaluation, the policy assignment with deployIfNotExists or modify effects determines if there are non-compliant resources or subscriptions. When non-compliant resources or subscriptions are found, the details are provided on the Remediation page. Along with the list of policies that have non-compliant resources or subscriptions is the option to trigger a remediation task. This option is what creates a deployment from the deployIfNotExists template or the modify operations.

To create a remediation task, follow these steps:

1. Launch the Azure Policy service in the Azure portal by selecting All services, then searching for and selecting Policy.
2. Select Remediation on the left side of the Azure Policy page.
3. All deployIfNotExists and modify policy assignments with non-compliant resources are listed on the Policies to remediate tab and data table. Select a policy with non-compliant resources. The New remediation task page opens.
4. On the New remediation task page, filter the resources to remediate by using the Scope ellipses to pick child resources from where the policy is assigned (including down to individual resource objects). Additionally, use the Locations dropdown list to further filter the resources. Only resources listed in the table will be remediated.
5. Once the resources have been filtered, begin the remediation task by selecting Remediate. The policy compliance page opens on the Remediation tasks tab to show the state of the task's progress. Deployments created by the remediation task begin right away.
6. Select the remediation task from the policy compliance page to get details about its progress. The filtering used for the task is shown along with a list of the resources being remediated.

From the Remediation task page, select and hold (or right-click) a resource to view either the remediation task's deployment or the resource. At the end of the row, select Related events to see details such as an error message.
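The same procedure from PowerShell, as an added example that is not part of the original answer: it resolves the assignment's managed identity, grants it exactly the roles the policy definition declares (the step the portal does for you but the SDK and CLI do not), starts a location-filtered remediation task, polls it, and surfaces the per-resource error messages the portal shows under Related events. It assumes an authenticated session (Connect-AzAccount) with the Az.Resources and Az.PolicyInsights modules installed; the scope, assignment name and locations are placeholders, and the property-name fallback exists because Az.Resources 7.x flattened the policy cmdlet output that older versions nested.

```powershell
# Added example (not from the original page): remediate a deployIfNotExists/modify
# assignment with the Az PowerShell modules instead of the portal. Assumes an
# authenticated session (Connect-AzAccount) with Az.Resources and Az.PolicyInsights.
# Scope, assignment name and locations below are placeholders.
param(
    [string]$Scope          = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example',
    [string]$AssignmentName = 'deploy-diag-settings',
    [string[]]$Locations    = @('westeurope', 'northeurope')
)

# Az.Resources 7.x flattened the policy cmdlet output (IdentityPrincipalId, PolicyDefinitionId,
# PolicyRule) where older versions nested it (Identity.PrincipalId, Properties.*); tolerate both.
function Get-FlatOrNested($Object, [string]$Flat, [string[]]$NestedPath) {
    if ($Object.PSObject.Properties[$Flat]) { return $Object.$Flat }
    $value = $Object
    foreach ($segment in $NestedPath) { $value = $value.$segment }
    return $value
}

$assignmentId = "$Scope/providers/Microsoft.Authorization/policyAssignments/$AssignmentName"
$assignment   = Get-AzPolicyAssignment -Name $AssignmentName -Scope $Scope
$principalId  = Get-FlatOrNested $assignment 'IdentityPrincipalId' @('Identity', 'PrincipalId')
$definitionId = Get-FlatOrNested $assignment 'PolicyDefinitionId' @('Properties', 'PolicyDefinitionId')
if (-not $principalId) {
    throw "Assignment '$AssignmentName' has no managed identity; remediation cannot deploy anything."
}

# Outside the portal the identity gets nothing automatically. Grant exactly the
# roleDefinitionIds the definition declares under then.details, at the assignment
# scope, and nothing broader.
$definition    = Get-AzPolicyDefinition -Id $definitionId
$rule          = Get-FlatOrNested $definition 'PolicyRule' @('Properties', 'PolicyRule')
$requiredRoles = @($rule.then.details.roleDefinitionIds | ForEach-Object { ($_ -split '/')[-1] })
if ($requiredRoles.Count -eq 0) {
    throw "Definition $definitionId declares no roleDefinitionIds; is its effect deployIfNotExists or modify?"
}

# Get-AzRoleAssignment at a scope also returns assignments inherited from parent scopes.
$existingRoles = @(Get-AzRoleAssignment -ObjectId $principalId -Scope $Scope | ForEach-Object { $_.RoleDefinitionId })
foreach ($roleId in $requiredRoles) {
    if ($existingRoles -contains $roleId) { continue }
    # A freshly created identity may not be visible to RBAC yet (PrincipalNotFound); retry briefly.
    for ($attempt = 1; $attempt -le 5; $attempt++) {
        try {
            New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionId $roleId -Scope $Scope -ErrorAction Stop | Out-Null
            break
        } catch {
            if ($attempt -eq 5) { throw }
            Start-Sleep -Seconds (10 * $attempt)
        }
    }
}

# ExistingNonCompliant (the default) acts only on resources already recorded as non-compliant;
# ReEvaluateCompliance re-checks the scope first at the cost of a slower run. An initiative
# assignment would additionally need -PolicyDefinitionReferenceId to pick one member definition.
$taskName = "rem-$AssignmentName-$(Get-Date -Format 'yyyyMMddHHmmss')"
Start-AzPolicyRemediation -Name $taskName -Scope $Scope -PolicyAssignmentId $assignmentId `
    -LocationFilter $Locations -ResourceDiscoveryMode ExistingNonCompliant | Out-Null

do {
    Start-Sleep -Seconds 30
    $task = Get-AzPolicyRemediation -Name $taskName -Scope $Scope -IncludeDetail
    Write-Host ("{0}: {1}/{2} deployments succeeded, {3} failed" -f $task.ProvisioningState,
        $task.DeploymentStatus.SuccessfulDeployments, $task.DeploymentStatus.TotalDeployments,
        $task.DeploymentStatus.FailedDeployments)
} while ($task.ProvisioningState -in @('Accepted', 'Evaluating', 'Running'))

# Surface the per-resource error message the portal shows under "Related events".
$task.Deployments | Where-Object { $_.Status -ne 'Succeeded' } | ForEach-Object {
    Write-Warning ("{0}: {1} {2}" -f $_.RemediatedResourceId, $_.Status, $_.Error.Message)
}
```

The role-grant loop is the part worth keeping even if you otherwise use the portal: it derives the grants from the definition rather than from a habit of assigning Contributor, so the assignment's identity ends up with the least privilege the remediation actually needs at the scope where it runs.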
