Start Smart: Azure Policy for Your First Azure Setup

How Azure Policy adds guard-rails to a brand-new Azure subscription before sprawl sets in.

Let Azure Policy Run Point for Your First Azure Setup 🛡️

Spinning up a brand-new Azure subscription feels wonderfully clean: empty resource groups, a tidy virtual network, and costs still sitting at CHF 0. Then real life happens. A teammate launches a quick demo VM in East US, a test database never gets a backup, and the first invoice already looks unsettling.

Azure Policy brings order before the sprawl takes hold. With a small set of guard-rails you can keep every existing and future resource inside the boundaries you choose—no custom scripts, no frantic clean-up sessions.

A Quick Detour: What Azure Policy Is (and Isn't)

Think of Azure Policy as a tireless referee who knows the rules you write and enforces them in real time.
It doesn't block network traffic like a firewall, and it doesn't collect metrics like a monitoring tool.
Instead, it subjects every resource to a rapid-fire quiz:

"Are you in the approved region list?"
"Do you carry the mandatory cost-centre tag?"
"Have you enabled daily backup?"

If the answer is yes, Azure Policy waves the resource through.
If it's no, it can respond in three flavours:

  • Audit – log the offence so you'll see it on the compliance dashboard.
  • Deny – stop the deployment before it lands.
  • Modify/DeployIfNotExists – quietly fix the problem on the spot (for example, adding that missing tag, or deploying the backup that should have been there).

And every few hours, the engine loops back over everything you've already built, looking for drift you didn't even notice. It's governance that never sleeps—while you finally can.

Turning Red into Green—Your First Afternoon with Policy

Back in our small setup, the first experiment is as easy as opening the Built-in Policies gallery and selecting "Allowed locations". The second you click Assign, any non-Swiss resource turns the compliance dashboard bright red.
One click later you run Remediation and watch Azure fix the non-compliant resources it can handle on its own, or flag the ones that need human love.

You have not written a single line of code, yet the estate now has guard-rails.
Better still: you can print that dashboard, drop it in a slide deck, and show your boss concrete proof that the cloud is under control.

When Rules Meet Reality: The Power of Exemptions

Of course, real life loves edge cases. Say an old finance system only works on a deprecated VM SKU you just banned.
Deleting the policy would unravel your progress—but leaving the VM non-compliant clutters the dashboard.

The elegant middle path is an exemption: a tiny JSON object, scoped to that one resource, that grants it a temporary waiver until, for instance, December 31st. It records why the waiver exists and who owns the fix, and the rule re-applies automatically once the expiry date passes.

New Tricks from Build 2025

Microsoft keeps sharpening the tool. At Build 2025 they previewed user-scoped exemptions and caller-type rules. Soon you'll be able to let developers self-grant a short waiver for a proof of concept without opening the flood-gates for every resource.

Even better, SSH Posture Control has just hit General Availability. Two built-in policies can now audit—and, if you choose, harden—every Linux VM's sshd configuration, including machines connected via Azure Arc. In practice that means password authentication can be banned and key-based login enforced across the fleet in minutes.

Living with Policy Day to Day

Once you've tasted always-on compliance, it's hard to go back. Each new tag you mandate or backup you enforce becomes another layer of quiet protection. Policy generates a steady rhythm:

  • Deploy a rule in audit mode,
  • observe what would break,
  • flip to deny once you're sure.

Because evaluations run continuously, any drift is caught early, long before it morphs into a costly incident.
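To make the rapid-fire quiz and the audit-then-deny rhythm tangible, here is an added example (not Azure's engine and not code from the original post): a small evaluator for a subset of the Azure Policy rule language, run against two constructed policyRule blocks, an allowed-locations rule and a mandatory cost-centre tag rule whose effect is a parameter. The parameter names, the sample resources and the operators supported (allOf, not, equals, in, exists) are assumptions.

```python
"""Added example (not Azure's engine): a subset evaluator for the Azure Policy
rule language, enough to run the post's "rapid-fire quiz" locally."""

# Constructed policyRule blocks in the shape Azure Policy definitions use.
ALLOWED_LOCATIONS = {
    "if": {"not": {"field": "location", "in": "[parameters('allowed')]"}},
    "then": {"effect": "deny"},
}
REQUIRE_COST_CENTRE_TAG = {  # effect is a parameter: audit first, deny later
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
        {"field": "tags['cost-centre']", "exists": "false"},
    ]},
    "then": {"effect": "[parameters('effect')]"},
}

def resolve(value, params):
    """Replace a "[parameters('name')]" reference with the assigned value."""
    if isinstance(value, str) and value.startswith("[parameters('"):
        return params[value[len("[parameters('"):-len("')]")]]
    return value

def field(resource, name):
    """Read a resource field; supports top-level keys and tags['key']."""
    if name.startswith("tags['"):
        return resource.get("tags", {}).get(name[6:-2])
    return resource.get(name)

def matches(cond, resource, params):
    """True when the condition block applies to the resource."""
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    if "not" in cond:
        return not matches(cond["not"], resource, params)
    value = field(resource, cond["field"])
    if "equals" in cond:
        return value == resolve(cond["equals"], params)
    if "in" in cond:
        return value in resolve(cond["in"], params)
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(policy, resource, params):
    """Return the effect the rule would apply ('deny', 'audit', ...) or 'compliant'."""
    if matches(policy["if"], resource, params):
        return resolve(policy["then"]["effect"], params).lower()
    return "compliant"
```

Running the same tag rule first with `{"effect": "Audit"}` and then with `{"effect": "Deny"}` is exactly the flip described above; only the assignment parameter changes, the definition stays put.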

The Take-Away

For a basic Azure setup, you don't need armies of scripts or expensive third-party tools to stay organised.
Start with Azure Policy's built-ins, let the dashboard guide your clean-up, and add exemptions instead of exceptions. As your environment grows, the same engine will scale with you—picking up new capabilities like SSH hardening and user-specific waivers along the way.

Cloud sprawl solved, invoices tamed, auditors impressed—all in the time it takes to drink a coffee.

About the Author

Zurisoft Team is a contributor to the ZüriSoft blog.