Inside Azure Management Sessions now on YouTube

I recently presented at the Inside Azure management event. This event was packed full of Microsoft MVP’s and community experts from around the world. The focus on the event was around Azure Management based topics with some Kubernetes, AI, and DevOps topics sprinkled in.

My session was “Azure Policy Insights & Multi-Tag demo via Azure Policy” Here is what it covered: “Azure Policy is a great tool when it comes to auditing and ensuring your cloud governance is met. In this session 9 time Microsoft Azure MVP Steve Buchanan is going to take you on a full-speed ride on the ins and outs of Azure Policy and land you with a recipe for handling a multi-tagging strategy with Azure Policy. Some of the key topics you will learn from this session include:

  • Overview of Azure Policy
  • Azure Policy Configuration best practices to meet compliance (NIST, PCI, ISO, HIPPA)
  • Securing Azure services: AKS / Networking / SQL / App Service
  • Azure Policy vs RBAC
  • Overview of Azure Policy Guest Configuration
  • Tagging and more

The event has passed and if you didn’t make it no worries! All of the sessions have been recorded and uploaded to the Inside Azure management YouTube channel to be watched at your leisure. Here is the link to the YouTube channel where you can watch all the sessions:

https://bit.ly/azurevideos

The event coordinators have also set up some Youtube playlists to make it easier to find videos on the topics that pertain to you. They broke these out in the following categories: Azure Management, Artificial Intelligence in Azure, Cloud Governance, Cybersecurity, and DevOps.

You can watch my session right here:

Also here is the direct link to the video of my session on YouTube: https://youtu.be/EfAiITcExK0

Thanks for checking out my session and others from this event. Stay tuned to my blog for info on where I will be speaking next!

Read more

Speaking at Inside Azure Management Summit

I was recently added to the speaker lineup for the “Inside  Azure Management Summit” happening on 7/23/2020. This event is a FREE 1-day virtual event. It features the Microsoft cloud experts from the authoring team of “Inside Azure Management” book, Microsoft MVP’s, and community experts from around the world.

Attendees will get a day full of deep-dive technical sessions across a variety of Microsoft cloud topics including:

  • DevOps and Automation
  • Cyber Security
  • Cloud Governance
  • Migration and Monitoring
  • Docker and Kubernetes
  • AI and Identity

The sessions will span a 13-hr period to allow audiences from around the world to join a portion of the event.

 I will be giving a session on Azure Policy. Here is my session info:

Session Title:

Azure Policy Insights & Multi-Tag demo via Azure Policy

 

Session Abstract:

Azure Policy is a great tool when it comes to auditing and ensuring your cloud governance is met. In this session 9 time Microsoft Azure MVP Steve Buchanan is going to take you on a full-speed ride on the ins and outs of Azure Policy and land you with a recipe for handling a multi-tagging strategy with Azure Policy. Some of the key topics you will learn from this session include:

  • Overview of Azure Policy
  • Azure Policy Use Cases
  • How Azure Policy can meet NIST standards
  • Azure Policy vs RBAC
  • Overview of Azure Policy Guest Configuration
  • Tagging and more

Here is the direct link to my session:

https://insideazuremgmt.com/session/azure-policy-insights-multi-tag-demo-via-azure-policy/

Be sure to register for this event to check out all the great sessions including mine on Azure Policy.

Here is the link to the official site:

https://www.insideazuremgmt.com

Here is the link to register:

https://www.eventbrite.com/e/inside-azure-management-the-virtual-summit-tickets-109230577598?aff=ebdssbeac

Read more

Azure Policy evaluation on-demand PowerShell Script

Last year I wrote a blog post on how to use the modify effect in Azure Policy to enforce multiple tags. Here is the link to that full walk-through post: https://www.buchatech.com/2019/09/walk-through-use-azure-policy-modify-effect-to-require-tags/

In that blog post, I called out an Azure Policy on-demand evaluation PowerShell script I wrote. This PowerShell script will trigger Azure Policy to run the evaluation right away so you don’t have to wait for the next time Azure Policy will run the evaluation.

This is especially helpful when you are developing Azure Policies and you want to see if they are working properly or not. You can run the on-demand evaluation PowerShell script in Azure Cloud Shell at https://shell.azure.com/.

Well, that brings us to the end of this blog post. I wanted to make a short blog post for this script so that it would be easier to find.

You can get the policy evaluation trigger script on my GitHub here: Az Policy evaluation Trigger v1.ps1

Read more

Cloud Governance, Bringing Order To Your Cloud Chaos – Podcast

Recently I was a guest on the “Day Two Cloud” podcast hosted by fellow Microsoft MVP/Pluralsight author Ned Bellavance.

We talked about how native Azure governance & management tools Azure Policy, Tagging, and Blueprints can be used to bring order to your cloud environments. Listen now here:

Check it out here:

https://packetpushers.net/podcast/day-two-cloud-033-cloud-governance-bringing-order-to-your-cloud-chaos

Read more

Master Azure with VS Code

At Experts Live Europe 2019 I presented a session titled “Master Azure with VS Code”. This was a fun session with an engaging audience that took to twitter after the session. There was some chatter asking this session was recorded. It was not. I did note that I planned to write a blog post on this topic.

Here is that blog post and it is the first one of 2020 for me! In this post, we are going to dive into how VS code is helpful when working with Azure and many extensions I find useful when working with Azure. This post is not set to be an end-all to using VS Code with Azure but from my experience. Use this post as a starting point or a reference for expanding your use of VS Code with Azure. Also, check out the many other community experts and Microsoft MVPs for their additional knowledge plus tips and tricks on this topic.

VS Code Overview

First off if you are not using VS Code stop reading this right now, go download it and install it then come back to finish reading. 🙂 VS Code is a must-have in your toolbox and it is free! For those that are new to VS Code, it is an open-source – code editor developed by Microsoft that runs on Windows, Linux, and macOS. Here is a shortlist of the many benefits of VS Code:

  • Has support for hundreds of languages.
  • Has Integrated Terminal.
  • Also powerful developer tool with functionality, like IntelliSense code completion and debugging.
  • Includes syntax highlighting, bracket-matching, auto-indentation, box-selection, snippets, and more.
  • Integrates with build and scripting tools to perform common tasks making everyday workflows faster.
  • Has support for Git to work with source control.
  • Large Extension Marketplace of third-party extensions.

Note that yes, VS Code is for the “IT Pro”. Not just developers.

Azure Extensions in VS Code

VS Code has a ton of extensions in general. There are a number of Azure specific extensions and you can work with Azure directly from VS Code.

If you go to the VS Code Marketplace here: https://marketplace.visualstudio.com/vscode and search on Azure you will see results for many published by Microsoft and many community based extensions for Azure. As of the time of writing this blog post, there are 93. Here is a screenshot showing some of the results:

You can also go directly to the Azure Tools extension from Microsoft here: 

https://marketplace.visualstudio.com/itemdetails?itemName=ms-vscode.vscode-node-azure-pack

Or the

Azure Extensions from Microsoft here:

https://code.visualstudio.com/docs/azure/extensions

In the rest of this post, I am going to share some key extensions I use with Azure. I will post the marketplace links at the end of each extension I talk about and if it is maintained by community or Microsoft.

Deploy to Azure using VS Code

It is important to note that not all of the Azure extensions available in VS Code can be used to deploy to Azure. Some can but most can’t here is a list of the services that you can deploy to from extensions in VS Code.

Azure Service Description
Azure Functions Build and manage Azure Functions serverless apps directly in VS Code with the Azure Functions extension.
App Service Manage Azure resources directly in VS Code with the Azure App Service extension.
Docker Deploy your website using a Docker container.
Azure CLI Create, deploy, and update a website using a terminal and the Azure CLI.
Static website Create, deploy, and update a static website on Azure Storage.

NOTE: This list is current at the time of writing this blog post. This will change over time.

Azure Cloud Shell in VS Code

Cloud Shell is something you should be using with Azure to make your life easier. It is an interactive command-line shell. You are authenticated to your Azure account when you launch it, It typically runs in the browser and is used for managing Azure resources. When you launch it you can choose the shell experience that best for you, either Bash or PowerShell. With VS Code you can launch Cloud Shell directly in VS Code!

Cloud Shell is a part of the Azure Account extension. Here are some key points on using Cloud Shell with VS Code:

  • Free (storage consumed has costs.)
  • Launch Azure Cloud Shell directly in VS Code.
  • Launch Bash, PowerShell, or Upload.
  • Works in the Integrated Terminal.

Azure and open-source Tooling in Cloud Shell:

Azure Tools:
blobxfer Azure CLI and Azure classic CLI Azure Functions CLI AzCopy Service Fabric CLI Batch Shipyard  
Open-Source:
Bash Terraform Packer Ansible Chef InSpec Puppet Bolt Docker Kubectl Helm DC/OS CLI iPython Client Cloud Foundry CLI

PowerShell Modules in Cloud Shell

You get the following PowerShell modules in Cloud Shell:
Azure Modules (Az.Accounts, Az.Compute, Az.Network, Az.Resources, Az.Storage)
Azure AD Management (Preview)
Exchange Online (In development)
MicrosoftPowerBIMgmt
SqlServer

Marketplace Link:

Azure Account: https://marketplace

Maintained By Microsoft

Read more

Walk-through: use Azure Policy modify effect to require tags

In my day to day I do cloud foundations work helping companies with their Azure governance and management. On projects we will develop a tagging strategy. A tagging strategy is only good if it is actually used.  One way to ensure that tags are used is by using Azure Policy to require tags on resource groups or resources.

In the past I have used the deny effect in an Azure Policy to require tags upon resource creation. I basically use the template as previously blogged about here: https://www.buchatech.com/2019/03/requiring-many-tags-on-resource-groups-via-azure-policy. This policy works but can be a problem because the error that is given when denied during deployment is not clear about what tags are required. Also, folks think it is a pain and slows down the provisioning process.

I set out to require tags using a different method. The idea was to use the effect append vs deny so that resources without the proper tags would be flagged as non-compliant and the policy would add the required tags with generic values. Someone from the cloud team could then go put in the proper values for the tags bringing the resources into compliance. Th end result was that the effect append does work remediating with a single tag but falls down when trying to remediate using multiple tags.

I discovered that this behavior was intended and that the append effect only supports one remediation action (i.e. one tag). On 9-20-19 Microsoft updated the modify effect so that Modify can handle multiple ‘operations’ – where each operation specifies what needs to be remediated.

Now let’s walk through using the modify effect in an Azure Policy to add multiple tags on a resource group.

You will need to start off by coding your Azure Policy definition template. There are three important parts you need to ensure you have in template. You need to have modify effect for the proper effect, roleDefinitionIds as this is the role that will be used by the managed identity set as contributor, and operations to tell Azure policy what to do when remediation out of compliance resources.

"effect": "modify",

and

"roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"

and

 "operations": [
            {
            "operation": "addOrReplace",

Here is a screenshot of the template.

You can get the full Azure Policy definition ARM Template on my GitHub here:

Required Tags Azure Policy Modify Effect.json

Add the ARM template as a new policy definition in the Azure portal.

See the following screenshot to complete your Azure policy definition.

Click for larger image

You will then see your new Azure policy definition.

Next, you need to assign the Azure policy definition. To do this click on Assignments.

See the following screenshot to complete your Azure policy assignment.

Click for larger image

Note that this policy assignment will create a managed identity so that the policy has the ability to edit tags on existing resources.

The assignment will now be created but the evaluation has not happened so the compliance state will be set to not started as shown in the following screenshot.

Read more

Require Many Tags on Resource Groups via Azure Policy

Azure Policy can be used to enforce rules and effects on resources in your Azure subscriptions. It is a part of the Azure Governance and management toolbox native to Azure. I actually wrote a blog post all about Azure Policy here as a part of my native cloud management in azure blog series.

In this blog post I want to dig into Requiring Tags on Resource Groups via Azure Policy. There is a sample policy ARM Template to accomplish this here:

https://docs.microsoft.com/en-us/azure/governance/policy/samples/enforce-tag-on-resource-groups . What is not clear with the this policy template is how to add an enforce additional tags within the single ARM Template. This is important as you don’t want to have multiple templates to enforce multiple tags.

Well its actually pretty straight forward. You need to add the additional tags as Rules and Parameters. For example:

{
"not": {
"field": "[concat('tags[',parameters('Environment'), ']')]",
"exists": "true"
}
},

and

"Environment": {
"type": "String",
"metadata": {
"description": "Provides information on what the resource group is used for (useful for maintenance, policy enforcement, chargeback, etc.) Tag value: Dev, QA, Stage, Test, Prod. Example: Prod"
}
},

Be sure you add a parameter for every rule. Also in the example I gave I removed the “equals”: “[parameters(‘tagValue’)]” from the rules because I did not want to populate the tag value. I simply needed to require the tag and leave the value open for the person creating the resource to fill in. Here is the full example Policy ARM Template here:

{
  "mode": "all",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Resources/subscriptions/resourceGroups"
        },
        {
          "not": {
            "field": "[concat('tags[',parameters('BillTo'), ']')]",
            "exists": "true"
          }
        },
        {
            "not": {
              "field": "[concat('tags[',parameters('Functional Area'), ']')]",
              "exists": "true"
            }
          },
          {
            "not": {
              "field": "[concat('tags[',parameters('Environment'), ']')]",
              "exists": "true"
            }
          },
          {
            "not": {
              "field": "[concat('tags[',parameters('AppOwner'), ']')]",
              "exists": "true"
            }
          }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {
    "BillTo": {
      "type": "String",
      "metadata": {
        "description": "Provides a charge code or cost center to attribute the bill for the resources too. Tag value: Cost Center. Example: team@domain.com"
      }
    },
    "Functional Area": {
        "type": "String",
        "metadata": {
          "description": "Provides information on department or team is responsible for administering/supporting the application. Tag value: Team name/email. Example: 1506548"
        }
      },
      "Environment": {
        "type": "String",
        "metadata": {
          "description": "Provides information on what the resource group is used for (useful for maintenance, policy enforcement, chargeback, etc.) Tag value: Dev, QA, Stage, Test, Prod. Example: Prod"
        }
      },
      "AppOwner": {
        "type": "String",
        "metadata": {
          "description": "The Business app owner to contact. Tag value: Business App owners’ email. Example: name@domain.com"
        }
      }
  }
}

After you create the Policy definition using the ARM template it will look like this:

When you assign the policy you will need to complete the parameters:

The next time someone deploys a resource group without the required tags in the subscription this policy is assigned to it will fail.

Thanks for reading!

Read more

Architect your Cloud with Azure Blueprints

Today as a part of the Azure Governance and management announcements at Microsoft Ignite 2018 Azure Blueprints Public Preview was announced. Azure Blueprints are a core part of the cloud governance and management story. They go hand and hand with Management Groups and will take the enterprise management story of Azure up a level. In this blog post I will take a deep dive into Azure Blueprints explaining what they are and give an example of how they can be used.

NOTE: This is a long blog post so I have also published this content as a whitepaper. The whitepaper PDF can be downloaded here.

BLUEPRINTS OVERVIEW

At a high-level Azure Blueprints help you meet organizational cloud standards, patterns, and requirements through governed subscriptions enabled and enforced by the grouping of artifacts like ARM templates, Azure policies, RBAC role assignments, and resource groups within a Blueprint.

Blueprints can be used to lay a cloud foundation, as cloud patterns, and group cloud governance frameworks. Blueprints are a one-click solution for deploying a cloud foundation, pattern, or governance framework to an Azure subscription. Think of an Azure Blueprint as re-usable design parameters for cloud that can be shared and used across an enterprise.

Azure architects typically map out and plan the many aspects of a cloud foundation for an organization such as access management, networking, storage, policy, security/compliance, naming conventions, tagging, monitoring, backup, locations, and more. Now Azure architects can step this designing a step further build these designs as Azure Blueprints and then apply them to subscriptions. The Blueprints give architects a way to orchestrate the deployment of grouped components to speed up the development and provisioning of new Azure environments ensuring they are meeting organizational compliance.

BLUEPRINTS ARE NOT AZURE POLICY

Azure policy is a service targeted to resource properties that exists or when being deployed with allow or explicit deny policies. It is used to ensure resources in an Azure subscription adhere to requirements and standards of an organization.

Azure policies can exist on their own or be a part of an Azure Blueprint. Blueprints do not replace Policy they are one of the Artifact types that make up a Blueprint.

THE MAKEUP OF A BLUEPRINT

Definition

A Blueprint consists of a Definition. The Definition is the design of what should be deployed it consists of the name of the Blueprint, the description and the Definition location. The Definition Location is the place in the Management Group hierarchy where this Blueprint Definition will be stored and determines the level assignment is allowed at. Currently you must have Contributor access to a Management Group to be able to save a Blueprint Definition to it. A Blueprint can be assigned at or below the Management Group it has set in its Definition Location. Here is a diagram to visualize Blueprint Assignment in relation to Management Group hierarchy:

Azure Blueprint Assignment

Artifacts

The Definition is where Blueprint Artifacts are added. As of right now the following is a list of the Artifact types:

  • Policy Assignments – Lets you add an Azure Policy. This can be a built-in or custom policy.
  • Role Assignments – Lets you add a user, app, or group and set the role. Only built-in roles are currently supported.
  • Azure Resource Manager templates – Lets you add an ARM Template. This does not let you import a parameters file. It does let you pre-set the parameters or set the parameters during assignment of the Blueprint.
  • Resource Groups – Lets you add a Resource Group to be created as a part of this Blueprint.

In my opinion the ARM Template artifact is the most impactful of the Blueprint artifact types because you can define such a variety of resources here. It opens the Blueprint to the power of ARM in general. Hopefully in the future we will see more scripting capability or the ability to load PowerShell scripts, runbooks, and or Functions.

There are two levels in the Artifacts. The first level is Subscription. The second level is Resource Group. Resource Group artifacts cannot be added to a Resource Group artifact. A Resource Group artifact can be created in a Subscription. An ARM Template artifact can only be created in a Resource Group artifact. A Policy Assignments or Role Assignments can be created at either the Subscription or Resource Group level.

Assignment

After a Blueprint has been built it needs to be applied. Applying a Blueprint is known as Blueprint assignment. The assignment is essentially the “what was deployed” for a Blueprint. This is how the artifacts are pushed out to Azure and used to track and audit deployments in Azure.

Sequencing

When the assignment of a Blueprint is processed the default order of resource creation is:

  • Role assignment artifacts at the Subscription level
  • Policy assignment artifacts at the Subscription level
  • Azure Resource Manager template artifacts at the Subscription level
  • Resource group artifacts and its child artifacts (role assignment, policy assignment, ARM Templates) at the Resource Group level

When a blueprint includes multiple Azure Resource Manager templates there may be a need to customize the sequencing order in which the Blueprint will deploy artifacts during assignment. You customize the artifact deployment sequence by deploying a Blueprint from an ARM Template declaring a dependency within it or declaring a dependency within an ARM Template artifact in the Blueprint. You declare a dependency using the dependsOn property in JSON. This essentially is a string array of artifact names.

Resource Locking

In cloud environments consistency is key. Naturally Azure Blueprints can also leverage resource locking in Azure. Blueprints have a Locking Mode. This Locking Mode can be applied to None or All Resources and is determined during the assignment of the Blueprint. The decision on cannot be changed later. If a locking state needs to be removed, then you must first remove the Blueprint assignment.

Some Blueprint artifacts create resources during assignment. These resources can have the following state:

  • Not Locked – Can be changed. Can be deleted.
  • Read Only – Can’t be changed and can’t be deleted.
  • Cannot Edit / Delete – Create, update, and delete within the resource group.

Artifacts that become Resource groups get the state of Cannot Edit / Delete automatically but you can create, update, and delete resources within them.

The high-level stages of an Azure Blueprint are Create it, assign it to a scope, and track it.

Anatomy of a Blueprint:

Azure Blueprint Anatomy

 

Blueprint does have a REST API. I am not covering the REST API in this blog post as I have not had the opportunity to spend much time working with it yet.

Now let’s look at building and assigning an Azure Blueprint.

BUILD A BLUEPRINT

Now I am going to give an example of building and using an Azure Blueprint in a cloud foundation mock scenario. In my mock scenario I have 3 Azure subscriptions. Each subscription should have a Core services Resource Group consisting of a core VNet with 3 subnets, an NSG for each subnet, and the web subnet should be ready for DMZ traffic. For the core VNet and any additional VNet added to the Core Services Resource Group I need network watcher deployed to it.

Each subscription also should have a core storage account and a blob storage that is ready for general storage needs. I want a tag applied to any Blueprint assignment labeling it with the assignment name, so it is easy to track. The last requirement I have is that I need the CloudOps team to automatically be owner of all core services resources. To accomplish all of this I created the following Blueprint:

Now let’s walk through the parts of creating and assigning the Blueprint. The first step is to create the Blueprint Definition.

In the basics step I give it a meaningful name and meaningful description. I set the Definition Location to the root of my Management groups. Doing this will allow me to assign this Blueprint to all 3 subscriptions in turn creating the core services RG in each subscription.

Next the Artifacts need to be added. Note that when adding an Artifact at the Subscription level you have these options as types:

The Resource Group Artifact type is only available at the subscription level and the ARM template Artifact type is only available at the Resource Group level. I added the Resource Group that the core networking and core storage will be deployed into.

Read more

Native Cloud Management in Azure

For those that know me know that I have been a System Center expert for some time focused on helping organizations manage their IT along with their ITSM needs. I have been working with Azure since it was released off and on but started to get serious about Azure after Microsoft’s move to resource manager. And even more recently I have re-focused completely to Azure and DevOps along with ITSM in the context of the cloud. I consider this combination CloudOps.

CloudOps is important when it comes to cloud and supporting DevOps. A part of CloudOps is cloud management. More specifically the tooling name for cloud management is often referred to as Cloud Management Platform (CMP).  CMP’s can be a CloudOps architect and engineers best friend or worst nightmare. There are many CMP solutions out there in the market that can be used to manage Azure and other clouds as well. Microsoft has done a nice job building and bringing in native solutions that can be used to manage Azure. The following image depicts the areas of cloud management that are in focus for Microsoft.

I am sure the plan for native cloud management will change and expand over time as Azure and its management needs continue to grow. The native set of cloud management tools in Azure can be viewed as a CMP. I am going to put together a group of blogs that at a high level cover the native solutions that exist for managing and securing Azure. There are so many areas in this topic that it has to be broken out into a blog series. This is the first time I am doing a blog series. It will cover the following:

Check back on this post soon. As I create more blog posts in this series they will be linked on the list above.

Read more

Azure Policy

A key component of cloud governance in Azure is being able to apply policies across cloud resources. In Azure, there is a  service called Azure Policy that can be used to define policies and enforce them across your cloud resources. Azure Policy can be used to create, assign and, manage, and apply policy definitions. Azure Policy can be set to just evaluate when resources are out of compliance or remediate when resources are out of compliance. These two modes are known as audit effect and deny effect.

Azure policies can be applied to Management Groups, subscriptions, or resources.

Azure Policy has been around for a while but recently it has revamped to make it enterprise ready. Azure Policy is in preview but it won’t be long before it will go GA and can be used to help manage your Azure. There is no pricing yet while Policy is in preview.

Azure Policy is not RBAC. RBAC deals with user access and user actions such as what users can access what resources and what they can do with them. Azure Policy deals with existing resources and resource properties during the deployment of them.

In Azure Policy you have something known as definitions. Definitions are essentially compliance rules that can be assigned to Azure resources. These definitions can just check to see if items are compliant or not and can enforce compliance. Definitions can be used to set conventions for resources, for example, all resources in a subscription should have a certain tag when created. Definitions are also used to evaluate something and take an action based on the result of the evaluation. A good example of this is that you could use a policy definition to evaluate if virtual machines are using managed disks or not. Azure Policies are used to help control costs and manage resources across your Azure subscriptions.

There are two types of definitions called Policy and Initiative. A Policy definition is a single definition. An Initiative definition is a group of Policy definitions. Initiative definitions are used to help achieve larger compliance need. To gain a better understanding of Initiative definitions you can look at Security Center as it leverages Initiative definitions. Security Center has a built-in Initiative definition named [Preview]: Enable Monitoring in Azure Security Center. This built-in Initiative definition for Security Center contains 13 Policy definitions related to security as shown in the following screenshot.

In Azure policy there are built-in and custom definitions. The built-in definitions have been created by Microsoft and are ready to be used to help with common needs in cloud. There are 36 built-in policy definitions today. Custom definitions are built by you. All Azure policies are JSON so writing custom polices is similar to writing ARM templates. Templates for Azure policies can be found in the Repository for Azure Resource Policy samples here: https://github.com/Azure/azure-policy. You can use these samples as a starting point when building your own. Here is an example of an Azure policies JSON:

Read more