Azure Resource Policy to Restrict ALL ASM Resources

less than 1 minute read

I needed to find a way to restrict ALL Azure Service Manager (ASM, aka Classic) resources on the subscription level. Azure Resource Policy seems to be a logical choice. So I quickly developed a very simple Policy Definition:

{
  "if": {
    "field": "type",
    "like": "Microsoft.Classic*"
  },
  "then": {
    "effect": "Deny"
  }
}

Once I have deployed the definition and assigned it to the subscription level (using PowerShell commands listed below), I could no longer deploy ASM resources:

#Set the Subscription ID
$subscriptionId = '7c6bd10f-ab0d-4a8b-9c32-548589e1142b'

Add-AzureRmAccount
Select-AzureRmSubscription -Subscription $subscriptionId

$definition = New-AzureRmPolicyDefinition -Name "restrict-all-asm-resources" -DisplayName "Restrict All ASM Resources" -description "This policy enables you to restrict ALL Azure Service Manager (ASM, aka Classic) resources." -Policy '.\Restrict-ALL-ASM-Resources.json'  -Mode All
$definition
$assignment = New-AzureRMPolicyAssignment -Name 'Restrict All ASM Resources' -PolicyDefinition $definition -Scope "/subscriptions/$subscriptionId"
$assignment

i.e. when I tried to create a classic VNet, I could not pass the validation:

Share on

Twitter Facebook LinkedIn

Tao Yang

Azure Resource Policy to Restrict ALL ASM Resources

Share on

Leave a comment

You may also enjoy

Azure Resource Graph Query for Subscription Owner Role Assignments

Azure Policy for Allowed Service Tags in Network Security Groups

Azure Policies for Restricting Service Tag in Network Security Groups

PowerShell Module AzPolicyTest V2.0 Released