Azure Resource Policy to Restrict ALL ASM Resources


I needed a way to block ALL Azure Service Manager (ASM, aka Classic) resources at the subscription level. Azure Resource Policy (now Azure Policy) is the logical choice: every classic resource type lives under a resource provider namespace that starts with Microsoft.Classic (Microsoft.ClassicCompute, Microsoft.ClassicNetwork, Microsoft.ClassicStorage and so on), so a single wildcard on the resource type field catches all of them. The Policy Definition rule is correspondingly simple:

{
  "if": {
    "field": "type",
    "like": "Microsoft.Classic*"
  },
  "then": {
    "effect": "Deny"
  }
}

Once the definition is deployed and assigned at subscription scope (using the PowerShell commands below; they use the AzureRm module, which has since been superseded by Az, where the equivalents are Connect-AzAccount, Set-AzContext, New-AzPolicyDefinition and New-AzPolicyAssignment), ASM resources can no longer be deployed:

# Set the subscription ID (the post's own example subscription)
$subscriptionId = '7c6bd10f-ab0d-4a8b-9c32-548589e1142b'

# Sign in and select the target subscription
Add-AzureRmAccount
Select-AzureRmSubscription -Subscription $subscriptionId

# Create the definition from the rule JSON above (saved as Restrict-ALL-ASM-Resources.json).
# -Mode All makes Policy evaluate every resource type, not only the types that
# support tags and location (the default Indexed mode).
$definition = New-AzureRmPolicyDefinition -Name "restrict-all-asm-resources" -DisplayName "Restrict All ASM Resources" -Description "This policy enables you to restrict ALL Azure Service Manager (ASM, aka Classic) resources." -Policy '.\Restrict-ALL-ASM-Resources.json' -Mode All
$definition

# Assign it at subscription scope so it applies to every resource group in the subscription
$assignment = New-AzureRmPolicyAssignment -Name 'Restrict All ASM Resources' -PolicyDefinition $definition -Scope "/subscriptions/$subscriptionId"
$assignment

The Deny effect only stops new create and update requests that go through Azure Resource Manager; classic resources that already exist in the subscription are left in place and merely reported as non-compliant, so they still have to be migrated or removed separately. New classic deployments, however, now fail: for example, when I tried to create a classic VNet, validation was rejected with a RequestDisallowedByPolicy error before anything was created:

[Screenshot: classic VNet deployment failing validation because of the policy assignment]
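A follow-up check I would run after the assignment, as an added example (this is not code from the original post): it confirms the assignment really sits at subscription scope, inventories the classic resources that Deny does not remove, and validates a minimal classic VNet template to prove the refusal happens during validation. It assumes the AzureRm module and the definition and assignment names used above; the resource group name, the VNet name and the region are hypothetical, and nothing is deployed because Test-AzureRmResourceGroupDeployment only validates.

```powershell
# Added example, not from the original post: check the assignment from the
# subscription side. Assumes the AzureRm module, the names used above, and an
# existing scratch resource group (the name 'rg-policy-test' is hypothetical).
$subscriptionId = '7c6bd10f-ab0d-4a8b-9c32-548589e1142b'
$scope          = "/subscriptions/$subscriptionId"
$rgName         = 'rg-policy-test'

# 1. Confirm the assignment exists at subscription scope. Assigning at a single
#    resource group is an easy mistake and leaves the rest of the subscription open.
$assignment = Get-AzureRmPolicyAssignment -Scope $scope |
    Where-Object { $_.Name -eq 'Restrict All ASM Resources' }
if (-not $assignment) { throw "Assignment 'Restrict All ASM Resources' not found at $scope" }
"Assignment found, scope: $($assignment.Properties.scope)"

# 2. Deny only stops new requests. Inventory classic resources that already exist;
#    they stay in place (and show as non-compliant) until migrated or deleted.
$classic = Get-AzureRmResource |
    Where-Object { $_.ResourceType -like 'Microsoft.Classic*' }
"Existing classic resources the policy does not remove: $(@($classic).Count)"
$classic | Select-Object Name, ResourceType, ResourceGroupName | Format-Table -AutoSize

# 3. Validate (not deploy) a minimal classic VNet template. The request should be
#    refused by policy during validation, so nothing is ever created.
#    Resource name and region are hypothetical values for the test.
$template = @{
    '$schema'      = 'https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#'
    contentVersion = '1.0.0.0'
    resources      = @(
        @{
            type       = 'Microsoft.ClassicNetwork/virtualNetworks'
            apiVersion = '2015-06-01'
            name       = 'policy-test-classic-vnet'
            location   = 'westeurope'
            properties = @{
                addressSpace = @{ addressPrefixes = @('10.0.0.0/16') }
                subnets      = @(@{ name = 'default'; addressPrefix = '10.0.0.0/24' })
            }
        }
    )
}
$templateFile = Join-Path $env:TEMP 'classic-vnet-test.json'
$template | ConvertTo-Json -Depth 10 | Set-Content -Path $templateFile

$validation = Test-AzureRmResourceGroupDeployment -ResourceGroupName $rgName -TemplateFile $templateFile

# ARM usually wraps the policy refusal in an InvalidTemplateDeployment error, so look
# for RequestDisallowedByPolicy in the top-level code, the message and the nested details.
$blocked = $validation | Where-Object {
    $_.Code -eq 'RequestDisallowedByPolicy' -or
    $_.Message -match 'RequestDisallowedByPolicy' -or
    ($_.Details | Where-Object { $_.Code -eq 'RequestDisallowedByPolicy' })
}

if ($blocked) {
    'PASS: classic VNet deployment was rejected by policy'
} elseif ($validation) {
    'Validation failed for a reason other than policy:'
    $validation | Format-List Code, Message
} else {
    'FAIL: the classic VNet template passed validation; check the assignment scope'
}
```

The third step is the one that matters: a classic VNet template that passes validation means the assignment is not in effect for that resource group, most often because it was made at resource group scope or on a different subscription, and the inventory from step two is the list of resources the policy will never touch on its own.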
