Managing Azure VM Hybrid Use Benefit Configuration Using Azure Policy
Azure Policy is a great tool for managing standards and policies within your Azure subscriptions. In addition to the built-in policies available in the Azure Portal, the product team also provides a public GitHub repository for sharing custom policy definitions with the community.
At the time of writing this post, there are already 2 policy definitions in this GitHub repo for managing the Hybrid Use Benefit (BYO license) for Windows VMs:
- Enforce Hybrid Use Benefit: https://github.com/Azure/azure-policy/tree/master/samples/Compute/enforce-hybrid-use-benefit
- Deny Hybrid Use Benefit: https://github.com/Azure/azure-policy/tree/master/samples/Compute/deny-hybrid-use-benefit
These 2 policy definitions are mutually exclusive.
If you apply the Enforce policy, you will not be able to create a VM if you have not enabled Hybrid Use Benefit, as shown below:
At the summary page of the wizard, you will receive an error:
On the other hand, if you have applied the Deny Hybrid Use Benefit policy, you will also get a validation error if you have enabled Hybrid Use Benefit:
These two policy definitions are great, but neither of them meets my requirements. I don’t want to educate my users on which settings they should use, and throwing an error at the summary page of the wizard is not very user friendly. I want my users to not worry about this setting at all, and to have Hybrid Use Benefit enabled automatically for Windows Server VMs. Therefore I created a new custom definition, based on the 2 existing definitions mentioned above, that appends Hybrid Use Benefit to a Windows Server VM (automatically enabling it):
    {
      "type": "Microsoft.Authorization/policyDefinitions",
      "name": "append-hybrid-use-benefit",
      "properties": {
        "displayName": "Append hybrid use benefit",
        "description": "This policy will automatically configure hybrid use benefit for Windows Servers.",
        "parameters": {},
        "policyRule": {
          "if": {
            "allOf": [
              {
                "field": "type",
                "in": [
                  "Microsoft.Compute/virtualMachines",
                  "Microsoft.Compute/VirtualMachineScaleSets"
                ]
              },
              {
                "field": "Microsoft.Compute/imagePublisher",
                "equals": "MicrosoftWindowsServer"
              },
              {
                "field": "Microsoft.Compute/imageOffer",
                "equals": "WindowsServer"
              },
              {
                "field": "Microsoft.Compute/imageSKU",
                "in": [
                  "2008-R2-SP1",
                  "2008-R2-SP1-smalldisk",
                  "2012-Datacenter",
                  "2012-Datacenter-smalldisk",
                  "2012-R2-Datacenter",
                  "2012-R2-Datacenter-smalldisk",
                  "2016-Datacenter",
                  "2016-Datacenter-Server-Core",
                  "2016-Datacenter-Server-Core-smalldisk",
                  "2016-Datacenter-smalldisk",
                  "2016-Datacenter-with-Containers",
                  "2016-Datacenter-with-RDSH"
                ]
              },
              {
                "field": "Microsoft.Compute/licenseType",
                "notEquals": "Windows_Server"
              }
            ]
          },
          "then": {
            "effect": "append",
            "details": [
              {
                "field": "Microsoft.Compute/licenseType",
                "value": "Windows_Server"
              }
            ]
          }
        }
      }
    }
This policy will automatically enable Hybrid Use Benefit for Windows Server VMs if it is not enabled during the creation of the VM.
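To see which create requests the rule above matches and what the append effect writes into them before assigning it in a subscription, here is an added Python simulation of the rule's evaluation; it is not code from this post or from Azure Policy itself. The alias-to-property mapping is an assumption, the SKU list is shortened, and the request bodies are constructed samples.

```python
POLICY_RULE = {  # same shape as the definition above; SKU list shortened
    "if": {"allOf": [
        {"field": "type", "in": ["Microsoft.Compute/virtualMachines", "Microsoft.Compute/VirtualMachineScaleSets"]},
        {"field": "Microsoft.Compute/imagePublisher", "equals": "MicrosoftWindowsServer"},
        {"field": "Microsoft.Compute/imageOffer", "equals": "WindowsServer"},
        {"field": "Microsoft.Compute/imageSKU", "in": ["2012-R2-Datacenter", "2016-Datacenter"]},
        {"field": "Microsoft.Compute/licenseType", "notEquals": "Windows_Server"}]},
    "then": {"effect": "append", "details": [
        {"field": "Microsoft.Compute/licenseType", "value": "Windows_Server"}]}}

# Assumed alias -> request-body path mapping (the real engine resolves aliases itself).
_IMG = ("properties", "storageProfile", "imageReference")
ALIASES = {"type": ("type",),
           "Microsoft.Compute/imagePublisher": _IMG + ("publisher",),
           "Microsoft.Compute/imageOffer": _IMG + ("offer",),
           "Microsoft.Compute/imageSKU": _IMG + ("sku",),
           "Microsoft.Compute/licenseType": ("properties", "licenseType")}
_norm = lambda v: v.lower() if isinstance(v, str) else v  # string comparisons are case-insensitive

def evaluate(cond, resource):
    if "allOf" in cond:
        return all(evaluate(c, resource) for c in cond["allOf"])
    node = resource
    for key in ALIASES[cond["field"]]:
        node = node.get(key) if isinstance(node, dict) else None  # None if the property is absent
    actual = _norm(node)
    if "equals" in cond:
        return actual == _norm(cond["equals"])
    if "notEquals" in cond:  # an absent licenseType is "not equal", so the VM matches
        return actual != _norm(cond["notEquals"])
    return actual in {_norm(v) for v in cond["in"]}

def apply_policy(rule, resource):
    """Return (matched, body); on a match, write the append details into the body."""
    if not evaluate(rule["if"], resource):
        return False, resource
    for item in rule["then"]["details"]:
        *parents, last = ALIASES[item["field"]]
        node = resource
        for key in parents:
            node = node.setdefault(key, {})
        node[last] = item["value"]
    return True, resource

def vm_request(publisher, offer, sku, license_type=None):
    """Constructed minimal VM create request body (not a real Azure payload)."""
    props = {"storageProfile": {"imageReference": {"publisher": publisher, "offer": offer, "sku": sku}}}
    if license_type:
        props["licenseType"] = license_type
    return {"type": "Microsoft.Compute/virtualMachines", "properties": props}
```

A Windows Server request without licenseType gets Windows_Server appended, one that already carries it is left alone, and a non-Windows image never matches.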
Unfortunately, I don’t believe (and please correct me if I am wrong) there is a way to automatically remove the Hybrid Use Benefit setting from a VM using Azure Policy if it is enabled. According to the Azure Policy definition documentation (https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition), the possible effects are: Deny, Audit, Append, AuditIfNotExists and DeployIfNotExists. There is no effect that removes a value if it exists.