Azure Policy is a great tool to manage your standards and policies within your Azure subscriptions. In addition to the built-in policies from the Azure Portal, the product team also provides a public GitHub repository to share custom policy definitions with the community.
At the time of writing this post, there are already 2 policy definitions in this GitHub repo for managing the Hybrid Use Benefit (BYO license) for Windows VMs:
- Enforce Hybrid Use Benefit: https://github.com/Azure/azure-policy/tree/master/samples/Compute/enforce-hybrid-use-benefit
- Deny Hybrid Use Benefit: https://github.com/Azure/azure-policy/tree/master/samples/Compute/deny-hybrid-use-benefit
These 2 policy definitions are mutually exclusive.
If you apply the Enforce policy, you will not be able to create a VM if you have not enabled Hybrid Use Benefit as shown below:
At the summary page of the wizard, you will receive an error:
On the other hand, if you have applied the Deny Hybrid Use Benefit policy, you will also get a validation error if you have enabled Hybrid Use Benefit:
These two policy definitions are great, but to me, none of them meets my requirements. I don’t want to educate my users on what settings they should use, and throwing an error at the summary page of the wizard is not very user friendly. I want my users to not worry about this setting, and automatically enable Hybrid Use Benefit for Windows Server VMs. Therefore I created a new custom definition based on the above-mentioned 2 existing definitions to append Hybrid Use Benefit for a Windows Server VM (automatically enable it):
This policy will automatically enable Hybrid Use Benefit for Windows Server VMs if it is not enabled during the creation of the VM.
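An append rule of the kind described above, written here as an added example and not the author's own definition. The display name, description, and the choice to match only on image publisher and offer are assumptions; the sample definitions linked earlier may match on additional fields.

```json
{
  "properties": {
    "displayName": "Append Hybrid Use Benefit to Windows Server VMs (illustrative example)",
    "description": "Constructed example, not the original post's definition. Sets licenseType to Windows_Server when a Windows Server VM is created without it.",
    "mode": "Indexed",
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "Microsoft.Compute/imagePublisher",
            "equals": "MicrosoftWindowsServer"
          },
          {
            "field": "Microsoft.Compute/imageOffer",
            "equals": "WindowsServer"
          },
          {
            "field": "Microsoft.Compute/licenseType",
            "notEquals": "Windows_Server"
          }
        ]
      },
      "then": {
        "effect": "append",
        "details": [
          {
            "field": "Microsoft.Compute/licenseType",
            "value": "Windows_Server"
          }
        ]
      }
    }
  }
}
```

Append only adds the field when the request does not already carry it. If the request specifies a different licenseType value, the append effect acts as a deny and the deployment is rejected.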
Unfortunately, I don’t believe (and please correct me if I am wrong) there is a way to automatically remove the Hybrid Use Benefit setting from a VM if it is enabled using Azure Policy. According to the Azure Policy definition documentation (https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition), the possible effects are: Deny, Audit, Append, AuditIfNotExists and DeployIfNotExists. There are no possible effects to remove a value if it exists.