Problem:
An organization wants to deny an Azure Resource Provider for contractual, compliance, or security reasons.
Solution:
Create a new Azure Policy definition by duplicating the “Not allowed resource types” built-in definition. Fill out the Basics form. For the “Definition Location”, ideally you would select a Management Group. This allows you to assign the definition at the management group scope and ensures Subscription owners adhere to the policy. The name should reflect the purpose of the policy. For example, “Deny Compute Resource Provider” to deny any operations against the “Microsoft.Compute” resource provider. In the “Description”, explain the reason for blocking the resource provider. For the “Category”, either create a new one or select an existing one.
The default “Policy Rule” has most of the code we’ll need. On line 8, replace “in” with “like”. Also, change the value to a resource provider followed by a slash and an asterisk. For example, “Microsoft.Compute” becomes “Microsoft.Compute/*”. The “listOfResourceTypesNotAllowed” parameter is not needed and can be removed, so delete lines 21 through 28. That’s it, you’re done. The policy rule should look like this:
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "like": "Microsoft.Compute/*"
        },
        {
          "value": "[field('type')]",
          "exists": true
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  },
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Enable or disable the execution of the policy"
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Deny"
    }
  }
}
Now you can save the definition and assign it to the appropriate scope.
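As an added illustration (not part of the original post or of Azure's own evaluation engine), this small Python evaluator applies the rule above to sample resource types. It shows why “like” with a trailing “*” covers every type under the provider, while the built-in's “in” operator only matches types listed explicitly. The template resolver and the case-insensitive wildcard matching are simplified assumptions written for this example.

```python
import re
# Constructed copy of the rule from this post, so the example runs offline.
DENY_COMPUTE = {
    "mode": "All",
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "like": "Microsoft.Compute/*"},
            {"value": "[field('type')]", "exists": True},
        ]},
        "then": {"effect": "[parameters('effect')]"},
    },
    "parameters": {"effect": {"type": "String", "defaultValue": "Deny",
                              "allowedValues": ["Audit", "Deny", "Disabled"]}},
}

def _like(value, pattern):
    # 'like' knows only '*' as a wildcard and is case-insensitive; escape the rest.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def _resolve(expr, resource, params):
    # Simplified resolver (assumption): only [field('x')] and [parameters('x')].
    if m := re.fullmatch(r"\[field\('(\w+)'\)\]", expr):
        return resource.get(m.group(1))
    if m := re.fullmatch(r"\[parameters\('(\w+)'\)\]", expr):
        return params[m.group(1)]
    return expr

def _condition(cond, resource, params):
    lhs = (resource.get(cond["field"]) if "field" in cond
           else _resolve(cond["value"], resource, params))
    if "exists" in cond:
        return (lhs is not None) == cond["exists"]
    if lhs is None:
        return False
    if "like" in cond:
        return _like(lhs, cond["like"])
    if "in" in cond:  # the built-in's operator: exact match against a fixed list
        return lhs.lower() in [v.lower() for v in cond["in"]]
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(definition, resource, assignment_params=None):
    # Returns the effect applied to `resource` ('Deny'/'Audit') or None if unaffected.
    params = {k: v["defaultValue"] for k, v in definition["parameters"].items()}
    params.update(assignment_params or {})
    rule = definition["policyRule"]
    if not all(_condition(c, resource, params) for c in rule["if"]["allOf"]):
        return None
    effect = _resolve(rule["then"]["effect"], resource, params)
    return None if effect == "Disabled" else effect  # Disabled = not evaluated
```

Passing {"effect": "Audit"} as assignment parameters mirrors overriding the default effect at assignment time, which is useful for a trial run before enforcing Deny.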
Explanation:
Azure Resource Providers add functionality to your subscription. If the resource provider is not enabled on your subscription, you will not be able to use associated services or features. While disabling unnecessary resource providers is recommended, blocking them with Azure Policy provides defense in depth.