Do not use tags for filtering security related Azure Policies

I spend a lot of time on Microsoft Q&A trying to help people by not just providing with answers but also educating them and pushing them to learn more. Recently I was asked to help with Azure Policy rule and I did.

Looking at the rule though got me thinking about using tags for filtering which policy to which resources to apply. Overall I am two hands up for that approach. I think it is good approach for doing management at scale and not having to deal with micro-management. At the same time such approach should be used with cautiousness. For me the stop line for this approach is security related policies where you may be try to enforce TLS 1.2 or disable public network access. The reason is that you are basically allowing people to avoid certain policy by just changing a tag or its value. There is a reason why Azure Policies are mainly subscription/management group scoped resource that you need additional permissions to control. So I highly recommend to not use tags filtering in your policy rules when the policy relates to security setting. Instead I would recommend to use Azure Policy exemptions or Azure Policy exclusions. Never the less if you decide to go that route I would also strongly recommend to do two things:

  • Create another policy with similar rule but to not include the tags filtering and be just in audit effect. That way you will have overview of which resources are not compliant due to having tag that filters them out by the other policy.
  • Regularly review the resources that are not compliant due tag exclusion. You can do that on daily or at least weekly bases. You can even use Log Analytics to alert on the Azure Policy states. You can check the blog post by my friend Tao Yang.

2 thoughts on “Do not use tags for filtering security related Azure Policies

  1. If you could create exemption/exclusion without resources already existing then it would not be an issue.

    1. The exemptions indeed requires that the resource be already present but you can create an exemption on pre-created resource group and once the resource is deployed to remove it and create exemption on the resource.
      exceptions (not scopes) allows you to define the resource that will be excluded without having to exists in advance if you deploy your policies via IaC. After creation you can do the same thing by creating exemption for the resource and remove it it from excluded.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.