It might sound simple, but we often get asked about the difference between an Azure Policy and an Azure Initiative. Although they both have the same three components (definition, assignment and parameters), it’s not always clear which one to use when deciding how to manage your resources.
Both tools help the business set priorities at a strategic level so that issues can be managed and prevented. Let’s begin by confirming what we know about each.
DEFINITION: WHAT IS A POLICY?
Azure Policy is a service from Microsoft that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. Azure Policy meets this ongoing need by evaluating your resources for non-compliance with assigned policies.
A good example using a built-in policy is the Allowed Storage Account SKUs policy, which checks whether the SKU (the definition) of deployed storage accounts (the assignment) is within an allowed range (the parameters). The effect of this policy is to deny any storage account that doesn't use one of the defined SKU sizes.
Remember that Azure Policy's compliance evaluation is now provided for all assignments regardless of pricing tier. If your assignments do not show the compliance data, please ensure that the subscription is registered with the Microsoft.PolicyInsights resource provider.
DEFINITION: WHAT IS AN INITIATIVE?
An Azure initiative, on the other hand, is a collection of policy definitions that are tailored towards achieving a singular overarching goal. The aim here is to simplify managing and assigning multiple policy definitions by grouping them as one single item.
For example, you could use the initiative called Enable Monitoring in Azure Security Center to co-ordinate a group of policies that monitor all the available security recommendations in your Azure Security Center.
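As an added example (not code from the original post), here are the three components for both a policy and an initiative written as a Bicep template: a custom allowed-SKU policy that mirrors the built-in one described above, an initiative that wraps it behind one shared parameter, and a single assignment of that initiative. The resource names, the `example-` identifiers and the two SKU values are assumptions.

```bicep
// Deploy at subscription scope, e.g. az deployment sub create -l <region> -f main.bicep
targetScope = 'subscription'
// Assumed allowed range for this example; anything else is denied at deployment time.
param allowedSkus array = ['Standard_LRS', 'Standard_GRS']

// DEFINITION: which resources, which condition, which effect, plus a PARAMETER
// that keeps the allowed range configurable per assignment.
resource skuPolicy 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'example-allowed-storage-skus'
  properties: {
    displayName: 'Allowed storage account SKUs (example)'
    policyType: 'Custom'
    mode: 'Indexed'
    parameters: {
      listOfAllowedSKUs: { type: 'Array', metadata: { displayName: 'Allowed SKUs' } }
    }
    policyRule: {
      if: {
        allOf: [
          { field: 'type', equals: 'Microsoft.Storage/storageAccounts' }
          // deny when the account's SKU is NOT in the parameter list
          { not: { field: 'Microsoft.Storage/storageAccounts/sku.name', in: '[parameters(\'listOfAllowedSKUs\')]' } }
        ]
      }
      then: { effect: 'deny' }
    }
  }
}

// INITIATIVE (policy set): groups definitions behind one shared parameter, so more
// policies can be added to the set later without changing the assignment.
resource storageInitiative 'Microsoft.Authorization/policySetDefinitions@2021-06-01' = {
  name: 'example-storage-baseline'
  properties: {
    displayName: 'Storage baseline (example initiative)'
    parameters: { listOfAllowedSKUs: { type: 'Array' } }
    policyDefinitions: [
      {
        policyDefinitionReferenceId: 'allowedSkus'
        policyDefinitionId: skuPolicy.id
        parameters: { listOfAllowedSKUs: { value: '[parameters(\'listOfAllowedSKUs\')]' } }
      }
    ]
  }
}

// ASSIGNMENT: assigning the initiative once evaluates every member policy at this scope.
resource baselineAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'example-storage-baseline'
  properties: {
    policyDefinitionId: storageInitiative.id
    parameters: { listOfAllowedSKUs: { value: allowedSkus } }
  }
}
```

Compliance results for the assignment appear under the initiative, broken down per member policy, which is what makes adding a second definition to the set later a change to the initiative rather than to the assignment.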
POLICY, INITIATIVE OR BOTH?
Which one you use depends on what you want to achieve. In my opinion, a good place to start is to define your goals and assess how they will change over time. If the scope is likely to change and you envisage adding new requirements, using an Azure initiative from the start future-proofs the setup and makes it easier to manage.
If you ONLY need a single policy enforced and evaluated and don’t see it expanding, it’s best to use a single policy. If it’s more complicated, then an initiative is the way forward. Take PCI as an example, where requirements may change as internal governance or legislation is updated. Instead of managing a growing number of separate policies for PCI-DSS compliance, you would set up and manage a single initiative, ensuring that all those individual policies are evaluated together.
In practice, you may find that you need a combination of single policies and initiatives to meet a range of governance requirements. Hopefully, you now understand the difference and how to use them to best effect!
Let me know how you get on, or if you have any questions.