
Use assigned by for policy assignments

Operational Excellence · Policy · Rule · 2021_06 · Awareness

Policy assignments should use assignedBy metadata.

Description

When a policy assignment is created through the Azure Portal, the assignedBy metadata is set automatically. This metadata field is intended to indicate the person or team assigning the policy to a resource scope.

When automating policy management, it may be helpful to identify assignments managed by code.

Recommendation

Consider setting assignedBy metadata for each policy assignment.

Examples

Azure templates

To deploy policy assignments that pass this rule:

  • Set the properties.metadata.assignedBy property with a valid value.

For example:

Azure Template snippet
{
    "comments": "Initiative assignment",
    "name": "assignment-001",
    "type": "Microsoft.Authorization/policyAssignments",
    "apiVersion": "2019-06-01",
    "properties": {
        "displayName": "Assignment 001",
        "description": "An example policy assignment.",
        "metadata": {
            "assignedBy": "DevOps pipeline"
        },
        "enforcementMode": "Default"
    }
}
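
To inventory which assignments in a template carry assignedBy and which do not, the following added example (not part of the original page or the rule's own implementation) walks a template's resources, including child resources and nested deployments. The function names and the sample template are constructed for illustration; it assumes resources is an array and treats any non-blank string as a valid value.

```python
ASSIGNMENT_TYPE = "microsoft.authorization/policyassignments"

# Constructed sample: one tagged assignment, one with no metadata,
# and one inside a nested deployment whose assignedBy is blank.
SAMPLE_TEMPLATE = {
    "resources": [
        {"type": "Microsoft.Authorization/policyAssignments", "name": "assignment-001",
         "properties": {"metadata": {"assignedBy": "DevOps pipeline"}}},
        {"type": "Microsoft.Authorization/policyAssignments", "name": "assignment-002",
         "properties": {"displayName": "No metadata"}},
        {"type": "Microsoft.Resources/deployments", "name": "nested",
         "properties": {"template": {"resources": [
             {"type": "Microsoft.Authorization/policyAssignments", "name": "assignment-003",
              "properties": {"metadata": {"assignedBy": "  "}}}]}}},
    ]
}

def iter_resources(resources):
    """Yield each resource, descending into child resources and nested templates."""
    for res in resources or []:
        if not isinstance(res, dict):
            continue
        yield res
        yield from iter_resources(res.get("resources"))
        nested = (res.get("properties") or {}).get("template")
        if isinstance(nested, dict):
            yield from iter_resources(nested.get("resources"))

def audit_assigned_by(template):
    """Return (tagged, missing): name -> assignedBy, and names lacking a value."""
    tagged, missing = {}, []
    for res in iter_resources(template.get("resources")):
        # Resource type names are compared case-insensitively.
        if str(res.get("type", "")).lower() != ASSIGNMENT_TYPE:
            continue
        metadata = (res.get("properties") or {}).get("metadata") or {}
        value = metadata.get("assignedBy")
        name = res.get("name", "<unnamed>")
        if isinstance(value, str) and value.strip():
            tagged[name] = value
        else:
            missing.append(name)
    return tagged, missing

if __name__ == "__main__":
    tagged, missing = audit_assigned_by(SAMPLE_TEMPLATE)
    for name, owner in tagged.items():
        print(f"OK      {name}: assignedBy={owner!r}")
    for name in missing:
        print(f"MISSING {name}: set properties.metadata.assignedBy")
```

Template expressions such as a parameter reference count as set here because they are non-blank strings; the resolved value is not evaluated.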
