Use descriptive policy exemptions

Operational Excellence · Policy · Rule · 2021_06 · Awareness

Policy exemptions should use a display name and description.

Description

Policy assignments can be configured with a display name and description. Use these additional properties to clearly convey the reason for the policy exemption. Additionally, consider providing a link or reference to track exemption conditions and approval.

Recommendation

Consider setting a display name and description for each policy exemption.

Examples

Azure templates

To deploy policy exemptions that pass this rule:

• Set the properties.displayName property with a valid value.
• Set the properties.description property with a valid value.

For example:

Azure Template snippet

{
    "comments": "An example exemption.",
    "name": "exemption-001",
    "type": "Microsoft.Authorization/policyExemptions",
    "apiVersion": "2020-07-01-preview",
    "properties": {
        "policyAssignmentId": "<assignment_id>",
        "policyDefinitionReferenceIds": [],
        "exemptionCategory": "Waiver",
        "expiresOn": "2021-04-27T14:00:00Z",
        "displayName": "Exemption 001",
        "description": "An example exemption.",
        "metadata": {
            "requestedBy": "Apps team",
            "approvedBy": "Security team",
            "createdBy": "DevOps pipeline"
        }
    }
}

Links

• OE:04 Tools and processes
• Azure Policy exemption structure
• Azure deployment reference

Comments