
Use descriptive policy exemptions

Operational Excellence · Policy · Rule · 2021_06 · Awareness

Policy exemptions should use a display name and description.

Description

Policy exemptions can be configured with a display name and description. Use these additional properties to clearly convey the reason for the policy exemption. Additionally, consider providing a link or reference to track exemption conditions and approval.

Recommendation

Consider setting a display name and description for each policy exemption.

Examples

Azure templates

To deploy policy exemptions that pass this rule:

  • Set the properties.displayName property with a valid value.
  • Set the properties.description property with a valid value.

For example:

Azure Template snippet
{
    "comments": "An example exemption.",
    "name": "exemption-001",
    "type": "Microsoft.Authorization/policyExemptions",
    "apiVersion": "2020-07-01-preview",
    "properties": {
        "policyAssignmentId": "<assignment_id>",
        "policyDefinitionReferenceIds": [],
        "exemptionCategory": "Waiver",
        "expiresOn": "2021-04-27T14:00:00Z",
        "displayName": "Exemption 001",
        "description": "An example exemption.",
        "metadata": {
            "requestedBy": "Apps team",
            "approvedBy": "Security team",
            "createdBy": "DevOps pipeline"
        }
    }
}
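
The check described above can be run over a template before deployment. The following is an added example, not code from this page or from the rule's own implementation. It assumes that a "valid value" means a non-blank string; the function names and the sample template are constructed for illustration.

```python
EXEMPTION_TYPE = "microsoft.authorization/policyexemptions"
REQUIRED = ("displayName", "description")

def iter_resources(node):
    """Yield each resource, descending into child resources and nested deployment templates."""
    resources = node.get("resources", [])
    if isinstance(resources, dict):  # symbolic-name templates key resources by name
        resources = resources.values()
    for res in resources:
        if not isinstance(res, dict):
            continue
        yield res
        yield from iter_resources(res)
        props = res.get("properties")
        if isinstance(props, dict) and isinstance(props.get("template"), dict):
            yield from iter_resources(props["template"])

def check_exemptions(template):
    """Return (resource name, property) for each exemption lacking a descriptor."""
    findings = []
    for res in iter_resources(template):
        if str(res.get("type", "")).lower() != EXEMPTION_TYPE:
            continue
        props = res.get("properties") if isinstance(res.get("properties"), dict) else {}
        for key in REQUIRED:
            value = props.get(key)
            # Assumption: a "valid value" is a string with non-whitespace content.
            if not isinstance(value, str) or not value.strip():
                findings.append((res.get("name", "<unnamed>"), key))
    return findings

def sample_exemption(name, **props):
    # Constructed sample resource; <assignment_id> is the page's placeholder.
    return {"type": "Microsoft.Authorization/policyExemptions", "name": name,
            "apiVersion": "2020-07-01-preview",
            "properties": {"policyAssignmentId": "<assignment_id>",
                           "exemptionCategory": "Waiver", **props}}

# Constructed template: one compliant exemption, one without a description,
# and one with a blank display name inside a nested deployment.
SAMPLE_TEMPLATE = {"resources": [
    sample_exemption("exemption-001", displayName="Exemption 001", description="An example exemption."),
    sample_exemption("exemption-002", displayName="Exemption 002"),
    {"type": "Microsoft.Resources/deployments", "name": "nested-001",
     "properties": {"template": {"resources": [
         sample_exemption("exemption-003", displayName="   ", description="Tracked in a change record.")]}}},
]}

if __name__ == "__main__":
    for name, prop in check_exemptions(SAMPLE_TEMPLATE):
        print(f"{name}: properties.{prop} is missing or empty")
```

Template expressions such as a parameter reference are strings and pass this check unresolved, so the resolved value still needs review.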
