Exclude Management Groups and/or Subscriptions from Policy Assignment
After release 2025-03-03, a new set of parameters is available that allows you to exclude Management Groups and/or Subscriptions from policy assignments. This feature helps customers who want to control the application of policies at scale during the deployment of the AMBA-ALZ pattern. Customers who have already deployed the AMBA-ALZ pattern can use this feature either by updating the existing deployment or by manually configuring the exclusion in the existing policy assignments; a guide to performing the manual exclusion is available under "Can I exclude Management Groups or Subscriptions from policy assignment?" on the FAQ page. For new deployments, the new parameters let you perform the resource exclusion at scale for policy assignments. Each resource must be specified in the standard Azure resource ID format, which for Management Groups and Subscriptions is as follows:
- Management Groups == "/providers/Microsoft.Management/managementGroups/«management group id»"
- Subscriptions == "/subscriptions/«subscription id»"
Each parameter expects an array of items, so it can be configured with more than one value, including a mix of Management Groups and Subscriptions. Below are some use cases with the values to be passed for the exclusion:
"value": ["/providers/Microsoft.Management/managementGroups/mgmtGrp-1", "/providers/Microsoft.Management/managementGroups/mgmtGrp-2"]
"value": ["/subscriptions/00000000-0000-0000-0000-000000000000", "/subscriptions/11111111-1111-1111-1111-111111111111"]
"value": ["/providers/Microsoft.Management/managementGroups/mgmtGrp-1", "/subscriptions/11111111-1111-1111-1111-111111111111"]
"value": ["/providers/Microsoft.Management/managementGroups/mgmtGrp-1", "/providers/Microsoft.Management/managementGroups/mgmtGrp-2", "/subscriptions/00000000-0000-0000-0000-000000000000", "/subscriptions/11111111-1111-1111-1111-111111111111"]
During the deployment, the policy assignment will be configured with the requested exclusion.
This feature is only available when deploying through the following methods: GitHub Actions, Azure Pipelines, Azure CLI or Azure PowerShell, since the AMBA-ALZ portal experience does not require the configuration of a parameter file.
To use this feature, populate the relevant section of the parameter file with the IDs of the resources to be excluded. The section called policyAssignmentExclusionList contains an entry for each policy assignment configured during the deployment; these entries have no default value.
A resource to be excluded can be entered more than once, under different scopes, where applicable. Make sure you enter each resource under the section for the correct assignment scope and, as documented in the preceding section, in the correct resource ID form. You can use any of the following combinations when configuring the exclusion:
- One or more Management Groups
- One or more Subscriptions
- A mix of one or more Management Groups and one or more Subscriptions
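A malformed or duplicated entry in policyAssignmentExclusionList silently leaves a scope in (or out of) policy enforcement, so it is worth checking the section before deploying. The following is an added example, not part of the AMBA-ALZ project: it validates every entry against the two resource ID forms given above and flags duplicates within a section. The section names and the {"value": [...]} wrapper around each array are assumptions about the parameter file layout; adapt the accessor to the real file.

```python
import json
import re

# Accepted resource ID forms, exactly as documented above (namespace matched case-insensitively).
MG_RE = re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/]+$", re.IGNORECASE)
SUB_RE = re.compile(r"^/subscriptions/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)


def classify_scope(resource_id):
    """Return 'managementGroup', 'subscription', or None when the ID is in neither accepted form."""
    if isinstance(resource_id, str) and MG_RE.match(resource_id):
        return "managementGroup"
    if isinstance(resource_id, str) and SUB_RE.match(resource_id):
        return "subscription"
    return None


def validate_exclusion_list(exclusion_list):
    """Check each section of policyAssignmentExclusionList; return (section, entry, problem) tuples.

    A section may hold the array directly or wrap it as {"value": [...]} (assumed; both accepted).
    """
    problems = []
    for section, ids in exclusion_list.items():
        if isinstance(ids, dict) and "value" in ids:
            ids = ids["value"]
        if not isinstance(ids, list):
            problems.append((section, ids, "must be an array, even for a single entry"))
            continue
        seen = set()
        for rid in ids:
            if classify_scope(rid) is None:
                problems.append((section, rid, "not a management group or subscription resource ID"))
            elif rid.lower() in seen:
                problems.append((section, rid, "duplicate entry in this section"))
            else:
                seen.add(rid.lower())
    return problems


# Constructed sample: section names are placeholders, not the real AMBA-ALZ assignment names.
SAMPLE = json.loads("""{
  "Assignment-A": {"value": ["/providers/Microsoft.Management/managementGroups/mgmtGrp-1",
                             "/subscriptions/11111111-1111-1111-1111-111111111111"]},
  "Assignment-B": {"value": ["/subscriptions/00000000-0000-0000-0000-000000000000",
                             "/Subscriptions/00000000-0000-0000-0000-000000000000",
                             "mgmtGrp-2",
                             "/subscriptions/not-a-guid"]},
  "Assignment-C": {"value": "/providers/Microsoft.Management/managementGroups/mgmtGrp-1"}
}""")

if __name__ == "__main__":
    for section, entry, problem in validate_exclusion_list(SAMPLE):
        print(f"{section}: {entry!r}: {problem}")
```

Assignment-A passes; the sample deliberately contains a case-variant duplicate, a bare management group name, a non-GUID subscription and a scalar instead of an array, which are the mistakes most likely to slip through a manual edit.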
Once the parameter has been properly configured, go ahead with the deployment of the AMBA-ALZ pattern using one of the following methods:
- To deploy with GitHub Actions, continue with Deploy with GitHub Actions
- To deploy with Azure Pipelines, continue with Deploy with Azure Pipelines
- To deploy with Azure CLI, continue with Deploy with Azure CLI
- To deploy with Azure PowerShell, continue with Deploy with PowerShell
You will get policy assignments configured with the excluded resources (if any):