Ensure "Not Allowed Resource Types" Policy Assignment in Use

01 Sign in to Azure Management Console.

02 Navigate to Azure Policy blade at https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyMenuBlade.

03 In the navigation panel, choose Assignments to access the list with all the initiative and policy assignments available within your cloud account.

04 On the Assignments page, perform the following:

1. Choose the Azure cloud subscription that you want to examine from the Scope field.
2. Select Policy from the Definition type dropdown list to display only the policy assignments created for the selected subscription.

05 Click on the name of the policy assignment that you want to examine.

06 On the Edit Policy Assignment page, select the Basics tab and check the policy definition name configured for the selected assignment, listed under Policy definition. If the policy definition name is different than Not allowed resource types, the selected policy assignment does not let you specify the resource types that your organization cannot deploy within the selected Azure subscription.

07 Repeat step no. 5 and 6 to check other policy assignments created within the selected subscription.

08 Repeat steps no. 4 – 7 for each subscription available in your Microsoft Azure cloud account.

01 Run account list command (Windows/macOS/Linux) using custom query filters to list the IDs of the subscriptions available in your Azure account:

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
  "abcdabcd-1234-abcd-1234-abcdabcdabcd",
  "abcd1234-abcd-1234-abcd-abcd1234abcd",
]

03 Run policy assignment list command (Windows/macOS/Linux) using the ID of the Azure cloud subscription that you want to examine as identifier parameter and custom query filters to list the name and the policy definition ID of each Azure policy assignment, available in the selected subscription:

az policy assignment list
	--scope /subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd
	--output table
	--query '[*].{"name": displayName,"policyDefinitionId": policyDefinitionId}'

04 The command output should return the requested policy information:

Name                                  PolicyDefinitionId
------------------------------------  ----------------------------------------
cc-audit-vm-without-dr-configuration  .../1234abcd-1234-abcd-1234-abcd1234abcd
cc-audit-vm-backups-configuration     .../abcdabcd-1234-abcd-1234-abcd1234abcd
cc-audit-cosmosdb-locations           .../abcd1234-abcd-1234-abcd-1234abcd1234

05 Run policy definition show command (Windows/macOS/Linux) using the ID of the policy definition that you want to examine as value for the --name identifier parameter and custom output filters to describe the name of the built-in policy definition associated with the selected policy assignment:

az policy definition show
	--name 1234abcd-1234-abcd-1234-abcd1234abcd
	--query 'displayName'

06 The command output should return the name of the requested policy definition:

"Audit virtual machines without disaster recovery configured"

07 Repeat step no. 5 and 6 to check other policy assignments available in the selected cloud subscription.

08 Repeat steps no. 3 – 7 for each subscription available in your Microsoft Azure cloud account.

01 Sign in to Azure Management Console.

02 Navigate to Azure Policy blade at https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyMenuBlade.

03 In the navigation panel, choose Assignments to access the list with all the initiative and policy assignments available within your cloud account.

04 On the Assignments page, click on the Assign policy button to initiate the "Not Allowed Resource Types" policy assignment setup.

05 On the Assign policy page, perform the following:

1. Select the Basics tab to configure the assignment basic settings.
2. For Scope, choose the Azure cloud subscription that you want to use as policy assignment scope. A scope determines what resources or grouping of resources the policy assignment gets enforced on.
3. (Optional) For Exclusions, choose the resource group or the cloud resources that can be excluded based on the selected scope. Exclusions start at one level lower than the level of the selected scope (in this case, the selected subscription). For example, at the subscription scope, you can assign a definition that prevents the creation of Azure Key Vaults. You can exclude a resource group from the selected subscription that is intended for administration only.
4. Click on the Policy definition ellipsis to open the list of available definitions. On the Available Definitions panel, select the built-in policy definition named Not allowed resource types. This built-in policy definition enables you to specify the cloud resource types that your organization cannot deploy for security and compliance purposes.
5. Provide a unique name for your new policy assignment in the Assignment name box.
6. Provide a short description for the new assignment in the Description text box.
7. Make sure that Policy enforcement is set to Enabled.
8. Once the assignment basics are configured, select the Parameters tab to specify the required parameters for the policy assignment.
9. Click inside Not allowed resource types dropdown list, and choose the type of the resource that your organization cannot deploy in the selected scope (subscription). As example, select vaults from the Microsoft.KeyVault category to ensure that Azure Key Vaults can't be created within the selected scope.
10. Click Review + create to review and validate the assignment.
11. Click Create to create the "Not Allowed Resource Types" policy assignment.

06 Repeat step no. 4 and 5 for other subscription available within your Microsoft Azure cloud account.

01 Run policy assignment create command (Windows/macOS/Linux) using the ID of the Not allowed resource types policy definition as value for the --policy parameter (i.e. 6c112d4e-5bc7-47ae-a041-ea2d9dccd749), to create a "Not Allowed Resource Types" policy assignment for the selected Azure cloud subscription (scope). In the following command example, the cloud resource type that your organization cannot deploy within the specified scope, defined as value of the -p parameter, is Azure Key Vault:

az policy assignment create
	--display-name cc-not-allowed-resource-types
	--policy 6c112d4e-5bc7-47ae-a041-ea2d9dccd749
	-p "{ \"listOfResourceTypesNotAllowed\": { \"value\": [ \"microsoft.keyvault/vaults\" ] } }"
	--scope /subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd

02 The command output should return the new Azure policy assignment metadata:

{
  "description": null,
  "displayName": "cc-not-allowed-resource-types",
  "enforcementMode": "Default",
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/providers/Microsoft.Authorization/policyAssignments/abcdabcdabcdabcdabcdab",
  "identity": null,
  "location": null,
  "metadata": {
    "createdBy": "abcd1234-abcd-1234-abcd-1234abcd1234",
    "createdOn": "2020-06-19T19:30:35.0545765Z",
    "updatedBy": null,
    "updatedOn": null
  },
  "name": "abcdabcdabcdabcdabcdab",
  "notScopes": null,
  "parameters": {
    "listOfResourceTypesNotAllowed": {
      "value": [
        "microsoft.keyvault/vaults"
      ]
    }
  },
  "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
  "scope": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd",
  "sku": {
    "name": "A0",
    "tier": "Free"
  },
  "type": "Microsoft.Authorization/policyAssignments"
}

03 Repeat step no. 1 and 2 for other cloud subscription available in your Microsoft Azure account.