Azure Policy gradual rollout with resource selectors
Remember in the old days, when using Group Policy on-premises, you had the flexibility to link a Group Policy Object to an organizational unit and then add WMI or security filtering to further narrow down which computers or users that GPO applied to. Fast forward to Azure: Azure Policy never really had that type of flexibility. It had exemptions, and you could scope an assignment down to a resource group, but that is not as flexible as security filtering in Group Policy.
This has now changed with Azure Policy resource selectors, a new capability that lets you gradually roll out a policy by filtering the resources the assignment applies to. At the time of writing you can filter by resource location, by resource type, and by whether a resource is a subscription-level resource that has no location. This is particularly helpful because you can now stage a rollout just by editing the assignment; you no longer have to edit the policy definition to do that.
Video demonstration
Demo
Let's explore how you can use this new feature to gradually roll out an Azure Policy assignment based on the resource region.
Setup
We have two AKS clusters in the same resource group, one in the West Europe region and one in the East US region, and we have a requirement to deploy the Azure Policy add-on to both clusters so we can properly govern the workloads running inside them. We will use the Azure Policy resource selector feature to first roll out this policy to the West Europe cluster and then, after validation, extend it to the East US cluster just by editing the policy assignment.
We can see initially that neither of our clusters has the add-on enabled.
Now we will create a new Azure Policy assignment to enable the add-on, scoped to the resource group that contains both clusters. We can see that the Resource selectors option is now visible in the portal.
We will choose the resourceLocation selector kind to scope this assignment first to the resources in the West Europe region.
After about 15 minutes, looking at the Policies tab of each AKS cluster, we can see that the policy has been applied only to the West Europe cluster, even though the assignment is scoped to the resource group that holds both clusters.
Now, after performing all our tests on the AKS cluster in the West Europe region and validating all our requirements, we are ready to complete the rollout of the add-on to the East US cluster. All we have to do is edit the existing policy assignment and add the second region to its resource selector.
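The same two-wave rollout can be scripted instead of clicked through the portal. The script below is an added example, not code from the original post: it builds the policy assignment body with a `resourceLocation` selector and PUTs it to the ARM REST API through `az rest`, first with West Europe only, then with West Europe and East US. The subscription ID, resource group, assignment name and region list are placeholders; the built-in definition GUID is the one I know for "Deploy Azure Policy Add-on to Azure Kubernetes Service clusters", so verify it in your tenant before relying on it. By default the script only prints the wave-1 body; set `AZ_DEPLOY=1` to actually call Azure.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: stage an Azure Policy assignment
# by region with resourceSelectors, driving the ARM REST API through `az rest`.
set -eu

# Assumptions (placeholders, not values from the post). Override via environment.
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-aks-demo}"
ASSIGNMENT_NAME="${ASSIGNMENT_NAME:-deploy-aks-policy-addon}"
# Built-in "Deploy Azure Policy Add-on to Azure Kubernetes Service clusters".
# Verify the GUID in your tenant before use, e.g.
#   az policy definition list --query "[?contains(displayName,'Azure Policy Add-on')].[name,displayName]" -o table
POLICY_DEFINITION_ID="/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7"
API_VERSION="2022-06-01"   # policyAssignments API version that carries resourceSelectors
ARM="https://management.azure.com"

# Assignment scope: the resource group that holds both clusters.
scope() {
  printf '/subscriptions/%s/resourceGroups/%s' "$SUBSCRIPTION_ID" "$RESOURCE_GROUP"
}

# Turn "westeurope eastus" into the JSON list "westeurope","eastus".
json_list() {
  out=""
  for item in "$@"; do
    out="${out:+$out,}\"$item\""
  done
  printf '%s' "$out"
}

# Full assignment body. Only the "in" list of the resourceLocation selector
# changes between rollout waves; policyDefinitionId and scope stay the same.
# DeployIfNotExists needs a managed identity, hence "location" and "identity".
assignment_body() {
  cat <<EOF
{
  "location": "westeurope",
  "identity": { "type": "SystemAssigned" },
  "properties": {
    "displayName": "Deploy Azure Policy Add-on to AKS (staged by region)",
    "policyDefinitionId": "$POLICY_DEFINITION_ID",
    "resourceSelectors": [
      {
        "name": "rolloutRegions",
        "selectors": [
          { "kind": "resourceLocation", "in": [ $(json_list "$@") ] }
        ]
      }
    ]
  }
}
EOF
}

assignment_uri() {
  printf '%s%s/providers/Microsoft.Authorization/policyAssignments/%s?api-version=%s' \
    "$ARM" "$(scope)" "$ASSIGNMENT_NAME" "$API_VERSION"
}

# PUT creates or updates the assignment. Calling it again with more regions
# is exactly the "edit the assignment" step: the definition is never touched.
push_assignment() {
  az rest --method put --uri "$(assignment_uri)" --body "$(assignment_body "$@")"
}

# Read back what the service stored, to confirm the selector took effect.
show_selectors() {
  az rest --method get --uri "$(assignment_uri)" \
    --query 'properties.resourceSelectors[0].selectors[0].in' -o tsv
}

if [ "${AZ_DEPLOY:-0}" = "1" ]; then
  push_assignment westeurope           # wave 1: West Europe cluster only
  show_selectors
  # After validating the West Europe cluster:
  # push_assignment westeurope eastus  # wave 2: add East US
else
  assignment_body westeurope           # dry run: print the wave-1 body
fi
```

Two caveats when you go this route instead of the portal. A selector can use `notIn` instead of `in` if it is easier to express the regions you are holding back. And unlike the portal, a raw PUT does not grant the assignment's managed identity the role the DeployIfNotExists definition requires; grant it yourself (for example with `az role assignment create`) and create a remediation task, otherwise clusters that already exist will show as non-compliant without the add-on being deployed.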
Summary
At the time of this post, Azure Policy resource selectors are in preview. It is a great capability that lets you scope Azure Policy assignments and gradually roll out a policy based on conditions (currently limited to resource location, resources without a location, and resource type) without having to change the policy definition.