Assign a Single Policy to a specific subscription #662
Unanswered
ericrousse asked this question in Q&A
Replies: 1 comment
Hi @ericrousse, I believe what you need to do is to create another layer in your management group structure and within that management group, you'll place your single/specific subscription. That way, you'll be able to assign the scope in your policy assignment, for instance to:
The entire reason for having management groups is to restrict policies at management group level, not at subscription level. See my post from about a month ago where I literally provided the answer to my own question myself: #639
Hello all,
Yeah, first of all, I've gone through a couple of articles/blog posts about this, and so far the conclusion for me and one of my colleagues is that this should not be done in Azure Policy, since it's specific to only one sub. And I've gone through the EPAC doc, and from what I think it could be done, by maybe adding a new Pac Selector scoped to a sub. But I remember seeing another doc saying that I should have only a couple of Pac Selectors. So I'm not sure how I could do this.
Basically my need is: in this sub, I will have a global assignment for all my subs that will assign a DCR (let's call them Infra DCR) + AMA, going to an Infra Security Log Analytics.
And the client in this sub also wants his logs in his own Log Analytics. And of course our security team will not allow the client to go into the major Log Analytics, so a DCR Clients that will connect the AMA agent to the Infra Sec Log Analytics and his own Log Analytics, so we were trying to assign a single policy that would add all Windows VMs into a DCR. Another of my colleagues thinks this should be done by our team in Azure Policy, and one of my colleagues thinks it should be automated in the sub of the clients using maybe a Function App or Logic App. Oh, and of course, the people in this sub are still learning the cloud, so we don't want to build anything for them, so that's why the Azure Policy would have been a great and simple solution.
Thanks. What is the right approach to this kind of issue? Because to me it seems I could encounter the same dilemma in the future.