Differences between Azure Policy Exclusions, Exemptions and Overrides


In this blog post I will describe the differences between Azure Policy exclusions, exemptions and overrides.

If you missed my previous post on Azure Policy inheritance, you can find it at the following link: Azure Policy Inheritance explained.

Let’s get started and understand the differences and use cases for each.

Azure Policy Exclusions
Azure Policy allows organisations to enforce rules and compliance across resources in Azure. Compliance status is visible on the Azure Policy overview page, which provides a single pane of glass view of the resources that are compliant or non-compliant in their environments. However, there are cases where an organisation does not want Azure Policy to evaluate every resource. One of the features of Azure Policy is the ability to exclude certain scopes from a policy assignment. This is known as Azure Policy Exclusions. Let’s continue to a couple of examples below where we could use Azure Policy Exclusions.

Your organisation has a policy that audits all storage accounts to ensure the replication for disaster recovery purposes is set to geo-redundant replication.

However, there is one subscription that contains storage accounts used for development and testing purposes that do not need to be scanned by this policy. In this case, you can create a policy assignment that applies to all subscriptions, and exclude the subscription containing the development and testing storage accounts. This way, the policy will apply to all storage accounts except for those in the excluded subscription. Furthermore, those storage accounts from the excluded subscription will not appear on the Azure Policy overview page as non-compliant.

Another Example
Your organisation has a policy that requires all virtual machines to be deployed in a specific region for compliance reasons. However, there is one resource group that contains virtual machines used for disaster recovery purposes that need to be deployed in a different region. In this case, you can create a policy assignment that applies to all subscriptions and resource groups, and exclude the resource group containing the disaster recovery virtual machines. This way, the policy will apply to all virtual machines except for those in the excluded resource group.

Where is the exclude option?

When assigning a definition or initiative, the Exclusions option appears below the Scope field, as shown in the image below.

Let’s move on to Azure Policy Exemptions in the next section below.

Azure Policy Exemptions
The Azure Policy exemptions feature exempts a resource hierarchy or individual resources from evaluation, typically under a time-bound waiver with an expiration date applied by an engineer. A benefit of exemptions is that they are audited: the reason the engineer created the exemption, the name of the engineer and the time the exemption was created are all recorded, and all exemptions can be tracked in the Azure Policy portal. Let’s continue to a use case of an exemption below.

Let’s say we are applying the built-in definition “Storage accounts should disable public network access” with an effect set to audit. We find that the compliance assessment shows that a storage account named “imransstorageaccount” is found to be non-compliant, but it must have public network access enabled for business purposes. How do we get around this non-compliant resource? We can create an exemption and type a reason why “imransstorageaccount” was exempted. Once the exemption is created, “imransstorageaccount” will be shown as exempt in compliance view in Azure Policy.

Note: It is important to regularly review your exemptions to ensure that all eligible items are appropriately exempted and to promptly remove any that no longer qualify for exemption.

Where is the exemption option?
1. Access Azure Policy and click Assignments under the section Authoring, as shown in the image below.

2. Click the ellipsis icon (the three dots) next to the policy assignment for which you wish to create an exemption, then click Create exemption.

3. Once the exemption window launches you can select an exemption category. The first category is Waiver, for example if you are due to delete/decommission the resource. The second category is Mitigated, where you may have resolved the non-compliance issue via a different method. Providing a reason why a resource is exempted allows the reason to be audited.

You can also apply an exemption expiration date.

The policy exemption isn’t deleted when the expiry date is reached. The object is preserved for record keeping, but the exemption is no longer honored and Azure Policy will scan the resource again and mark it as compliant or non-compliant.

Exemption history can be viewed by clicking Exemptions, located under the section Authoring, as shown in the image below.

So what is the difference between Azure Policy exclusions and exemptions?

1. Exemptions can be time bound, for example, exempt for 1 month and then start scanning and reporting on the compliance status again.
2. Exemptions are audited, so it is possible to check why a resource was temporarily or permanently exempted.
3. Exemptions are configured after the resource has been scanned and appears as non-compliant. We can then create an exemption for the non-compliant resource if required.
4. Azure Policy Exclusions are different. When we create an exclusion, Policy does not scan the excluded scope or mark it as compliant or non-compliant because it is ignored. Exclusions cannot be configured to be temporary/time bound with an expiration date.
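The four points above can be made concrete by modelling the two mechanisms side by side. The following is an added example written for this post, not code from the post or from Microsoft. It uses the ARM property names that carry these settings (an assignment's `notScopes` list for exclusions; an exemption's `exemptionCategory` and `expiresOn`), but every subscription ID, scope, name, timestamp and the `<built-in-id-placeholder>` definition ID are constructed, and the evaluator is a simplified model of the behaviour the post describes, not the Azure Policy engine.

```python
"""Constructed model of Azure Policy exclusion vs exemption semantics.

Shapes follow ARM property names (notScopes, exemptionCategory, expiresOn);
all IDs, names and timestamps are made up for the example."""
from datetime import datetime, timezone

DEV_SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"   # constructed dev/test subscription
PROD_SUB = "/subscriptions/22222222-2222-2222-2222-222222222222"  # constructed production subscription

# Constructed assignment at management-group scope; the dev/test subscription is
# listed in notScopes, so nothing beneath it is ever evaluated.
ASSIGNMENT = {
    "id": "/providers/Microsoft.Management/managementGroups/contoso/providers/"
          "Microsoft.Authorization/policyAssignments/audit-storage-public-access",
    "properties": {
        "displayName": "Storage accounts should disable public network access",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/<built-in-id-placeholder>",
        "scope": "/providers/Microsoft.Management/managementGroups/contoso",
        "notScopes": [DEV_SUB],
        "enforcementMode": "Default",
    },
}

EXEMPT_ACCOUNT = (PROD_SUB + "/resourceGroups/rg-prod/providers/"
                  "Microsoft.Storage/storageAccounts/imransstorageaccount")

# Constructed exemption: a time-bound Waiver that records who asked for it and why.
EXEMPTIONS = [
    {
        "name": "imransstorageaccount-public-access-waiver",
        "scope": EXEMPT_ACCOUNT,  # the exemption is created on the resource itself
        "properties": {
            "policyAssignmentId": ASSIGNMENT["id"],
            "exemptionCategory": "Waiver",
            "expiresOn": "2024-06-30T23:59:59Z",
            "displayName": "Public network access required for business purposes",
            "description": "Approved in change ticket <placeholder>; review before expiry.",
            "metadata": {"requestedBy": "engineer@example.com"},
        },
    }
]


def in_scope(resource_id: str, scope: str) -> bool:
    """True when resource_id is the scope itself or sits beneath it (case-insensitive)."""
    r, s = resource_id.lower(), scope.lower().rstrip("/")
    return r == s or r.startswith(s + "/")


def parse_utc(ts: str) -> datetime:
    """Parse the ISO-8601 timestamp used in expiresOn; a trailing Z means UTC."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def exemption_active(exemption: dict, now: datetime) -> bool:
    """No expiresOn means never expires; an expired exemption is kept but not honoured."""
    expires = exemption["properties"].get("expiresOn")
    return expires is None or now < parse_utc(expires)


def compliance_state(resource_id: str, public_network_enabled: bool, now,
                     assignment: dict = ASSIGNMENT, exemptions: list = EXEMPTIONS) -> str:
    """Compliance state the portal would show for one storage account at time `now`."""
    if isinstance(now, str):
        now = parse_utc(now)
    props = assignment["properties"]
    # An excluded scope is never evaluated, so it produces no compliance record at all.
    if any(in_scope(resource_id, ns) for ns in props.get("notScopes", [])):
        return "not evaluated"
    # An active exemption tied to this assignment marks the resource Exempt.
    for ex in exemptions:
        if (ex["properties"]["policyAssignmentId"] == assignment["id"]
                and in_scope(resource_id, ex["scope"])
                and exemption_active(ex, now)):
            return "exempt"
    # Otherwise the audit effect evaluates the resource normally.
    return "non-compliant" if public_network_enabled else "compliant"


if __name__ == "__main__":
    dev_account = DEV_SUB + "/resourceGroups/rg-dev/providers/Microsoft.Storage/storageAccounts/devdata01"
    print(compliance_state(dev_account, True, "2024-05-01T00:00:00Z"))     # not evaluated
    print(compliance_state(EXEMPT_ACCOUNT, True, "2024-05-01T00:00:00Z"))  # exempt
    print(compliance_state(EXEMPT_ACCOUNT, True, "2024-07-01T00:00:00Z"))  # non-compliant (waiver expired)
```

Run it and compare the three printed states: the excluded dev account never gets a compliance record, the exempted production account shows as exempt while the waiver is valid, and once `expiresOn` passes the same account is evaluated again and flagged, even though the exemption object is still in the list for record keeping.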

Azure Policy Overrides (In preview at the time of writing)
Overrides are a feature that offers a capability different from exclusions and exemptions. The overrides property allows you to change the effect of a policy definition without modifying the underlying policy definition, which in turn reduces the management overhead. Let me give you examples of use cases below.

You have assigned an initiative that groups together a number of single definitions. Let’s say that one or more of the definitions inside your initiative has an effect of audit, but you wish to change the effect to deny. Azure Policy overrides allow you to override the effect from audit to deny so that you don’t have to recreate Azure policies or change the effect parameter within the policy template/JSON code. I can simply override the existing effect by editing the existing assignment and adding an override that changes the effect from audit to deny. I can add and remove overrides when needed.

Another example
I have a policy initiative named Security that includes several policy definitions, such as RestrictVMSize and RequireSQLDatabaseAuditing. The default effect of these policy definitions is audit. However, I now want to change the effect of these policy definitions to deny without modifying the underlying policy definitions or amending the parameter effect in the policy definitions template.

To achieve this, I can use Azure Policy overrides to change the effect of the policy definitions to deny. I can create an override for each policy definition and set the effect to deny. If needed, I can remove the override at a later date which will revert the effect back to the original effect of audit without me having to change the JSON file.

Where is the override option?
An override can be applied to a policy at the time of policy assignment or by editing an existing assignment.

1. Click Assignments under the section Authoring.

2. Next to the assignment name, click the ellipsis icon (…) and click Edit assignment.

3. Click the Advanced tab.

4. Click Add override.

5. Click Override value and change the effect.

6. In my case, I have a policy which does not allow resources to be deployed to any region apart from UK South. My policy effect is currently set to deny. For demo purposes, I am going to add an override with an effect of audit. Click Add to apply the override and then click Review + save.

Now the policy will not deny when resources are built outside of the UK South region but audit only and mark them as non-compliant. I can remove or edit the override when needed. Note an override was added to this policy for demo purposes only. Plan your overrides accordingly.
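To show what an override actually does to the effective effect, both for the Security initiative example above (RestrictVMSize and RequireSQLDatabaseAuditing switched from audit to deny) and for the UK South demo (deny switched to audit), here is an added example written for this post; it is not code from the post or from Microsoft. It uses the ARM shape of the `overrides` property (`kind: policyEffect`, `value`, and `policyDefinitionReferenceId` selectors), but the initiative assignment, the default effects table, the third definition `RequireResourceTag`, the `AllowedLocations` reference ID and the `<built-in-id-placeholder>` definition ID are all constructed, and the evaluation logic is a simplified model of deny versus audit behaviour rather than the Azure Policy engine.

```python
"""Constructed model of the overrides property on an Azure Policy assignment.

Shapes follow the ARM assignment property names; names and IDs are made up."""
import copy

# Constructed: default effect of each definition inside the "Security" initiative
# when the assignment carries no override.
SECURITY_DEFAULTS = {
    "RestrictVMSize": "Audit",
    "RequireSQLDatabaseAuditing": "Audit",
    "RequireResourceTag": "Audit",  # hypothetical third definition, left untouched
}

# Constructed initiative assignment with one override switching two definitions to Deny.
SECURITY_ASSIGNMENT = {
    "name": "security-initiative",
    "properties": {
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/"
                              "providers/Microsoft.Authorization/policySetDefinitions/Security",
        "overrides": [
            {
                "kind": "policyEffect",
                "value": "Deny",
                "selectors": [
                    {"kind": "policyDefinitionReferenceId",
                     "in": ["RestrictVMSize", "RequireSQLDatabaseAuditing"]}
                ],
            }
        ],
    },
}

# Constructed single-definition assignment for the UK South demo: effect Deny by default.
LOCATION_DEFAULTS = {"AllowedLocations": "Deny"}
LOCATION_ASSIGNMENT = {
    "name": "allowed-locations-uksouth",
    "properties": {
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/<built-in-id-placeholder>",
    },
}


def _selected(selector: dict, reference_id: str) -> bool:
    """Apply one policyDefinitionReferenceId selector (an 'in' or a 'notIn' list)."""
    if selector.get("kind") != "policyDefinitionReferenceId":
        return False
    if "in" in selector:
        return reference_id in selector["in"]
    if "notIn" in selector:
        return reference_id not in selector["notIn"]
    return False


def effective_effect(reference_id: str, assignment: dict, defaults: dict) -> str:
    """Effect applied for one definition reference after the assignment's overrides."""
    effect = defaults[reference_id]
    for override in assignment["properties"].get("overrides", []):
        if override.get("kind") != "policyEffect":
            continue
        selectors = override.get("selectors")
        # No selectors (single-definition assignment): the override applies to everything.
        if not selectors or all(_selected(s, reference_id) for s in selectors):
            effect = override["value"]
    return effect


def with_override(assignment: dict, value: str, reference_ids=None) -> dict:
    """Copy of the assignment with an added policyEffect override; the original is untouched."""
    updated = copy.deepcopy(assignment)
    override = {"kind": "policyEffect", "value": value}
    if reference_ids:
        override["selectors"] = [{"kind": "policyDefinitionReferenceId", "in": list(reference_ids)}]
    updated["properties"].setdefault("overrides", []).append(override)
    return updated


def without_overrides(assignment: dict) -> dict:
    """Copy with all overrides removed, reverting every definition to its default effect."""
    updated = copy.deepcopy(assignment)
    updated["properties"].pop("overrides", None)
    return updated


def deployment_outcome(reference_id: str, compliant: bool, assignment: dict, defaults: dict) -> tuple:
    """(request result, compliance state) for a deployment under the effective effect."""
    if compliant:
        return ("allowed", "compliant")
    if effective_effect(reference_id, assignment, defaults).lower() == "deny":
        return ("blocked", "non-compliant")  # Deny stops the request at deployment time
    return ("allowed", "non-compliant")      # Audit lets it through but flags it


if __name__ == "__main__":
    print(effective_effect("RestrictVMSize", SECURITY_ASSIGNMENT, SECURITY_DEFAULTS))   # Deny
    print(effective_effect("RequireResourceTag", SECURITY_ASSIGNMENT, SECURITY_DEFAULTS))  # Audit
    demo = with_override(LOCATION_ASSIGNMENT, "Audit")  # the UK South demo override
    print(deployment_outcome("AllowedLocations", False, demo, LOCATION_DEFAULTS))  # allowed, non-compliant
```

The point worth noticing is that `with_override` and `without_overrides` only touch the assignment: the definitions and their default effects never change, which is exactly why removing the override reverts RestrictVMSize to audit without editing any JSON definition. For the UK South demo, a resource deployed outside the region is blocked under the original deny assignment but allowed and flagged once the audit override is in place.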

That’s it. I hope you found the post useful.

See you at the next one.