
TL;DR: Quick Summary
Azure Policy enables organizations to enforce and continuously audit compliance across their Azure environments. This article focuses on how Azure Policy helps validate and enforce best practices for Network Security Groups (NSGs) and Azure Firewall configurations. You’ll get definitions, use cases, benefits, sample policies, PowerShell commands, and Bicep templates for secure, scalable governance.
What is Azure Policy?
Azure Policy is a governance service that allows you to define and assign rules (policies) that enforce desired configurations and compliance standards across Azure resources.
Key Terms
| Term | Definition |
|---|---|
| Policy Definition | A JSON rule template that specifies the condition (e.g., “if a resource has a certain property”) and effect (e.g., Audit, Deny, DeployIfNotExists). It can be built-in or custom. |
| Policy Assignment | The application of a policy to a defined scope such as a management group, subscription, or resource group. Assignments can include parameters to make policies dynamic. |
| Initiative (Policy Set) | A collection of multiple policy definitions grouped together. Useful for enforcing compliance with a larger goal, such as NIST 800-53 or zero-trust networking. |
| Compliance State | Indicates which resources are compliant or non-compliant with the assigned policies. States are shown in the Azure Policy compliance dashboard and in Microsoft Defender for Cloud, and can be queried through Azure Resource Graph for export to Log Analytics or Microsoft Sentinel for auditing. |
Benefits of Azure Policy for NSGs & Firewalls
| Benefit | Description |
|---|---|
| Continuous Compliance | Automatically audits network configurations against policy rules. Enforcement is ongoing and not limited to deployment time, which matters in environments with frequent change. |
| Built-in Policy Library | Offers hundreds of out-of-the-box policies from Microsoft targeting NSGs, Azure Firewall, diagnostics, and networking controls. Saves time versus writing custom policies. |
| Auto-Remediation | The DeployIfNotExists effect lets Azure deploy missing diagnostic settings or flow-log resources when a resource does not meet the desired state. The assignment needs a managed identity holding the roles the deployment requires; new or updated resources are remediated automatically, but resources that already existed are only fixed when a remediation task is run. |
| Audit and Report | Policy results are collected into dashboards for reporting. Can be integrated with Microsoft Defender for Cloud or SIEM tools for compliance reporting and alerts. |
| No Code Enforcement | Azure Policy does not require changes to the ARM/Bicep templates being deployed. Security and compliance can be enforced declaratively and externally by governance teams. |
Use Cases
1. Preventing Insecure NSG Rules
Administrators can enforce a policy that blocks RDP (port 3389) or SSH (port 22) from being open to the public internet. This prevents accidental exposure of sensitive management services.
2. Enforcing Firewall Diagnostic Logging
Azure Policy can be used to ensure all Azure Firewalls have diagnostic settings enabled. This ensures that firewall rule hits (network and application rules), threat intelligence matches and DNS proxy events are sent to Log Analytics, Event Hub, or a storage account for security analysis.
3. Requiring Flow Logs on NSGs
Azure Policy can enforce the presence of flow logs on every NSG. These logs are essential for tracking traffic flows, identifying anomalous behavior, and generating insights in Traffic Analytics. Note that Microsoft has announced the retirement of NSG flow logs in favour of virtual network flow logs, so new designs should target VNet flow logs and the corresponding built-in policies rather than building on NSG flow logs.
4. Denying Inbound from Any to All Ports
Policies can prevent users from creating rules that allow all inbound traffic (* source and destination). This enforces zero-trust segmentation and prevents accidental exposure.
5. Enforcing an Explicit Deny-All Rule on NSGs
Every NSG already ends with the built-in DenyAllInBound rule at priority 65500, but the default rules ahead of it (AllowVnetInBound, AllowAzureLoadBalancerInBound) permit all intra-VNet traffic. A policy can require an explicit Deny rule for any source and any port at the lowest custom priority (the highest number, 4096), so that only rules with a higher priority (a lower number) can allow traffic and teams must explicitly allow known-good flows. Be careful with the direction of "priority" here: a deny-all placed at a low number such as 100 is evaluated first and shadows every allow rule beneath it.
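The following is an added example, not code from the original article, showing why the explicit deny-all rule in use case 5 must sit at the lowest custom priority. The rules are constructed; the evaluation order (lower number first, first match wins) and the three immutable default inbound rules follow Azure's documented NSG behaviour, while source matching is simplified to exact-label comparison (no CIDR or service-tag arithmetic). `explicit_deny_all_ok` is the check a custom policy would express: a Deny */* rule exists and nothing is shadowed by it.

```python
"""Added example, not code from the original article: why an NSG deny-all rule
must sit at the LOWEST custom priority (4096). The rules below are constructed;
the evaluation order (lower number first, stop at first match) and the three
immutable default inbound rules follow Azure's documented NSG behaviour. Source
matching is simplified to exact-label comparison (no CIDR or service-tag math)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # custom rules use 100-4096; a LOWER number is evaluated FIRST
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    source: str        # "*", a CIDR, or a service tag such as "Internet"
    dest_ports: str    # "22", "3000-4000", "80,443" or "*"


# Azure appends these to every NSG; they cannot be deleted, only overridden.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*"),
]


def port_matches(spec: str, port: int) -> bool:
    """True if port is covered by '*', a single port, a range, or a comma list."""
    for part in spec.split(","):
        part = part.strip()
        if part == "*":
            return True
        if "-" in part:
            lo, hi = (int(p) for p in part.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False


def effective_rule(custom_rules, source: str, port: int, direction: str = "Inbound") -> str:
    """Walk custom + default rules in ascending priority and return 'Access:Name'
    of the first match, which is how the NSG data plane decides a flow."""
    for r in sorted(list(custom_rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if r.direction == direction and r.source in ("*", source) and port_matches(r.dest_ports, port):
            return f"{r.access}:{r.name}"
    raise RuntimeError("unreachable: DenyAllInBound matches everything")


def explicit_deny_all_ok(custom_rules) -> bool:
    """Policy-style check for use case 5: an explicit inbound Deny */* exists and
    every inbound Allow has a lower number than it (so nothing is shadowed)."""
    denies = [r.priority for r in custom_rules
              if r.direction == "Inbound" and r.access == "Deny" and r.source == "*" and r.dest_ports == "*"]
    if not denies:
        return False
    return all(r.priority < min(denies) for r in custom_rules
               if r.direction == "Inbound" and r.access == "Allow")


# Constructed NSGs. The first reads "deny all by default" literally and breaks everything.
NAIVE_NSG = [
    Rule("DenyAll", 100, "Inbound", "Deny", "*", "*"),              # evaluated first: shadows AllowHttps
    Rule("AllowHttps", 200, "Inbound", "Allow", "Internet", "443"),
]
HARDENED_NSG = [
    Rule("AllowHttps", 200, "Inbound", "Allow", "Internet", "443"),
    Rule("AllowRdpFromBastion", 300, "Inbound", "Allow", "10.0.1.0/26", "3389"),
    Rule("DenyAll", 4096, "Inbound", "Deny", "*", "*"),             # last custom slot, ahead of the defaults
]

if __name__ == "__main__":
    for label, nsg in (("naive", NAIVE_NSG), ("hardened", HARDENED_NSG), ("defaults only", [])):
        print(label, "deny-all ok:", explicit_deny_all_ok(nsg))
        for src, port in (("Internet", 443), ("Internet", 3389), ("VirtualNetwork", 3389)):
            print(f"  {src}:{port:<5} -> {effective_rule(nsg, src, port)}")
```

The "defaults only" case is the one that motivates the explicit rule: with no custom deny, RDP from anywhere inside the VNet is allowed by AllowVnetInBound, while the hardened NSG denies it unless a more specific allow exists.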
Built-in Azure Policy Definitions
| Policy Name | Category | Effect | Link |
|---|---|---|---|
| NSG should not allow RDP from Internet | Network | Audit/Deny | Policy Link |
| Configure diagnostic settings for Azure Firewall | Monitoring | DeployIfNotExists | Policy Link |
| Configure NSG flow logs to be enabled | Network | Audit + DeployIfNotExists | Policy Link |
| NSG should not allow unrestricted access | Security | Audit | Policy Link |
Compliance Mapping Table
| Compliance Framework | Example Policy | Enforcement Type | Azure Mapping |
|---|---|---|---|
| NIST 800-53 | NSG must not allow RDP from internet | Audit/Deny | AC-4, AC-17 |
| PCI-DSS | NSGs must have flow logs enabled | DeployIfNotExists | 10.2.5 |
| HIPAA | Diagnostic logging on Firewalls | Audit | 164.312(b) |
| ISO 27001 | Require diagnostic settings on NSGs | DeployIfNotExists | A.12.4.1 |
| CIS Benchmarks | Deny inbound ANY-ANY rules | Deny | 9.2.1 |
The control numbers above are example mappings; before relying on them for an audit, verify them against the regulatory compliance initiatives that ship with Microsoft Defender for Cloud, which carry Microsoft's maintained control-to-policy mapping for each standard.
Best Practices for Policy Design
1. Use Initiatives for Bundled Enforcement
Group multiple related policies—such as blocking public access, requiring diagnostic logging, and enabling flow logs—into a single initiative. This makes assignment and tracking easier and enforces consistent standards across projects.
2. Assign at the Management Group or Subscription Level
Management groups let you apply policies to all underlying subscriptions. This is ideal for large enterprises that need top-down compliance across departments or cloud business units.
3. Use Parameters in Custom Policies
Parameterization makes policies reusable and less brittle. For example, you can define a policy that denies public IPs but allows specific exceptions via a parameter list, or expose the effect itself as a parameter so the same definition can be assigned as Audit in one scope and Deny in another.
4. Combine with Microsoft Defender for Cloud
Microsoft Defender for Cloud (formerly Azure Security Center and Azure Defender) surfaces policy compliance as recommendations that feed its secure score and regulatory compliance dashboard; its own security baseline is an Azure Policy initiative assigned to onboarded subscriptions. It also recommends additional policies based on detected risks.
5. Monitor Compliance State Regularly
Track compliance trends over time using the Azure Policy dashboard or by exporting data to Log Analytics. Use alerts for non-compliance detection and integrate with ITSM tools.
6. Version Control Your Policies
Store custom policy definitions and assignments in a Git repo. Use CI/CD pipelines with Bicep or Terraform to enforce version-controlled infrastructure governance.
7. Document Policy Exceptions
Create a central register of policy exception justifications, and record each exception as an Azure Policy exemption (Microsoft.Authorization/policyExemptions) rather than an ad hoc tag: an exemption carries a category (Waiver or Mitigated), a description and an optional expiry date, and it is reported in the compliance view instead of hiding a non-compliant resource. Do not build new exception workflows on Azure Blueprints, which Microsoft has deprecated in favour of template specs and deployment stacks.
8. Use Policy Effects Strategically
Start new policies with the Audit effect, or assign them with enforcementMode set to DoNotEnforce, to gauge impact on existing resources. Once the compliance results look right, switch to Deny or DeployIfNotExists for enforcement.
9. Scope Policies Narrowly During Testing
Test new or custom policies on isolated resource groups before assigning broadly. This prevents accidental disruption in production.
10. Combine Policies with Role-Based Access Control (RBAC)
Ensure that those creating definitions and assignments hold an appropriate role such as Resource Policy Contributor rather than Owner, and that the managed identity of a DeployIfNotExists or Modify assignment is granted only the roles its remediation actually needs. Avoid giving wide permissions to users who do not understand policy impact. Use the Azure Policy compliance views and configure alerts for non-compliance drift.
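As an added example (not code from the original article), here is a parameterised custom policy definition for use cases 1 and 4 above, together with a small offline evaluator for the subset of the policy language the definition uses. It also shows best practices 3 and 8: `blockedPorts` and `effect` are parameters, so the same definition can be assigned as Audit first and Deny later. The aliases and JSON layout follow the documented policy-definition schema; the evaluator illustrates how Azure reads the rule and is not Azure's engine; the sample rules are constructed.

```python
"""Added example, not code from the original article: a parameterised custom
policy definition (deny Allow/Inbound NSG rules that open management ports, or
all ports, to the Internet) and an offline evaluator for the subset of the
policy language it uses. Aliases follow the documented policy schema; the
evaluator is an illustration, NOT Azure's engine. Sample rules are constructed."""

A = "Microsoft.Network/networkSecurityGroups/securityRules/"
INTERNET = ["*", "Internet", "0.0.0.0/0"]

# 'count ... greater 0' is used on the array aliases so that ANY offending element
# matches; a bare '[*]' field condition would require every element to match.
POLICY = {
    "displayName": "Deny NSG rules exposing management ports to the Internet",
    "mode": "All",
    "parameters": {
        "blockedPorts": {"type": "Array", "defaultValue": ["22", "3389"]},
        "effect": {"type": "String", "defaultValue": "Deny", "allowedValues": ["Audit", "Deny", "Disabled"]},
    },
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Network/networkSecurityGroups/securityRules"},
            {"field": A + "access", "equals": "Allow"},
            {"field": A + "direction", "equals": "Inbound"},
            {"anyOf": [
                {"field": A + "sourceAddressPrefix", "in": INTERNET},
                {"count": {"field": A + "sourceAddressPrefixes[*]",
                           "where": {"field": A + "sourceAddressPrefixes[*]", "in": INTERNET}}, "greater": 0},
            ]},
            {"anyOf": [
                {"field": A + "destinationPortRange", "equals": "*"},
                {"field": A + "destinationPortRange", "in": "[parameters('blockedPorts')]"},
                {"count": {"field": A + "destinationPortRanges[*]",
                           "where": {"field": A + "destinationPortRanges[*]", "in": "[parameters('blockedPorts')]"}},
                 "greater": 0},
            ]},
        ]},
        "then": {"effect": "[parameters('effect')]"},
    },
}


def _param(value, params):
    """Resolve the [parameters('name')] template function; other values pass through."""
    if isinstance(value, str) and value.startswith("[parameters('") and value.endswith("')]"):
        return params[value[len("[parameters('"):-3]]
    return value


def _norm(v):
    return v.lower() if isinstance(v, str) else v   # Policy string matching is case-insensitive


def evaluate(cond, resource, params):
    """Evaluate an 'if' tree: allOf, anyOf, count/where/greater, equals, in."""
    if "allOf" in cond:
        return all(evaluate(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource, params) for c in cond["anyOf"])
    if "count" in cond:
        spec, hits = cond["count"], 0
        for element in resource.get(spec["field"][:-3]) or []:  # strip the trailing [*]
            scoped = dict(resource)
            scoped[spec["field"]] = element                     # bind [*] to this element
            hits += evaluate(spec["where"], scoped, params)
        return hits > cond["greater"]
    actual = _norm(resource.get(cond["field"]))                 # a missing field never matches
    if "equals" in cond:
        return actual == _norm(_param(cond["equals"], params))
    if "in" in cond:
        return actual in {_norm(x) for x in _param(cond["in"], params)}
    raise ValueError(f"unsupported condition: {cond}")


def evaluate_policy(policy, resource, overrides=None):
    """Return the effect that applies to resource, or None when the 'if' block
    does not match (the resource is then compliant for this definition)."""
    params = {k: v["defaultValue"] for k, v in policy["parameters"].items()}
    params.update(overrides or {})
    if not evaluate(policy["policyRule"]["if"], resource, params):
        return None
    return _param(policy["policyRule"]["then"]["effect"], params)


def nsg_rule(name, **props):
    """Constructed securityRules resource, keyed by the aliases the policy uses."""
    res = {"type": "Microsoft.Network/networkSecurityGroups/securityRules", "name": name}
    res.update({A + k: v for k, v in props.items()})
    return res


SAMPLE_RULES = [
    nsg_rule("allow-rdp-internet", access="Allow", direction="Inbound",
             sourceAddressPrefix="Internet", destinationPortRange="3389"),
    nsg_rule("allow-multi-any", access="Allow", direction="Inbound",
             sourceAddressPrefixes=["10.0.0.0/8", "*"], destinationPortRanges=["443", "22"]),
    nsg_rule("allow-any-any", access="Allow", direction="Inbound",
             sourceAddressPrefix="*", destinationPortRange="*"),
    nsg_rule("allow-https-internet", access="Allow", direction="Inbound",
             sourceAddressPrefix="Internet", destinationPortRange="443"),
    nsg_rule("deny-rdp-internet", access="Deny", direction="Inbound",
             sourceAddressPrefix="Internet", destinationPortRange="3389"),
    # Known gap: string comparison cannot see that 3389 lies inside "3000-4000".
    nsg_rule("allow-range-internet", access="Allow", direction="Inbound",
             sourceAddressPrefix="Internet", destinationPortRange="3000-4000"),
]


def run_all(overrides=None):
    return {r["name"]: evaluate_policy(POLICY, r, overrides) for r in SAMPLE_RULES}


if __name__ == "__main__":
    for name, effect in run_all().items():
        print(f"{name:24} -> {effect or 'compliant'}")
```

Two practical points follow from the sample output. First, the `allow-range-internet` rule passes: Azure Policy compares strings, so a port range that contains 3389 is not caught by an `in` condition, which is why Defender for Cloud's management-port recommendations remain useful alongside policy. Second, this definition targets the securityRules child type; check that rules created inline inside the parent NSG resource are also covered, since custom NSG policies commonly pair this with a sibling definition that uses the parent type's securityRules[*] aliases.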
Bicep Template: Assigning Built-in Policy
```bicep
// Deploy this file at subscription scope (for example with `az deployment sub create`);
// that is why the assignment carries no explicit scope property.
targetScope = 'subscription'

resource policyAssignment 'Microsoft.Authorization/policyAssignments@2021-06-01' = {
  name: 'nsg-no-rdp-from-internet'
  properties: {
    displayName: 'Deny RDP from Internet'
    // Built-in definitions live at tenant scope, so the ID has no subscription segment.
    policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/d63f20c3-52c1-4092-8600-2f8f75b4d5c0'
    // 'Default' enforces the effect; 'DoNotEnforce' evaluates and reports only.
    enforcementMode: 'Default'
  }
}
```
PowerShell Example: Assign a Policy
```powershell
# Built-in definitions are looked up by their GUID name; no subscription path is needed.
$definition = Get-AzPolicyDefinition -Name "d63f20c3-52c1-4092-8600-2f8f75b4d5c0"
# If the definition parameterises its effect, add -PolicyParameterObject @{ effect = 'Deny' }; otherwise its default effect applies.
New-AzPolicyAssignment -Name "nsg-no-rdp" -DisplayName "Deny RDP from Internet" -Scope "/subscriptions/<sub-id>" -PolicyDefinition $definition
```
Real-World Case Studies
Case Study 1: Global Financial Institution
A multinational bank used Azure Policy to enforce diagnostic settings and NSG flow logs across hundreds of resource groups. By bundling policies into an initiative and assigning it at the management group level, they achieved 97% compliance within 30 days. (Source: Microsoft Azure Compliance)
Case Study 2: Healthcare Provider Aligns with HIPAA
A U.S.-based healthcare provider implemented built-in Azure Policies to meet HIPAA compliance, particularly focusing on diagnostic logging and limiting NSG access. Integration with Microsoft Defender allowed for real-time compliance drift detection. (Source: Azure Customer Stories – Providence)
Case Study 3: Government Agency Meets NIST 800-53
A federal agency applied NIST 800-53 mapped Azure Policies using policy initiatives. Combined with RBAC and Azure Blueprints, they implemented repeatable compliance-as-code workflows and automated reporting. (Source: US Department of Defense Case Study).
Final Thoughts
Azure Policy is more than a governance framework; it is the backbone of proactive compliance in modern, cloud-scale architectures. With its built-in definitions, granular enforcement options, and integration with Microsoft Defender for Cloud and Log Analytics, it lets both IT administrators and security teams implement guardrails without disrupting innovation.
Whether you’re enforcing NSG and Firewall rules, embedding controls into CI/CD pipelines, or aligning with NIST, PCI, or HIPAA standards, Azure Policy ensures your environment remains auditable, secure, and scalable.
Leverage its flexibility—from Audit-only evaluations to full auto-remediation—to meet your organization’s specific risk posture. And remember: the most effective policies are not just enforced—they’re tested, versioned, and continuously improved.
*The thoughts and opinions in this article are mine and do not reflect those of my employer.*