All about Microsoft Intune

Peter blogs about Microsoft Intune, Microsoft Intune Suite, Windows Autopilot, Configuration Manager and more

Using policy sets to group objects

This week is all about Policy sets in Microsoft Intune. Policy sets were introduced a few months ago and enable administrators to group management objects that need to be identified and assigned as a single object. That can help to simplify the administration of the environment. A Policy set can group almost all of the different object types that are available within Microsoft Intune, including objects for different platforms within the same Policy set. This enables an administrator to use Policy sets for a lot of different use cases, from creating a standard for a specific user type to creating a standard set of apps for all users. In this post I'll walk through the configuration steps and, along the way, describe the available options and challenges. I'll end this post with some notes about the assignment of a Policy set.

Creating policy sets

Now let's have a closer look at Policy sets by walking through the configuration. The following 9 steps walk through the creation of a Policy set and the different options.

  • Open the Microsoft Endpoint Manager admin center portal and navigate to Devices > Policy sets to open the Policy sets blade
  • On the Policy sets blade, select Policy sets and click Create to open the Create a policy set wizard
  • On the Basics page, provide the following information (see Figure 1) and click Next: Application management
  • Policy set name: Provide a valid name for the Policy set
  • Description: (Optional) Provide a description of the Policy set


  • On the Application management page, provide the following information (see Figure 2) and click Next: Device management
  • Apps: Click Select apps to add apps to the Policy set. That can be an iOS/iPadOS store app, an iOS/iPadOS line-of-business app, a Managed iOS/iPadOS line-of-business app, an Android store app, an Android line-of-business app, a Managed Android line-of-business app, an Office 365 ProPlus Suite (Windows 10), a Web link, a Built-in iOS/iPadOS app, or a Built-in Android app. That also means that a Windows app (Win32) is currently not supported. After adding an app to the Policy set, the assignment type (intent) can also be configured.
  • App configuration policies: Click Select app configuration policies to add app configuration policies to the Policy set.
  • App protection policies: Click Select app protection policies to add app protection policies to the Policy set. That can be an APP targeted at managed Windows devices, an APP targeted at managed iOS/iPadOS devices, an APP targeted at managed Android devices, an APP targeted at unmanaged iOS/iPadOS devices, or an APP targeted at unmanaged Android devices. That also means that an APP targeted at unmanaged Windows devices is not supported.


  • On the Device management page, provide the following information (see Figure 3) and click Next: Device enrollment
  • Device configuration policies: Click Select device configuration policies to add device configuration policies to the Policy set.
  • Device compliance policies: Click Select device compliance policies to add device compliance policies to the Policy set. Only the Android Enterprise device owner type policies are not available.


  • On the Device enrollment page, provide the following information (see Figure 4) and click Next: Scope tags
  • Device type restrictions: Click Select device type restrictions to add custom device type restrictions to the Policy set.
  • Windows autopilot deployment profiles: Click Select Windows autopilot deployment profiles to add Windows autopilot deployment profiles to the Policy set.
  • Enrollment status pages: Click Select enrollment status page profiles to add custom enrollment status page profiles to the Policy set.


  • On the Scope tags page, provide the following information (see Figure 5) and click Next: Assignments
  • Scope tags: Click Select scope tags to add custom scope tags to the Policy set.


  • On the Assignments page, provide the following information (see Figure 6) and click Next: Review + create
  • Included groups: Click Select groups to include to add groups to the assignment of the Policy set.
  • Excluded groups: Click Select groups to exclude to exclude groups from the assignment of the Policy set.


  • On the Review + create page, verify the following information and click Create


Having gone through the configuration of a Policy set, it's good to note that security baselines cannot be part of a Policy set. The guided scenario Try out a cloud-managed PC also creates a Policy set that groups the objects created during the guided scenario, as far as those object types are supported in a Policy set. That scenario also creates a security baseline assignment, which is not part of the created Policy set. Guided scenarios are available on the Home page of the Microsoft Endpoint Manager admin center.

For automation purposes, it is good to know that the configuration of a Policy set can be automated as well. That can be achieved by using the policySet resource in the Microsoft Graph API (beta).
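The script below is an added example (it is not code from this post, nor Microsoft's own sample) of what that automation looks like with the Microsoft.Graph PowerShell SDK: it creates a Policy set, adds an app item with an intent and two policy items, assigns it to an included and an excluded group, and then reads the set back with its items and assignments expanded so a reviewer can see exactly what one assignment pushes and to whom. The beta endpoint /deviceAppManagement/policySets with its items and assignments collections, the @odata.type names of the item types, the intent property on app items, the $expand read-back and every <placeholder> ID are assumptions to verify against the Graph beta reference and your own tenant.

```powershell
# Added example (not code from the original post): drive the Microsoft Graph beta
# policySet resource with the Microsoft.Graph PowerShell SDK.
# Assumptions: the /deviceAppManagement/policySets endpoint and its items and
# assignments collections, the @odata.type names of the item types, the intent
# property on app items, $expand on the read-back, and all <placeholder> IDs,
# which you replace with object IDs from your own tenant.
#Requires -Modules Microsoft.Graph.Authentication

$Base = 'https://graph.microsoft.com/beta/deviceAppManagement/policySets'

function New-IntunePolicySet {
    param([Parameter(Mandatory)][string]$DisplayName, [string]$Description = '')
    # Returns the created policySet as a hashtable that includes its id
    Invoke-MgGraphRequest -Method POST -Uri $Base -Body @{
        displayName = $DisplayName
        description = $Description
    }
}

function Add-IntunePolicySetItem {
    param(
        [Parameter(Mandatory)][string]$PolicySetId,
        # A policySetItem subtype, e.g. mobileAppPolicySetItem, deviceCompliancePolicySetItem,
        # deviceConfigurationPolicySetItem, managedAppProtectionPolicySetItem,
        # windowsAutopilotDeploymentProfilePolicySetItem (assumed names, see lead-in)
        [Parameter(Mandatory)][string]$ItemType,
        [Parameter(Mandatory)][string]$PayloadId,   # id of the app/profile/policy being referenced
        [ValidateSet('available', 'required', 'uninstall')][string]$Intent   # apps only
    )
    $item = @{ '@odata.type' = "#microsoft.graph.$ItemType"; payloadId = $PayloadId }
    if ($Intent) { $item['intent'] = $Intent }
    Invoke-MgGraphRequest -Method POST -Uri "$Base/$PolicySetId/items" -Body $item
}

function Set-IntunePolicySetAssignment {
    param(
        [Parameter(Mandatory)][string]$PolicySetId,
        [string[]]$IncludeGroupId = @(),
        [string[]]$ExcludeGroupId = @()
    )
    # Group targets only: the assignment notes in this post list object types that reject
    # the virtual All users / All devices targets, so those are deliberately not offered.
    foreach ($g in $IncludeGroupId) {
        Invoke-MgGraphRequest -Method POST -Uri "$Base/$PolicySetId/assignments" -Body @{
            target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $g }
        }
    }
    foreach ($g in $ExcludeGroupId) {
        Invoke-MgGraphRequest -Method POST -Uri "$Base/$PolicySetId/assignments" -Body @{
            target = @{ '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget'; groupId = $g }
        }
    }
}

function Get-IntunePolicySetReport {
    param([Parameter(Mandatory)][string]$PolicySetId)
    # Reads the set back with items and assignments expanded, so a reviewer can see
    # exactly which objects this one assignment pushes and to whom.
    $set = Invoke-MgGraphRequest -Method GET -Uri ("$Base/$PolicySetId" + '?$expand=items,assignments')
    [pscustomobject]@{
        Name        = $set['displayName']
        Items       = @($set['items'] | ForEach-Object {
                          "$($_.'@odata.type'.Split('.')[-1]) $($_.payloadId) $($_.intent)".Trim() })
        Assignments = @($set['assignments'] | ForEach-Object {
                          "$($_.target.'@odata.type'.Split('.')[-1]) $($_.target.groupId)" })
    }
}

# Usage: a "knowledge worker" standard (all IDs are placeholders)
Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All', 'DeviceManagementConfiguration.ReadWrite.All'
$set = New-IntunePolicySet -DisplayName 'Standard - Knowledge worker' -Description 'Baseline apps, compliance and configuration'
Add-IntunePolicySetItem -PolicySetId $set.id -ItemType mobileAppPolicySetItem -PayloadId '<office-365-proplus-app-id>' -Intent required
Add-IntunePolicySetItem -PolicySetId $set.id -ItemType deviceCompliancePolicySetItem -PayloadId '<windows-compliance-policy-id>'
Add-IntunePolicySetItem -PolicySetId $set.id -ItemType deviceConfigurationPolicySetItem -PayloadId '<bitlocker-profile-id>'
Set-IntunePolicySetAssignment -PolicySetId $set.id -IncludeGroupId '<knowledge-workers-group-id>' -ExcludeGroupId '<it-admins-group-id>'
Get-IntunePolicySetReport -PolicySetId $set.id | Format-List
```

The read-back function is the part worth keeping around: because a Policy set assignment fans out to every object in the set, the expanded items and assignments are the quickest way to review what a single group membership actually entitles a user or device to, and to spot an unexpected exclusion or a Win32 app that had to be assigned outside the set.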

Assignment notes

Let's end this post with some notes about the assignment of a Policy set. The following should be kept in mind when creating the assignment for a Policy set.

  • The different non-Windows app protection policies (APP) do not support an assignment via a Policy set. In that case the group is added as a direct assignment, and those direct assignments are not deleted when the assignment of the Policy set is removed, so they are worth checking before assuming the APP has been unassigned.
  • The different APPs do not support an assignment to All users or All devices.
  • A Windows autopilot deployment profile does not support an assignment to All users.
  • An Enrollment status page profile does not support the assignment of virtual groups (All users, All devices or All users & All devices).
  • A Device type restriction profile does not support the assignment of virtual groups (All users, All devices or All users & All devices).

When the assignment of the Policy set is created it will show as a specific assignment with the different objects that are part of the Policy set (as shown in Figure 8).


More information

For more information about using policy sets for managing groups of objects in Microsoft Intune, refer to the documentation about  Use policy sets to group collections of management objects .


6 thoughts on “Using policy sets to group objects”

This is definitely interesting, but needs support for both Win32 applications and powershell scripts to be really useful. Hopefully it’s in the pipeline.

Agree, Pär!

Can you control the order in which policy sets are applied?

Hi Clive, Not to my knowledge. Regards, Peter

Have you come across the issue of Android config policies not showing up when you try to add them to the policy set? When you select to bring up the config policy search box, it only lists windows policies but won’t show any android config policies to select.

Hi Damian, I have to admit that I haven’t looked at policy sets recently, but I just did and I do see the same. You might want to report that with Microsoft. Regards, Peter


What are Intune Policy Sets?

Starting with the Intune release of October 14th 2019, Microsoft made available a new functionality called "Policy Sets". Even though they are (at the time of writing this article) still in preview, they are a very welcome addition to the Intune options available.

Added November 29th: Please make sure to also read about Guided scenarios, a preview feature in Intune which makes it possible to create policy sets based on predefined scenarios: What are Guided Scenarios in Microsoft 365 Device Management/Intune?

Disclaimer: This post was written on October 25th 2019 and reflects the state of this functionality at that point in time.

So what are policy sets?

By creating a policy set, you can group the following features into a set which you can assign to either device or user groups:

  • App configuration policies
  • App protection policies
  • Device configuration profiles
  • Device compliance policies
  • Device type restrictions
  • Windows autopilot deployment profiles
  • Enrollment status page

The functionality that policy sets provide is partly available in the Security Baselines Microsoft is providing already. Because in the end, the Microsoft Security Baseline for Windows 10 for example is nothing more than a combination of Device Configuration Profiles.

So how do we create a Policy Set within Intune?

The policy set functionality can be found under Devices in the new setup of the Intune portal. Go to Devices and choose Policy sets (Preview)


You can create a policy set by clicking "+ Create" on the Policy sets page, which starts a wizard that guides you through creating your first policy set.


Under Application Management you can add the following items:

  • App configuration policies
  • App protection policies

Under Device Management you can add the following items:

  • Device configuration profiles
  • Device compliance policies

Under Device enrollment you can add the following items:

  • Device type restrictions
  • Windows autopilot deployment profiles
  • Enrollment status pages

Under Assignments you can assign the policy set to All users, All devices, All users and all devices, or selected groups. You can also specify groups to exclude. Note that you cannot determine whether the policy set is available or required; that is determined by the individual setting.

From this point forward you can then create the policy set.

Policy sets are a welcome addition to the Intune functionality. Personally, I would like the Security Baselines to be implemented as Policy sets as well, in order to give us more flexibility to work with the baselines. What's missing from policy sets is the compliance reporting available in the Security baseline information. All of this can of course change, since Policy sets are still in preview.

Before you start working with Policy Sets, please check for the known issues: https://docs.microsoft.com/en-us/intune/fundamentals/policy-sets#policy-sets-known-issues


Intune training: Exploring policy sets in Microsoft Intune

  • December 29, 2023
  • Posted by: Lara Administrator
  • Category: End User Computing


Introduction

Let’s dive deep into the topic of policy sets in Microsoft Intune. Policy sets are a powerful feature that allows you to group and assign different components such as applications, configurations, and deployment processes to specific security groups. By leveraging policy sets, you can simplify your management and ensure that the right policies are applied to the right users or devices. Let’s get started!

Understanding Policy Sets

Policy sets can be thought of as collections of policies that you can assign to specific groups. It’s a convenient way to organize and manage your policies based on different scenarios. For example, you can create policy sets for your front office, back office, contact centre, and executive staff, each with different applications and configurations required.

Accessing Policy Sets in Microsoft Intune

To access policy sets in Microsoft Intune, open the Intune admin center in your web browser and scroll down to find the "Policy Sets" section. If you don't see it immediately, don't worry. It may take a moment to load, especially if you're using the preview version. Once loaded, you can start exploring policy sets and planning your deployments.

Creating a Policy Set

To create a policy set, simply click the "Create" button at the top of the page. Give your policy set a name that reflects its purpose. For example, you can name it "Windows Scenario" to indicate that it is specific to Windows devices. One of the advantages of policy sets is that they are cross-platform, meaning you can apply them to different types of devices, such as iOS, macOS, Windows 10, and Android.

Adding Applications and Configurations to a Policy Set

Once you have created a policy set, you can start adding applications and configurations to it. Using the familiar user interface, you can select the apps and configurations that you want to include in the policy set. For apps you can also specify whether the assignment is required, uninstall, or available. This allows you to fine-tune the policies based on your specific needs.

Managing Device Compliance and Configuration

In addition to applications and configurations, policy sets also allow you to manage device compliance and configuration. You can select the device configuration and compliance policies that you want to include in a policy set. For example, you can include BitLocker, Defender, and other required configurations. By bundling all these policies together, you can easily manage and track their assignments.

Assigning Policy Sets to Groups

One important thing to remember when working with policy sets is to always assign them to specific groups. Avoid assigning policies to all users or devices, as this can lead to unintended consequences. Instead, target your policies at the user or device object level. This allows you to have more control and ensures that the policies are applied where they are needed.

Visibility and Monitoring

Policy sets provide a single pane of view where you can see all the settings assigned to a device or user. This makes it easy to track and monitor the policies that are applied. You can also pop out specific policies for quick access and configuration. It’s a great way to have visibility without having to navigate through each application or configuration individually.

Policy sets in Microsoft Intune are a valuable tool for managing and organizing your policies. With policy sets, you can simplify your management, ensure compliance, and streamline your deployments. By bundling policies together and assigning them to specific groups, you can have more control and visibility over your Intune environment. Start exploring policy sets today and take your Intune training to the next level!

Intune Training Demo


Secure Infrastructure Blog

by the Secure Infrastructure team at Microsoft

Microsoft Endpoint Manager – Intune – Policy Sets & Guided Scenarios

Howdy all! When working through Intune to set up configurations to be deployed to managed devices, administrators may need to decide which configurations should be prioritized and applied as a standard across various device types. Historically this is achieved by uniquely assigning each item to its respective groups and letting Intune deploy the assignments accordingly. In some cases, though, it makes sense to group configurations together and apply them as a unit to help arrive at that minimal required configuration set in a more planned and rational way. Policy Sets help you achieve exactly that. The video linked below walks through Policy Sets and demonstrates their use. The video also introduces Guided Scenarios, which are different from Policy Sets but complementary to them.


Modern Device Management

Jannik Reinhard


Policy sets – a cool feature

Many companies do not have just one standard service in which every PC gets the same configuration profiles, standard apps and so on. Specialized services are often needed to meet the needs of different business areas. You can copy the configuration profiles and name them after the service so you know which policy belongs to which service, or you can use policy sets to build your own services.

What are policy sets?

Policy sets are a collection of different management objects and apps that can be grouped and assigned together. The policy set is a reference to the different objects you added. This feature was introduced at the end of 2019. More information can be found here.

What can be included in a Policy set collection?

These following objects can be added to policy sets:

  • App configuration policies
  • App protection policies
  • Device configuration profiles
  • Device compliance policies
  • Device type restrictions
  • Windows autopilot deployment profiles
  • Enrollment status page

Where can I find the policy sets?


How can I create a policy set?

  • Click on Policy sets -> Policy sets
  • Click Create
  • Enter a name

A wizard guides you through the next steps. For this you have the following selection:

Application Management

  • App configuration policies
  • App protection policies

Device Management

  • Device configuration profiles
  • Device compliance policies

Device enrollment

  • Device type restrictions
  • Windows autopilot deployment profiles
  • Enrollment status pages

  • After that you can assign the policy set. Unfortunately, assignment filters do not work here.
  • Click Next: Review + create

Once the policy set is created, a new section "Assignment via policy sets" appears in the assignments of each included configuration profile.


Policy sets are a cool feature for bringing more order to assignments. This helps, for example, to create new device classes or to group the services of different departments, e.g. Security, Office, OS…

Stay healthy, Cheers Jannik



Policy Assignments

This chapter describes how Policy Assignments are handled by EPAC. Policy Assignments are the actual assignments of Policies and Policy Sets to scopes in Azure.

Assignment JSON structure

Assignment JSON is hierarchical for efficient definitions, avoiding duplication (copy/paste) of JSON. Each branch of the tree is cumulative. Each tree node must include a nodeName - an arbitrary string exclusively used by EPAC to display an error location. EPAC concatenates a leading / and the nodeName entries encountered in the tree to create a "breadcrumbs" trail; therefore, we recommend that you use / to help separate the concatenated nodeName . The following partial and invalid assignment tree would create this error message.

Assignment File Overview Diagram

JSON Schema

The GitHub repo contains a JSON schema which can be used in tools such as VS Code to provide code completion.

To utilize the schema add a $schema tag to the JSON file.

  • Every tree branch must accumulate a definitionEntry (or definitionEntryList), Assignment naming (name and displayName) and a scope element.
  • The elements parameters, overrides, resourceSelectors, notScope, enforcementMode, metadata, userAssignedIdentity, managedIdentityLocations, additionalRoleAssignments and nonComplianceMessages are optional.
  • For Policy Sets with large numbers of included Policies you should use a spreadsheet (CSV file) to manage effects (parameterized or effect overrides), parameters and optional nonComplianceMessages. We recommend the CSV approach for Policy Sets with more than 10 included Policies.
  • EPAC continues to support the deprecated elements initiativeId, initiativeName and ignoreBranch; consider using their replacements policySetId, policySetName and enforcementMode instead.
  • Role Assignments for user-assigned Managed Identities (UAMI) are not managed by EPAC and will not generate a roles-plan.json file.
  • additionalRoleAssignments are used when a required resource is not in the current scope, for example a Policy Assignment that requires an Event Hub managed in a subscription not contained in the current management group.

The tree is not required to be balanced. The number of levels is not restricted; however, anything beyond 3 levels is unnecessary in real scenarios and would be difficult to read and manage as the depth increases.

Assignment Element and Metadata

Each Assignment is required to have a name, which is used in its resource ID. EPAC also requires a displayName. The description is optional. For the allowed location assignment you specify the component with:

Multiple assignment naming components in a tree branch are string concatenated for each of the three fields.

Azure has a limit of 24 characters for the concatenated name string. EPAC displays an error if this limit is exceeded. Azure also has a limit of 128 characters for displayName and 512 characters for description (For additional information see Assignment Structure: Display name and description ).

Defining metadata

metadata is sometimes used to assign categories for changes. Do NOT specify EPAC-reserved elements roles and pacOwnerId . For the final metadata EPAC creates the union of instances in the entire tree branch.

Not recommended : Adding assignedBy to the metadata overrides the deployedBy value from the global-settings.jsonc file normally used for assignedBy . It defaults to "epac/$pacOwnerId/$pacSelector" .

Metadata for Role Assignments

Role assignments do not contain a metadata field. Instead, the description field is used to populate the deployedBy value. The description field is populated with the Policy Assignment Id, reason and deployedBy value. This is useful for tracking the source of the Role Assignment.

The reason is one of:

  • Role Assignment required by Policy - the Policy definition(s) specify the required Role Definition Ids.
  • additional Role Assignment - from the field "additionalRoleAssignments" in the Policy Assignment file.
  • additional cross tenant Role Assignment - from the field "additionalRoleAssignments" with crossTenant set to $true in the Policy Assignment file.

Assigning Policy Sets or Policies

Assigning a single Policy or Policy Set

Each assignment assigns either a Policy or Policy Set. In EPAC this is done with a definitionEntry or a definitionEntryList . Exactly one occurrence must exist in any collated tree branch. For each entry, you need to specify one of the following:

  • policyName - custom Policy. Specifying just the name allows EPAC to inject the correct definition scope.
  • policySetName - custom Policy Set. Specifying just the name allows EPAC to inject the correct definition scope
  • policyId - resource id for builtin Policy.
  • policySetId - resource id for builtin Policy Set.

displayName is an optional field to document the entry if the Policy name is a GUID. Builtin Policies and Policy Sets use a GUID.

Assigning multiple Policies or Policy Sets

Using definitionEntryList allows you to save on copy/paste tree branches. Without it, the number of branches would need to be duplicated as many times as the list has entries.

Each entry in the list creates an Assignment at each leaf of the tree. Since assignments must have unique names at a specific scope, the Assignment naming component must be amended for each list entry. In this sub-component you can decide if you want to concatenate the string by appending or prepending them by specifying append boolean value.

In the above example one of the children (leaf node) has the following Assignment name.

This example generates two assignments at the "prod" leaf per scope:

  • /providers/Microsoft.Management/managementGroups/Contoso-Prod/providers/Microsoft.Authorization/policyAssignments/pr-asb
    • displayName = "Prod Azure Security Benchmark"
    • description = "Prod Environment controls enforcement with Azure Security Benchmark Initiative."
  • /providers/Microsoft.Management/managementGroups/Contoso-Prod/providers/Microsoft.Authorization/policyAssignments/pr-nist-800-53-r5
    • displayName = "Prod NIST SP 800-53 Rev. 5"
    • description = "Prod Environment controls enforcement with NIST SP 800-53 Rev. 5 Initiative."

scope is required exactly once in each tree branch. Excluded scopes ( notScope ) are cumulative from global-settings.json and the entire tree branch; however, once a scope is defined notScope may not be defined at any child node.

Both scope and notScope are specific to an EPAC Environment using the pacSelector name , e.g., epac-dev and tenant .

notScope works the same. In addition "*" means all EPAC Environments.

Managed Identities and role assignments

Policies with a DeployIfNotExists or Modify effect need a Managed Identity (MI) and role assignments to execute remediation tasks. EPAC calculates the necessary role assignments based on the roleDefinitionIds in the Policy definition. By default EPAC uses a system-assigned Managed Identity. The team maintaining EPAC recommends system-assigned identities; however, your organization may have role assignment reasons to use user-assigned Managed Identities.

Defining managedIdentityLocations

Policy assignments requiring a Managed Identity (system-assigned or user-assigned) require a location managedIdentityLocations . You must specify the location based on EPAC Environment or use "*" to use the same location for all of the EPAC Environments. You can specify them in global-settings.jsonc or at any node in the tree. The last (closest to the leaf node) is the one chosen if multiple managedIdentityLocations entries are encountered in a tree branch.

Defining optional additionalRoleAssignments

In some scenarios you will need additionalRoleAssignments ; e.g., for diagnostics settings to Event Hubs, the target resource might be in a different Management Group and therefore the Managed Identity requires additional role assignments. You must specify the additionalRoleAssignments based on EPAC Environment or use "*" to use the same additionalRoleAssignments for all of the EPAC Environments. If the pacEnvironment under deployment is specified in the additionalRoleAssignments, the "*" assignments will be ignored.

If the additional assignment is to be made to a managing tenant in the scenario where the pacEnvironment under deployment is a managed (Lighthouse) tenant, you must specify "crossTenant": true for that assignment. Ensure all necessary ABAC permissions are in place for the executing SPN.

User-assigned Managed Identities

Azure Policy can use a user-defined Managed Identity and EPAC allows you to use this functionality. You must specify the user-defined Managed Identity based on EPAC Environment or use "*" to use the same identity for all of the EPAC Environments (only possible in single tenant scenarios). Within each EPAC Environment entry, you can specify just the URI string indicating to use the same identity even if we are using a definitionEntryList , or in the case of a definitionEntryList can assign a different identity based on the definitionEntryList by specifying a matching policyName , policyId , policySetName or policySetId .

Defining parameters , overrides and nonComplianceMessages

Utilizing a CSV file to define parameters, overrides and nonComplianceMessages

Assigning single or multiple security and compliance focused Policy Sets (Initiatives), such as Microsoft cloud security benchmark, NIST 800-53 R5, PCI, NIST 800-171, etc, with just JSON parameters becomes very complex fast. Add to this the complexity of overriding the effect if it is not surfaced as a parameter in the Policy Set . Finally, adding the optional nonComplianceMessages further increases the complexity.

To address the problem of reading and maintaining hundreds or thousands of JSON lines, EPAC can use the content of a spreadsheet (CSV) to create parameters , overrides and optionally nonComplianceMessages for a single Policy assignment definitionEntry or multiple Policy definitions ( definitionEntryList ).

This approach is best for large Policy Sets such as Azure Security Benchmark, NIST 800-53, etc. Smaller Policy Sets should still be handled with JSON parameters , overrides and nonComplianceMessages .

Implement these steps as documented in Managing Policy Assignment Parameters with a CSV file .

  • Generate the CSV file from your already deployed Assignment(s) or Policy Set(s).
  • Modify the effect and parameter columns for each environment type you will use.
  • Modify the Policy Assignment file to reference the CSV file and the column prefix.
  • Update the CSV file with the new effect and parameter values.

Defining parameters with JSON

parameters have a simplified JSON structure. You do not need the additional value indirection Azure requests (EPAC will inject that indirection).

To enable definitionEntryList, parameters not present in the Policy or Policy Set definition are quietly ignored.

Advanced Elements

Defining overrides with JSON

overrides are in the same format as documented by Azure . They are cumulative in each tree branch. The selectors element is only used for Assignments of Policy Sets. They are not valid for Assignments of a single Policy.

If using definitionEntryList , you must add the policyName , policyId , policySetName or policySetId as used in the definitionEntryList item.

Defining nonComplianceMessages with JSON

Assign a non-compliance message to the assignment, or individual non-compliance messages if the assignment is for a Policy Set. This value is an array of objects, each containing a message and, in the case of a Policy Set (initiative), a policyDefinitionReferenceId. See this link for details.

If you use single definitionEntry , place them normally. If you use a definitionEntryList place them in the respective list entry.

Defining resourceSelectors

resourceSelectors may appear anywhere in the tree and are cumulative in any branch. They follow the standard Azure Format .

Defining enforcementMode

enforcementMode is similar to the deprecated ignoreBranch ; it deploys the assignment and sets the assignment to Default or DoNotEnforce . DoNotEnforce allows a what-if analysis. enforcementMode may appear anywhere in the tree. Definitions at a child override the previous setting.

Example assignment files

Simple Policy Assignment (allowed locations)

In the simple case an assignment is a single node with no difference in assignment, parameters, and definitionEntry across multiple scopes. In many scenarios "Allowed Locations" is such a simple Assignment. Such Assignments do not have child nodes, just the root node. Example

  • nodeName is required for error messages; its value is immaterial. EPAC concatenates them in the current tree branch.
  • definitionEntry specifies the custom Policy Set general-allowed-locations-policy-set from our starter kit. displayName has no meaning; it is for readability and in this instance is superfluous.
  • assignment fields name , displayName and description are used when creating the assignment.
  • This assignment has no metadata . You don't need an empty collection. EPAC will add pacOwnerId and roles metadata . Do not add them manually.
  • enforcementMode is set to default - it is superfluous.
  • parameters are obvious. Note: you don't add the value layer Azure inserts - EPAC takes care of that.
  • During Policy resource development (called epac-dev ) the Assignment is deployed to an EPAC development Management Group Epac-Mg-1 .
  • During Policy prod deployments ( tenant -wide), it is deployed to the tenant Management Group Epac-Mg-1 .
  • No notScope entries are specified.

Security-Focused Policy Assignment with JSON parameters

  • In the following example we named our root node (nodeName) /security/. Since it is only used in error messages produced by EPAC during planning, its actual value doesn't matter as long as it's unique.
  • We use a definitionEntryList to create two assignments at every leaf (six assignments total).
  • For assignment string concatenation we append the strings in the definitionEntryList to the strings in the child nodes. You can see this best when you look at the description string in the child nodes: it forms a sentence when the definitionEntryList assignment field description is appended (append set to true).
  • The parameters specified in the children are specific to the IaC environment types and their scope. Note: a real assignment would define many more parameters. The set here is abbreviated, since the actual set could easily exceed a hundred entries for each of the IaC environments. We'll see in the next example how to simplify large Policy Set parameters with a CSV file.

Inverted Policy Assignment (Tag Inheritance and Required Tags)

As mentioned above, it is sometimes advantageous (to reduce the number of repetitions) to turn a definition on its head:

  • Common parameters, scope and definitionEntryList (with two Policies) sit at the root (nodeName is /Tags/).
  • The root also holds the start of the assignment strings (append is defaulted to false, so the definitionEntryList strings are placed in front of the child strings). Again, look at description, which will be a concatenated sentence.
  • The children define the tagName parameter and the second part of the strings for assignment. The set of parameters is the union of the root node and the child node.
  • This creates six Assignments (number of Policies assigned times number of children).
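The three examples above (the single-node allowed-locations assignment, the definitionEntryList fan-out and the inverted tag layout) all rely on the same tree rules: parameters form a union with the child winning, assignment strings concatenate along the branch, enforcementMode is overridden by the nearest child, and each definition entry multiplies every leaf. The following Python is an added illustration of those rules and is not EPAC's own code; the sample trees, the policy names and the exact treatment of the append flag are constructed assumptions.

```python
"""Flatten an EPAC-style assignment tree into the Policy Assignments it yields.

Added illustration of the tree rules, not EPAC's own code.  The sample trees,
policy names and the treatment of `append` are constructed assumptions.
"""
import copy
from typing import Dict, List, Optional

STRING_FIELDS = ("name", "displayName", "description")
MG = "/providers/Microsoft.Management/managementGroups/"


def _concat(first: Dict, second: Dict) -> Dict:
    """Concatenate the three assignment strings: first, then second."""
    return {k: first.get(k, "") + second.get(k, "") for k in STRING_FIELDS}


def flatten(node: Dict, pac_environment: str, inherited: Optional[Dict] = None) -> List[Dict]:
    """Walk one branch, accumulating state, and emit assignments at the leaves."""
    # Every branch works on its own copy so siblings never see each other's state.
    state = copy.deepcopy(inherited) if inherited else {
        "nodeName": "", "assignment": {}, "parameters": {}, "notScopes": [],
        "enforcementMode": "Default", "scope": {}, "definitionEntryList": []}
    state["nodeName"] += node.get("nodeName", "")           # concatenated, for error messages
    state["assignment"] = _concat(state["assignment"], node.get("assignment", {}))
    state["parameters"].update(node.get("parameters", {}))  # union; child wins on a clash
    state["notScopes"] += node.get("notScopes", [])          # cumulative
    if "enforcementMode" in node:                             # child overrides the parent
        state["enforcementMode"] = node["enforcementMode"]
    if "scope" in node:
        state["scope"] = node["scope"]
    if "definitionEntry" in node:
        state["definitionEntryList"] = [node["definitionEntry"]]
    if "definitionEntryList" in node:
        state["definitionEntryList"] = node["definitionEntryList"]
    children = node.get("children", [])
    if children:
        return [a for child in children for a in flatten(child, pac_environment, state)]
    return _emit_leaf(state, pac_environment)


def _emit_leaf(state: Dict, pac_environment: str) -> List[Dict]:
    """One assignment per definition entry, after checking what a leaf must carry."""
    scopes = state["scope"].get(pac_environment)
    if not scopes:
        raise ValueError(f"{state['nodeName']}: no scope for environment {pac_environment!r}")
    if not state["definitionEntryList"]:
        raise ValueError(f"{state['nodeName']}: no definitionEntry or definitionEntryList")
    out = []
    for entry in state["definitionEntryList"]:
        entry_strings = entry.get("assignment", {})
        # append=false (default): entry strings go in front of the tree strings;
        # append=true: they are appended after them.
        if entry_strings.get("append", False):
            strings = _concat(state["assignment"], entry_strings)
        else:
            strings = _concat(entry_strings, state["assignment"])
        if not strings["name"]:
            raise ValueError(f"{state['nodeName']}: assignment name is empty")
        policy = (entry.get("policyName") or entry.get("policySetName")
                  or entry.get("policyId") or entry.get("policySetId"))
        out.append({"policy": policy, **strings,
                    "parameters": dict(state["parameters"]),
                    "enforcementMode": state["enforcementMode"],
                    "notScopes": list(state["notScopes"]), "scopes": list(scopes)})
    return out


# Constructed sample: the simple single-node "Allowed Locations" layout.
ALLOWED_LOCATIONS = {
    "nodeName": "/root/",
    "definitionEntry": {"policySetName": "general-allowed-locations-policy-set"},
    "assignment": {"name": "allowed-locations", "displayName": "Allowed Locations",
                   "description": "Restricts where resources may be created."},
    "parameters": {"AllowedLocations": ["eastus2", "centralus"]},
    "scope": {"epac-dev": [MG + "Epac-Mg-1"], "tenant": [MG + "Epac-Mg-1"]}}

# Constructed sample: the inverted layout, two Policies at the root, tagName per child.
TAGS = {
    "nodeName": "/Tags/",
    "definitionEntryList": [
        {"policyName": "inherit-tag-from-rg", "assignment": {
            "name": "inherit-", "displayName": "Inherit ", "description": "Inherit from RG: "}},
        {"policyName": "require-tag-on-rg", "assignment": {
            "name": "require-", "displayName": "Require ", "description": "Require on RG: "}}],
    "scope": {"epac-dev": [MG + "Epac-Mg-1"], "tenant": [MG + "Epac-Mg-1"]},
    "children": [
        {"nodeName": "env/", "parameters": {"tagName": "Environment"},
         "assignment": {"name": "env-tag", "displayName": "Env tag", "description": "Environment."}},
        {"nodeName": "owner/", "parameters": {"tagName": "Owner"}, "enforcementMode": "DoNotEnforce",
         "assignment": {"name": "owner-tag", "displayName": "Owner tag", "description": "Owner."}},
        {"nodeName": "cost/", "parameters": {"tagName": "CostCenter"},
         "assignment": {"name": "cost-tag", "displayName": "Cost tag", "description": "CostCenter."}}]}

if __name__ == "__main__":
    for a in flatten(ALLOWED_LOCATIONS, "epac-dev") + flatten(TAGS, "epac-dev"):
        print(f"{a['name']:<20} {a['policy']:<40} {a['enforcementMode']:<13} {a['parameters']}")
```

Running it lists one assignment for the simple tree and six for the tag tree; only the two assignments under the owner/ child carry DoNotEnforce, because that setting was placed on that child alone and nothing below it overrides it.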

Non-Compliance Messages in a Policy Definition Assignment

Non-Compliance Messages in a Policy Set Definition Assignment

Non-Compliance Messages in a Policy Set Definition Assignment with a definitionEntryList

DEV Community

Olivier Miossec

Posted on Oct 31, 2022

Bicep and Azure Policy: Manage Policy and Initiative Assignment

This is the third post about Azure Policy. This time, the post will focus on policy assignments with Azure Bicep and PowerShell. A policy assignment enforces a policy or a policy set at a given scope, a management group or a subscription. This is where policies are applied to target resources.

A policy Assignment object has several properties:

  • A name (limited to 24 characters at the management group scope, 64 characters for other scopes)
  • A location, the Azure region where the operation metadata is stored
  • A display name, limited to 128 characters
  • An identity object
  • A description
  • The enforcement mode, either Default (enforced) or DoNotEnforce
  • A non-compliance object. The message will be displayed when resources are not compliant with the policy.
  • A notScopes array, to exclude some management groups or subscriptions from the assignment
  • A parameters object, to set the policy's parameters for this assignment
  • The policy definition ID, the resource ID of the policy definition or the policy set

In Bicep language

The deployment of this Bicep file can be done with the New-AzManagementGroupDeployment cmdlet. But, as with custom policy definitions and policy sets, you will rarely be asked to assign only one policy. How can you manage several policy assignments in one place? This is the same problem we had with deploying policies. Even though a policy assignment can be seen as a JSON document, the amount of information needed to assign a policy is limited. Instead of using one JSON file per assignment, we can create a single JSON document with all assignments, but we need to take care of the scope.

The Bicep file:

This Bicep file deploys a policy assignment. As the deployment will be made via PowerShell, we need to convert the values of the parameters and nonComplianceMessages properties from string to JSON with the json() function in Bicep.

All the parameters needed for the deployment are stored in a JSON document.

There is one policy to assign but two assignments in the JSON document. It’s to illustrate the power of parameters in the assignment process. You can assign the same policy, multiple times, even at the same scope, as long as the name changes and the parameters are different.

Each object in the JSON document will serve to deploy the assignment via a PowerShell script.

The script reads the content of the JSON document and, for each object, extracts the variables needed to deploy the Bicep file. But there is a difficulty: the Bicep nonComplianceMessages property requires a JSON array, yet most of the time there will be only one message or no message at all (multiple messages are only used for policy sets). With only one message (or none) you will not end up with a JSON array but with a single JSON object, so a modification is needed.

To deploy, simply run deployAssignment.ps1 from its folder. You can add the "location" parameter to adjust the Azure region to your needs.

You can find the related PwSh/Bicep code here
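The document-driven approach above has two traps the post points out: the assignment name must respect the scope-dependent length limit, and nonComplianceMessages must reach Bicep as an array even when the document holds a single message or none. The Python below is an added example of that preparation step, written here rather than taken from the post's PowerShell or Bicep; the layout of the JSON document, the placeholder policy definition ID and the management-group name are constructed assumptions.

```python
"""Turn one JSON document holding several policy assignments into the
per-assignment parameter sets a Bicep deployment expects.

Added example, not the post's own PowerShell/Bicep code.  The document layout
and the policy definition ID are constructed assumptions; the limits checked
are the ones the post lists.
"""
import json
from typing import Any, Dict, List

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"
NAME_LIMIT_MG, NAME_LIMIT_OTHER, DISPLAY_NAME_LIMIT = 24, 64, 128
# Placeholder policy definition ID (not a real built-in GUID).
POLICY_ID = "/providers/Microsoft.Authorization/policyDefinitions/00000000-0000-0000-0000-000000000000"

# Constructed sample: the same policy assigned twice at one scope with different
# names and parameters; one carries a single message object, the other none.
ASSIGNMENTS_JSON = json.dumps([
    {"name": "allowed-locations-prod", "displayName": "Allowed locations (prod)",
     "scope": MG_PREFIX + "mg-prod", "policyDefinitionId": POLICY_ID,
     "enforcementMode": "Default",
     "parameters": {"listOfAllowedLocations": {"value": ["westeurope"]}},
     "nonComplianceMessage": {"message": "Only westeurope is allowed in prod."}},
    {"name": "allowed-locations-dev", "displayName": "Allowed locations (dev)",
     "scope": MG_PREFIX + "mg-prod", "policyDefinitionId": POLICY_ID,
     "enforcementMode": "DoNotEnforce",
     "parameters": {"listOfAllowedLocations": {"value": ["westeurope", "northeurope"]}}},
])


def name_limit_for(scope: str) -> int:
    """24 characters at management group scope, 64 everywhere else."""
    return NAME_LIMIT_MG if scope.startswith(MG_PREFIX) else NAME_LIMIT_OTHER


def normalize_messages(value: Any) -> List[Dict[str, str]]:
    """Bicep wants an array of {message[, policyDefinitionReferenceId]} objects.
    A single object, a bare string or nothing at all must all become an array."""
    if value is None:
        return []
    if isinstance(value, str):
        return [{"message": value}]
    if isinstance(value, dict):
        return [value]
    if isinstance(value, list):
        return value
    raise TypeError(f"unsupported nonComplianceMessage value: {value!r}")


def deployment_parameters(assignment: Dict[str, Any]) -> Dict[str, str]:
    """Validate one assignment object and flatten it to deployment parameters."""
    scope, name = assignment["scope"], assignment["name"]
    limit = name_limit_for(scope)
    if not 1 <= len(name) <= limit:
        raise ValueError(f"{name}: name must be 1-{limit} characters at scope {scope}")
    display_name = assignment.get("displayName", name)
    if len(display_name) > DISPLAY_NAME_LIMIT:
        raise ValueError(f"{name}: displayName exceeds {DISPLAY_NAME_LIMIT} characters")
    mode = assignment.get("enforcementMode", "Default")
    if mode not in ("Default", "DoNotEnforce"):
        raise ValueError(f"{name}: enforcementMode must be Default or DoNotEnforce")
    return {
        "assignmentName": name, "displayName": display_name, "scope": scope,
        "policyDefinitionId": assignment["policyDefinitionId"],
        "enforcementMode": mode, "description": assignment.get("description", ""),
        "notScopes": json.dumps(assignment.get("notScopes", [])),
        # Passed as strings; the Bicep side turns them back into objects with json().
        "parameters": json.dumps(assignment.get("parameters", {})),
        "nonComplianceMessages": json.dumps(
            normalize_messages(assignment.get("nonComplianceMessage"))),
    }


def load_all(document: str) -> List[Dict[str, str]]:
    """Parse the document and reject two assignments sharing a name at one scope."""
    result, seen = [], set()
    for assignment in json.loads(document):
        params = deployment_parameters(assignment)
        key = (params["scope"], params["assignmentName"])
        if key in seen:
            raise ValueError(f"duplicate assignment name {key[1]!r} at scope {key[0]}")
        seen.add(key)
        result.append(params)
    return result


if __name__ == "__main__":
    for p in load_all(ASSIGNMENTS_JSON):
        print(p["assignmentName"], p["enforcementMode"], p["nonComplianceMessages"])
```

Each returned dictionary maps one-to-one onto the parameters such a Bicep file would declare, and the duplicate check enforces the rule from the post that the same policy may be assigned repeatedly at one scope only under distinct names.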


HTMD Community Blog #1 Modern Device Management Guides

Intune Policy Sets Collection of Workflows Admin Friendly MEM

Intune policy sets give a user-friendly experience to Intune admins. The screenshots are taken from the Ignite session slides and demos by Paul Mayfield, Terrell Cox, and Micro-Scott.

More details about the session and its recording are in the section below.


Intune Policy Sets

Intune policy sets and guided scenarios are helpful for new admins. They don’t have to search for each function within Microsoft Endpoint Manager/Intune portals, and the guided scenarios provide the best admin experience.


You can use policy sets to:

  • Create Standard configurations
  • Get up and running quickly (less learning curve for non-Intune admins)
  • Group objects that need to be assigned together
  • Assign your organization’s minimum configuration requirements on all managed devices
  • Assign commonly used or relevant apps to all users
  • Collection or group of workflows from Intune
  • Assign to an Azure AD group and report aggregate

Intune Policy Sets Collection of Workflows Admin Friendly MEM - Fig.1

Intune Policy Set Configurations

Device Management portal (Microsoft Endpoint Manager)


https://devicemanagement.microsoft.com/#blade/Microsoft_Intune_Workflows/PolicySetMenuBlade/overview

Intune Policy Sets Collection of Workflows Admin Friendly MEM - Fig.2

Select the following groups of workflows

  • Apps – Select one or more apps from the list of available apps
  • App configuration policies – Select one or more Intune App configuration Policies
  • App protection policies – Select one or more Intune APP

Intune Policy Sets Collection of Workflows Admin Friendly MEM - Fig.3

  • Device configuration profiles – Select device configuration profiles
  • Device compliance policies – Select the compliance policies you want to be part of the policy set
  • Device type restrictions – Select the device type conditions to be part of the policy set

Intune Policy Sets Collection of Workflows Admin Friendly MEM - Fig.4

Select Device Enrollment workflows

  • Windows autopilot deployment profiles
  • Enrollment status page

Intune Policy Sets Collection of Workflows Admin Friendly MEM - Fig.5

Select Azure AD Device or User Groups and complete the Intune policy set assignment.

Intune Policy Sets Collection of Workflows Admin Friendly MEM - Fig.6

  • Microsoft Endpoint Manager, including Microsoft Intune and Configuration Manager – https://myignite.techcommunity.microsoft.com/sessions/83532
  • Use policy sets to group collections of management objects
  • Policy Sets Known Issues


Anoop C Nair  is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.


[Examples] Set parameter values for Policy Assignments

This page describes how to set custom parameter values for Policy Assignments created by the module.

By default, the module will create Policy Assignments with parameter values set to recommended defaults. These defaults usually come from the defaultValue set within a Policy Definition. For policies which require a parameter value to be specified (or where our recommended setting differs from the default), the module automatically sets the value based on various inputs to the module. We refer to these as "managed Policy Assignments", and these typically cover scenarios where the output of a resource created by the module must be used as an input to a Policy Assignment.

An example of this is the Deploy-MDFC-Config Policy Assignment, which takes a number of parameter values from either user-specified inputs (e.g. emailSecurityContact ) or from resources created by the module (e.g. logAnalytics ).

Customers wanting to create additional or change existing Policy Assignment parameter values should consider the following options:

  • Setting a defaultValue for parameters within a Policy Definition template (see: View Policy Definition templates included with the module)
  • Setting a value for parameters within a Policy Assignment template (see: View Policy Assignment templates included with the module)
  • Setting parameter key/value pairs within an Archetype Definition template (see: View Archetype Definition templates included with the module)
  • Setting parameter key/value pairs within the archetype_config_overrides or custom_landing_zones input variable

NOTE: The module applies the above options in order; each option further down the list takes precedence over those above it. If you want to change one parameter value for a specific Policy Assignment, you must set all required values using your preferred option, or the assignment will revert to the defaultValue specified within the Policy Definition template for any value you leave out. If the parameter doesn't have a defaultValue within the Policy Definition and you don't provide a value, creation of the assignment will fail. This is particularly important to consider if changing the value of parameters for a "managed Policy Assignment".
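The precedence rule in the note has a consequence that is easy to miss: overriding one parameter at a higher layer does not merge with the values set at a lower layer, it replaces the whole set, and anything missing falls back to the Policy Definition's defaultValue or fails. The Python below is an added model of that behaviour, not the module's own Terraform; the layer contents, the parameter sets assumed for the named assignments and the sample values are constructed.

```python
"""Resolve the effective parameter values of one Policy Assignment from the
layered sources the module reads, in the precedence order the note describes.

Added illustration, not the module's own Terraform.  Layer contents and the
parameter sets assumed for the named assignments are constructed samples.
"""
from typing import Dict, List, Optional, Tuple

# Policy Definition templates: parameter -> defaultValue (None = no defaultValue).
DEFINITION_DEFAULTS: Dict[str, Dict[str, Optional[object]]] = {
    "Deny-Subnet-Without-Nsg": {"effect": "Deny"},
    "Deny-Public-Endpoints": {"ACRPublicIpDenyEffect": "Deny"},
    "Deploy-MDFC-Config": {"emailSecurityContact": None, "logAnalytics": None},
}

# Sources from lowest to highest precedence; each maps assignment name -> parameters.
LAYERS: List[Tuple[str, Dict[str, Dict[str, object]]]] = [
    ("policy_assignment_template", {
        "Deploy-MDFC-Config": {
            "emailSecurityContact": "security@contoso.example",
            "logAnalytics": "/subscriptions/<sub-id>/resourceGroups/rg-management/providers/"
                            "Microsoft.OperationalInsights/workspaces/law-management"}}),
    ("archetype_definition", {}),
    ("archetype_config_overrides", {"Deny-Subnet-Without-Nsg": {"effect": "Audit"}}),
    ("custom_landing_zones", {}),
]


class MissingParameter(ValueError):
    """Raised when a parameter has neither a supplied value nor a defaultValue."""

    def __init__(self, assignment: str, missing: List[str]):
        super().__init__(f"{assignment}: no value and no defaultValue for {missing}")
        self.missing = missing


def resolve(assignment: str, layers=LAYERS,
            defaults=DEFINITION_DEFAULTS) -> Tuple[Dict[str, object], str]:
    """Return (effective parameters, winning source) for one assignment.

    The highest-precedence layer that mentions the assignment supplies the whole
    parameter set; anything it leaves out falls back to the Policy Definition's
    defaultValue, never to a lower layer.  No value and no default is an error,
    which is the creation failure the note warns about."""
    supplied, source = {}, "policy_definition_defaultValue"
    for layer_name, layer in layers:
        if assignment in layer:
            supplied, source = layer[assignment], layer_name
    effective, missing = {}, []
    for param, default in defaults[assignment].items():
        if param in supplied:
            effective[param] = supplied[param]
        elif default is not None:
            effective[param] = default
        else:
            missing.append(param)
    if missing:
        raise MissingParameter(assignment, missing)
    return effective, source


def missing_parameters(assignment: str, layers=LAYERS) -> List[str]:
    """Names of the parameters the assignment would fail on, or [] if it resolves."""
    try:
        resolve(assignment, layers)
        return []
    except MissingParameter as err:
        return err.missing


if __name__ == "__main__":
    print(resolve("Deny-Subnet-Without-Nsg"))
    # Changing only the e-mail at a higher layer leaves logAnalytics with no
    # default, so creating the managed assignment would fail:
    partial = LAYERS + [("custom_landing_zones",
                         {"Deploy-MDFC-Config": {"emailSecurityContact": "soc@contoso.example"}})]
    print(missing_parameters("Deploy-MDFC-Config", partial))
```

The second call in the main block is the "managed Policy Assignment" case: Deploy-MDFC-Config resolves fine from the assignment template, but a partial override at a higher layer drops logAnalytics, which has no defaultValue, and the resolver reports it rather than silently producing a half-configured assignment.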

Before overriding the parameters, you need to know three properties:

  • Policy Assignment name to override (e.g. Deny-Subnet-Without-Nsg ).
  • The scope where the policy assignment is deployed. This could be either the archetype_id (e.g. es_corp , es_landing_zones , etc.) or the Management Group (e.g. corp , landing-zones , etc.).
  • The parameter name(s) you would like to change (e.g. effect or ACRPublicIpDenyEffect ) and their corresponding value(s).

The following sections provide examples showing how to update parameters using each of the available options.

Option: Policy Definition template

Please refer to the Microsoft documentation for setting a defaultValue for parameters within a Policy Definition template.

This approach can be used when adding new custom Policy Definitions to a custom lib folder, as specified by the library_path input variable.

NOTE: Whilst possible, we don't recommend using this approach if you want to set different values for custom Policy Definitions provided by the module.

Option: Policy Assignment template

Please refer to the Microsoft documentation for setting a value for parameters within a Policy Assignment template.

This approach can be used when adding new custom Policy Assignments to a custom lib folder, as specified by the library_path input variable.

NOTE: Whilst possible, we don't recommend using this approach if you want to set different values for custom Policy Assignments provided by the module.

Parameter values set at this scope will override those set within a Policy Definition template.

Option: Archetype definition template

When you create a custom archetype definition, you can set parameters within the archetype_config.parameters object.

Parameters are grouped by Policy Assignment name .

In the following example, you can see we define a custom archetype definition called my_archetype . Within this archetype definition, we create a Policy Assignment for Deny-Resource-Locations and set a custom value for the parameter listOfAllowedLocations :

NOTE: The parameters must correspond to a Policy Assignment created at the same scope. This is why the example includes this policy in the policy_assignments list.

If you want to expand an existing archetype , you can also use the same format.

In the following example we use the archetype extension approach to set the effect parameter for the Deny-Subnet-Without-Nsg Policy Assignment to Audit for the default es_landing_zones archetype definition:

Parameter values set at this scope will override those set within a Policy Definition template or Policy Assignment template.

Option: archetype_config_overrides input variable

Parameters of Policy Assignments included with the module can be changed with the archetype_config_overrides input variable.

In this example, we will update parameters for the Deny-Subnet-Without-Nsg and Deny-Public-Endpoints Policy Assignments.

Let's say you would like to update the policy effects for those policies. First, it's important to understand where the policy is assigned. If the policy is assigned to landing zones, the landing-zones archetype needs to be overridden. When the policy is assigned to corp, the corp archetype needs to be overridden.

The following shows how you would do this using the archetype_config_overrides input variable:

Option: custom_landing_zones input variable

In case you define a custom_landing_zones block, you can update the parameters in the following way:


Accessing and assigning policies inside a policy initiative in Azure using Terraform

I have a policy initiative in Azure, consisting of multiple policies, say 30 of them together. I mean inside the policy initiative, there are 30 policies. Now, owing to terraform's azurerm_policy_set_definition, (or we can assume the policy initiative definition to already exist as well) the entire policy initiative set can be assigned using the policy_assignment block where one can pass :

Now my question is, what if I want to assign selectively among these total of 30 policies in the initiative based on some condition...for example I wish to exclude some 5 policies, (all of their separate ids are present in the initiative). I'm new to terraform and thus, it may be said that I'm looking for a kind of an "IN" equivalent w.r.t other programming languages.

Like talking of a "pythonic way", if we had an array of numbers L=[ 10, 3, 4, 5, 6, 200 ], we can access elements of this array as L[i] and check a number, x, for existence in the array through " if x in L "...

In a similar way, could anyone please help me on whether policies which are members of a policy initiative set, can be accessed individually in Terraform ( for instance like in a loop through an array ) and then deployed to azure through a policy_assignment block if they meet a set of conditions ?

  • terraform-provider-azure
  • azure-policy


  • Can you provide example of your azurerm_policy_set_definition ? You have thirty sets? –  Marcin Commented Feb 15, 2021 at 12:32
  • Hii @Marcin...there exists a single policy initiative in azure and it has 30 policies defined therein. And when I pass the id of that initiative to the assignment block, the entire initiative gets assigned with 30 inside. I now want to access each of these 30 individually. –  Swarnabja Bhaumik Commented Feb 15, 2021 at 12:57
  • @Marcin, it may also be thought that the policy initiative pre-exists like we really don't need to write a azurerm_policy_set_definition for it at the moment. My doubt is regarding assignment and while the entire initiative gets assigned with a single policy_assignment block, my question is can we assign selectively...like a hypothetically desired subset of the 30 policies belonging to the initiative ? –  Swarnabja Bhaumik Commented Feb 15, 2021 at 13:20
  • Just like policy initiatives in azure are a group or collection of policies, I want to access each them individually using terraform in a kind of a loop based mechanism, is that possible @Marcin –  Swarnabja Bhaumik Commented Feb 15, 2021 at 14:53


Microsoft.Authorization policyAssignments


Bicep resource definition

The policyAssignments resource type is an extension resource , which means you can apply it to another resource.

Use the scope property on this resource to set the scope for this resource. See Set scope on extension resources in Bicep .

The policyAssignments resource type can be deployed with operations that target:

  • Resource groups - See resource group deployment commands
  • Subscriptions - See subscription deployment commands
  • Management groups - See management group deployment commands

For a list of changed properties in each API version, see change log .

Resource format

To create a Microsoft.Authorization/policyAssignments resource, add the following Bicep to your template.

Property values

Microsoft.Authorization/policyAssignments

| Name | Description | Value |
| --- | --- | --- |
| name | The resource name. Character limit: 1-128 display name; 1-64 resource name; 1-24 resource name at management group scope. Valid characters: display name can contain any characters. Resource name can't use: or control characters. Can't end with period or space. | string (required) |
| location | The location of the policy assignment. Only required when utilizing managed identity. | string |
| scope | Use when creating an extension resource at a scope that is different than the deployment scope. For Bicep, set this property to the symbolic name of the resource to apply the extension resource to. | Target resource |
| identity | The managed identity associated with the policy assignment. | Identity |
| properties | Properties for the policy assignment. | PolicyAssignmentProperties |

Identity

| Name | Description | Value |
| --- | --- | --- |
| type | The identity type. This is the only required field when adding a system or user assigned identity to a resource. | 'None', 'SystemAssigned', 'UserAssigned' |
| userAssignedIdentities | The user identity associated with the policy. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. | IdentityUserAssignedIdentities |

IdentityUserAssignedIdentities

| Name | Description | Value |
| --- | --- | --- |
| {customized property} | | UserAssignedIdentitiesValue |

UserAssignedIdentitiesValue

This object doesn't contain any properties to set during deployment. All properties are ReadOnly.

PolicyAssignmentProperties

| Name | Description | Value |
| --- | --- | --- |
| assignmentType | The type of policy assignment. Possible values are NotSpecified, System, SystemHidden, and Custom. Immutable. | 'Custom', 'NotSpecified', 'System', 'SystemHidden' |
| description | This message will be part of response in case of policy violation. | string |
| displayName | The display name of the policy assignment. | string |
| enforcementMode | The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. | 'Default', 'DoNotEnforce' |
| metadata | The policy assignment metadata. Metadata is an open ended object and is typically a collection of key value pairs. For Bicep, you can use the function. | |
| nonComplianceMessages | The messages that describe why a resource is non-compliant with the policy. | NonComplianceMessage[] |
| notScopes | The policy's excluded scopes. | string[] |
| overrides | The policy property value override. | Override[] |
| parameters | The parameter values for the assigned policy rule. The keys are the parameter names. | ParameterValues |
| policyDefinitionId | The ID of the policy definition or policy set definition being assigned. | string |
| resourceSelectors | The resource selector list to filter policies by resource properties. | ResourceSelector[] |

NonComplianceMessage

| Name | Description | Value |
| --- | --- | --- |
| message | A message that describes why a resource is non-compliant with the policy. This is shown in 'deny' error messages and on resource's non-compliant compliance results. | string (required) |
| policyDefinitionReferenceId | The policy definition reference ID within a policy set definition the message is intended for. This is only applicable if the policy assignment assigns a policy set definition. If this is not provided the message applies to all policies assigned by this policy assignment. | string |

Override

| Name | Description | Value |
| --- | --- | --- |
| kind | The override kind. | 'policyEffect' |
| selectors | The list of the selector expressions. | Selector[] |
| value | The value to override the policy property. | string |

Selector

| Name | Description | Value |
| --- | --- | --- |
| in | The list of values to filter in. | string[] |
| kind | The selector kind. | 'policyDefinitionReferenceId', 'resourceLocation', 'resourceType', 'resourceWithoutLocation' |
| notIn | The list of values to filter out. | string[] |

ParameterValues

| Name | Description | Value |
| --- | --- | --- |
| {customized property} | | ParameterValuesValue |

ParameterValuesValue

| Name | Description | Value |
| --- | --- | --- |
| value | The value of the parameter. For Bicep, you can use the function. | |

ResourceSelector

| Name | Description | Value |
| --- | --- | --- |
| name | The name of the resource selector. | string |
| selectors | The list of the selector expressions. | Selector[] |

Quickstart templates

The following quickstart templates deploy this resource type:

  • A management group level template that creates a policy definition and assigns that policy to the target management group. Currently, this template cannot be deployed via the Azure Portal.
  • A management group level template that creates a policy definition and assigns that policy to multiple management groups.
  • A template that assigns a built-in policy to an existing resource group.
  • A template that deploys an Azure Virtual Network Manager and sample virtual networks into the named resource group. It supports multiple connectivity topologies and network group membership types.

ARM template resource definition

Use the scope property on this resource to set the scope for this resource. See Set scope on extension resources in ARM templates .

To create a Microsoft.Authorization/policyAssignments resource, add the following JSON to your template.

Microsoft.Authorization/policyAssignments

| Name | Description | Value |
|---|---|---|
| type | The resource type | 'Microsoft.Authorization/policyAssignments' |
| apiVersion | The resource api version | '2024-04-01' |
| name | The resource name (constraints below) | string (required) |
| location | The location of the policy assignment. Only required when utilizing managed identity. | string |
| scope | Use when creating an extension resource at a scope that is different than the deployment scope. For JSON, set the value to the full name of the resource to apply the extension resource to. | Target resource |
| identity | The managed identity associated with the policy assignment. | object |
| properties | Properties for the policy assignment. | object |

Name constraints:

  • Character limit: 1-128 display name; 1-64 resource name; 1-24 resource name at management group scope.
  • Valid characters: the display name can contain any characters.
  • Resource name can't use: or control characters.
  • Can't end with period or space.

properties object

| Name | Description | Value |
|---|---|---|
| assignmentType | The type of policy assignment. Possible values are NotSpecified, System, SystemHidden, and Custom. Immutable. | 'Custom', 'NotSpecified', 'System', 'SystemHidden' |
| description | This message will be part of the response in case of a policy violation. | string |
| displayName | The display name of the policy assignment. | string |
| enforcementMode | The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. | 'Default', 'DoNotEnforce' |
| metadata | The policy assignment metadata. Metadata is an open-ended object and is typically a collection of key/value pairs. | object |
| nonComplianceMessages | The messages that describe why a resource is non-compliant with the policy. | [] |
| notScopes | The policy's excluded scopes. | string[] |
| overrides | The policy property value override. | [] |
| parameters | The parameter values for the assigned policy rule. The keys are the parameter names. | object |
| policyDefinitionId | The ID of the policy definition or policy set definition being assigned. | string |
| resourceSelectors | The resource selector list to filter policies by resource properties. | [] |

parameters value object (one per parameter name)

| Name | Description | Value |
|---|---|---|
| value | The value of the parameter. | any |
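An added example, not from the page, of a complete policyAssignments resource built from the properties in the tables above: a system-assigned identity (which is why location is set), enforcementMode DoNotEnforce so a pilot only reports compliance, an excluded scope, a non-compliance message, a resource selector that limits evaluation to pilot regions, and an override that downgrades the effect outside one region. The policy definition ID, subscription ID and exempt resource group are placeholders, and the referenced definition is assumed to take an `effect` parameter.

```json
{
  "type": "Microsoft.Authorization/policyAssignments",
  "apiVersion": "2024-04-01",
  "name": "storage-public-access-pilot",
  "location": "westeurope",
  "identity": { "type": "SystemAssigned" },
  "properties": {
    "displayName": "Pilot: remediate public network access on storage accounts",
    "description": "Storage accounts in this scope must have public network access disabled.",
    "assignmentType": "Custom",
    "enforcementMode": "DoNotEnforce",
    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/<PLACEHOLDER-policy-definition-id>",
    "parameters": {
      "effect": { "value": "Modify" }
    },
    "notScopes": [
      "/subscriptions/<PLACEHOLDER-subscription-id>/resourceGroups/<PLACEHOLDER-exempt-resource-group>"
    ],
    "nonComplianceMessages": [
      { "message": "Disable public network access on this storage account or request an exemption from the platform team." }
    ],
    "resourceSelectors": [
      {
        "name": "pilotRegions",
        "selectors": [
          { "kind": "resourceLocation", "in": [ "westeurope", "northeurope" ] }
        ]
      }
    ],
    "overrides": [
      {
        "kind": "policyEffect",
        "value": "Audit",
        "selectors": [
          { "kind": "resourceLocation", "notIn": [ "westeurope" ] }
        ]
      }
    ],
    "metadata": { "assignedBy": "example-template" }
  }
}
```

With DoNotEnforce the assignment is evaluated and its compliance is reported, but the effect is not applied; switch to Default once the pilot results have been reviewed. A Modify effect also requires a role assignment granting the identity the permissions it needs, which is a separate resource not shown here.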

Terraform (AzAPI provider) resource definition

Use the parent_id property on this resource to set the scope for this resource. The policy assignment can be applied at these scopes:

  • Resource groups
  • Subscriptions
  • Management groups

To create a Microsoft.Authorization/policyAssignments resource, add the following Terraform to your template.

Microsoft.Authorization/policyAssignments

| Name | Description | Value |
|---|---|---|
| type | The resource type | "Microsoft.Authorization/policyAssignments@2024-04-01" |
| name | The resource name (constraints below) | string (required) |
| location | The location of the policy assignment. Only required when utilizing managed identity. | string |
| parent_id | The ID of the resource to apply this extension resource to. | string (required) |
| identity | The managed identity associated with the policy assignment. | object |
| properties | Properties for the policy assignment. | object |

Name constraints:

  • Character limit: 1-128 display name; 1-64 resource name; 1-24 resource name at management group scope.
  • Valid characters: the display name can contain any characters.
  • Resource name can't use: or control characters.
  • Can't end with period or space.

identity object

| Name | Description | Value |
|---|---|---|
| type | The identity type. This is the only required field when adding a system- or user-assigned identity to a resource. | "SystemAssigned", "UserAssigned" |
| identity_ids | The user identity associated with the policy. The user identity dictionary key references will be ARM resource IDs in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. | Array of user identity IDs. |

properties object

| Name | Description | Value |
|---|---|---|
| assignmentType | The type of policy assignment. Possible values are NotSpecified, System, SystemHidden, and Custom. Immutable. | "Custom", "NotSpecified", "System", "SystemHidden" |
| description | This message will be part of the response in case of a policy violation. | string |
| displayName | The display name of the policy assignment. | string |
| enforcementMode | The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. | "Default", "DoNotEnforce" |
| metadata | The policy assignment metadata. Metadata is an open-ended object and is typically a collection of key/value pairs. | object |
| nonComplianceMessages | The messages that describe why a resource is non-compliant with the policy. | [] |
| notScopes | The policy's excluded scopes. | string[] |
| overrides | The policy property value override. | [] |
| parameters | The parameter values for the assigned policy rule. The keys are the parameter names. | object |
| policyDefinitionId | The ID of the policy definition or policy set definition being assigned. | string |
| resourceSelectors | The resource selector list to filter policies by resource properties. | [] |

overrides entries

| Name | Description | Value |
|---|---|---|
| kind | The override kind. | "policyEffect" |
| selectors | The list of the selector expressions. | [] |
| value | The value to override the policy property. | string |

selectors entries

| Name | Description | Value |
|---|---|---|
| in | The list of values to filter in. | string[] |
| kind | The selector kind. | "policyDefinitionReferenceId", "resourceLocation", "resourceType", "resourceWithoutLocation" |
| notIn | The list of values to filter out. | string[] |
