Version: Next

Task 02: Apply Azure Policy Initiatives

DOCUMENT CATEGORY: Runbook SCOPE: Azure Policy configuration PURPOSE: Apply governance and compliance policies MASTER REFERENCE: Microsoft Learn - Azure Policy

Status: Active

Azure Policy enforces organizational standards and assesses compliance at scale. This step applies policy initiatives specifically designed for Azure Local deployments, including security baselines and governance policies.

Policy Initiatives vs Individual Policies

Policy Initiatives (also called policy sets) group related policies together. For Azure Local, Microsoft provides built-in initiatives that bundle recommended security configurations.

Overview

Initiative	Scope	Purpose
Azure Security Benchmark	Management Group	Comprehensive security controls aligned to industry standards
Azure Local Security Baseline	Subscription	Microsoft-recommended configurations for Azure Local
Guest Configuration	Resource Group	In-guest policy enforcement for Windows/Linux
Tagging Governance	Subscription	Enforce required tags for cost management

Prerequisites

Azure subscription with Owner or Policy Contributor role
Management groups configured (if applying at MG scope)
Log Analytics workspace for compliance data

Variables from variables.yml

Variable	Config Path	Example
`AZURE_SUBSCRIPTION_ID`	`azure.subscription.id`	`00000000-0000-0000-0000-000000000000`
`AZURE_RESOURCE_GROUP`	`azure.resource_group.name`	`rg-azurelocal-prod-eus2`
`AZURE_REGION`	`azure.resource_group.location`	`eastus2`

Procedure

Azure Portal
Direct Script (On Node)
Standalone Script

Assign Azure Security Benchmark

Navigate to Azure Policy

In Azure Portal, search for Policy
Click Definitions in the left menu

Find Security Benchmark Initiative

Set Definition type to Initiative
Search for Azure Security Benchmark
Click on the initiative to view details

Assign the Initiative

Click Assign
Scope: Select your subscription or management group
Exclusions: Add any resources to exclude (optional)
Assignment name: Azure Security Benchmark - Azure Local

Configure Parameters

Review default parameters
Adjust as needed for your environment
Click Review + create
Click Create

Assign Azure Local-Specific Policies

Search for Azure Local Policies

In Policy Definitions, search for Azure Stack HCI or Azure Local
Review available built-in policies

Assign Key Policies

Audit Azure Stack HCI clusters for compliance
Configure Azure Stack HCI to use Azure Monitor Agent
Configure periodic checking for missing security updates

Create Policy Initiative (Optional)

Click Definitions → + Initiative definition
Name: Azure Local Security Baseline
Add relevant policies
Save and assign to subscription

Enable Guest Configuration

Assign Guest Configuration Initiative

Search for Guest Configuration
Find: Audit Windows machines that do not have the specified Windows PowerShell execution policy
Assign to your resource group containing Arc-enabled servers

Deploy Prerequisites

Assign: Deploy prerequisites to enable Guest Configuration policies on virtual machines
This installs the Guest Configuration extension on VMs

# Variables
$subscriptionId = "<your-subscription-id>"
$resourceGroup = "rg-azurelocal-prod-eastus2"
$location = "eastus2"

# Set subscription context
az account set --subscription $subscriptionId

# Get Azure Security Benchmark initiative definition
$securityBenchmarkId = az policy set-definition show `
 --name "1f3afdf9-d0c9-4c3d-847f-89da613e70a8" `
 --query id -o tsv

# Assign Azure Security Benchmark at subscription level
az policy assignment create `
 --name "AzureSecurityBenchmark-AzureLocal" `
 --display-name "Azure Security Benchmark - Azure Local" `
 --policy-set-definition $securityBenchmarkId `
 --scope "/subscriptions/$subscriptionId" `
 --enforcement-mode Default

Write-Host "✅ Azure Security Benchmark assigned" -ForegroundColor Green

# Assign tagging policy - Require tag on resources
az policy assignment create `
 --name "RequireEnvironmentTag" `
 --display-name "Require Environment Tag on Resources" `
 --policy "/providers/Microsoft.Authorization/policyDefinitions/871b6d14-10aa-478d-b590-94f262ecfa99" `
 --scope "/subscriptions/$subscriptionId" `
 --params '{"tagName": {"value": "Environment"}}' `
 --enforcement-mode Default

Write-Host "✅ Tagging policy assigned" -ForegroundColor Green

# Assign Guest Configuration prerequisites
az policy assignment create `
 --name "DeployGuestConfigPrereqs" `
 --display-name "Deploy Guest Configuration Prerequisites" `
 --policy "/providers/Microsoft.Authorization/policyDefinitions/12794019-7a00-42cf-95c2-882ebb9fa717" `
 --scope "/subscriptions/$subscriptionId" `
 --mi-system-assigned `
 --location $location

Write-Host "✅ Guest Configuration prerequisites assigned" -ForegroundColor Green

# Variables
$subscriptionId = "<your-subscription-id>"
$location = "eastus2"

# Connect and set context
Connect-AzAccount
Set-AzContext -SubscriptionId $subscriptionId

# Get Azure Security Benchmark initiative
$securityBenchmark = Get-AzPolicySetDefinition | Where-Object {
 $_.Properties.DisplayName -like "*Azure Security Benchmark*"
} | Select-Object -First 1

if ($securityBenchmark) {
 # Assign Azure Security Benchmark
 $assignmentParams = @{
 Name = "AzureSecurityBenchmark"
 DisplayName = "Azure Security Benchmark - Azure Local"
 PolicySetDefinition = $securityBenchmark
 Scope = "/subscriptions/$subscriptionId"
 EnforcementMode = "Default"
 }
 
 New-AzPolicyAssignment @assignmentParams
 Write-Host "✅ Azure Security Benchmark assigned" -ForegroundColor Green
} else {
 Write-Host "⚠️ Azure Security Benchmark initiative not found" -ForegroundColor Yellow
}

# Assign tag enforcement policy
$tagPolicy = Get-AzPolicyDefinition -Id "/providers/Microsoft.Authorization/policyDefinitions/871b6d14-10aa-478d-b590-94f262ecfa99"

$tagParams = @{
 Name = "RequireEnvironmentTag"
 DisplayName = "Require Environment Tag"
 PolicyDefinition = $tagPolicy
 Scope = "/subscriptions/$subscriptionId"
 PolicyParameterObject = @{
 tagName = "Environment"
 }
}

New-AzPolicyAssignment @tagParams
Write-Host "✅ Tag enforcement policy assigned" -ForegroundColor Green

# Assign Guest Configuration prerequisites (with managed identity)
$guestConfigPolicy = Get-AzPolicyDefinition -Id "/providers/Microsoft.Authorization/policyDefinitions/12794019-7a00-42cf-95c2-882ebb9fa717"

$guestConfigParams = @{
 Name = "DeployGuestConfigPrereqs"
 DisplayName = "Deploy Guest Configuration Prerequisites"
 PolicyDefinition = $guestConfigPolicy
 Scope = "/subscriptions/$subscriptionId"
 Location = $location
 IdentityType = "SystemAssigned"
}

New-AzPolicyAssignment @guestConfigParams
Write-Host "✅ Guest Configuration prerequisites assigned" -ForegroundColor Green

Write-Host "`n✅ Policy initiatives assigned successfully" -ForegroundColor Green

Validation

# Check policy assignments
$assignments = Get-AzPolicyAssignment -Scope "/subscriptions/$subscriptionId"
Write-Host "Policy Assignments:" -ForegroundColor Cyan
$assignments | Format-Table DisplayName, EnforcementMode -AutoSize

# Check compliance state (may take up to 24 hours for initial scan)
$complianceStates = Get-AzPolicyState -SubscriptionId $subscriptionId -Top 10
Write-Host "`nRecent Compliance States:" -ForegroundColor Cyan
$complianceStates | Group-Object ComplianceState | Format-Table Name, Count

Expected Output

Policy Assignments:
DisplayName EnforcementMode
----------- ---------------
Azure Security Benchmark - Azure Local Default
Require Environment Tag Default
Deploy Guest Configuration Prerequisites Default

Recent Compliance States:
Name Count
---- -----
Compliant 45
NonCompliant 3
Unknown 2

Common Policies for Azure Local

Policy Name	ID	Purpose
Audit VMs without disaster recovery	0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56	Ensure DR is configured
Configure periodic checking for updates	59efceea-0c96-497e-a4a1-4eb2290dac15	Security update compliance
Deploy Log Analytics agent	053d3325-282c-4e5c-b944-24faffd30d77	Monitoring agent deployment
Require tag on resources	871b6d14-10aa-478d-b590-94f262ecfa99	Cost management tags

Troubleshooting

Issue	Cause	Resolution
Policy assignment fails with permission error	Account lacks Policy Contributor role at target scope	Assign `Resource Policy Contributor` role at the subscription or management group level
Resources remain non-compliant after remediation	Remediation task not triggered or still in progress	Check remediation task status in Policy > Remediation; create a new remediation task if needed
Policy effects not enforced on new resources	Assignment uses `Audit` instead of `Deny` effect	Update the assignment parameters to use `Deny` for enforcement; existing resources need remediation separately

Next Steps

Proceed to Task 4: Configure Security Baselines to review and remediate Defender recommendations.

Previous	Up	Next
← Task 01: Enable Defender for Cloud	Phase 04: Security & Governance	Task 03: Security Baselines →

Version	Date	Author	Changes
1.0.0	2026-03-24	Azure Local Cloudnology Team	Initial release

Overview​

Prerequisites​

Variables from variables.yml​

Procedure​

Assign Azure Security Benchmark​

Assign Azure Local-Specific Policies​

Enable Guest Configuration​

Validation​

Expected Output​

Common Policies for Azure Local​

Troubleshooting​

Next Steps​

Navigation​