Document Details

Create Policy Definition
Home / Scan 41 / Create Policy Definition
This page contains Windows bias

About This Page

This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
GitHub View on GitHub 📚 View on Microsoft Learn

Bias Analysis

Bias Types:
⚠️ powershell_heavy
⚠️ windows_first
⚠️ missing_linux_example
⚠️ windows_tools
Summary:
The documentation is heavily biased towards Windows and PowerShell. All code examples use PowerShell, and Windows-specific tools and paths are referenced exclusively. Even when the documentation mentions Linux support, no Linux-specific examples, shell commands, or file paths are provided. Windows is always listed first in parameters and examples, and the only example of a managed identity scenario uses a Windows file path.
Recommendations:
  • Provide equivalent Linux/Bash examples alongside PowerShell, especially for steps involving package creation, uploading, and policy definition.
  • Include Linux file path examples (e.g., /home/user/package.zip) where Windows paths (e.g., C:\Local\Path\To\Package) are shown.
  • Demonstrate use of Azure CLI for relevant steps, not just PowerShell, to ensure cross-platform usability.
  • Explicitly mention and show how to set up the authoring environment on Linux, including required dependencies and commands.
  • When referencing parameters like Platform, alternate the order (Windows/Linux) or show both in examples.
  • Clarify any differences or limitations for Linux users, and provide troubleshooting tips specific to Linux environments.
GitHub Create pull request

Scan History

Date Scan ID Status Bias Status
2025-07-12 23:44 #41 in_progress ❌ Biased
2025-07-12 00:58 #8 cancelled ✅ Clean
2025-07-10 05:06 #7 processing ✅ Clean

Flagged Code Snippets

For this scenario, you need to disable the **Allow Blob anonymous access** setting and assign the role **Storage Blob Data Reader** on the storage account to the identity. > [!NOTE] > You can retrieve the resourceId of a managed identity using the `Get-AzUserAssignedIdentity` > PowerShell cmdlet. The cmdlet output returns an object containing the definition display name and path of the policy files. Definition JSON files that create audit policy definitions have the name `auditIfNotExists.json` and files that create policy definitions to apply configurations have the name `deployIfNotExists.json`. #### Filtering machine configuration policies using tags The policy definitions created by cmdlets in the **GuestConfiguration** module can optionally include a filter for tags. The **Tag** parameter of `New-GuestConfigurationPolicy` supports an array of hash tables containing individual tag entries. The tags are added to the **if** section of the policy definition and can't be modified by a policy assignment. An example snippet of a policy definition that filters for tags follows.
#### Using parameters in custom machine configuration policy definitions Machine configuration supports overriding properties of a DSC Configuration at run time. This feature means that the values in the MOF file in the package don't have to be considered static. The override values are provided through Azure Policy and don't change how the DSC Configurations are authored or compiled. Machine configuration supports the following value types for parameters: - String - Boolean - Double - Float The cmdlets `New-GuestConfigurationPolicy` and `Get-GuestConfigurationPackageComplianceStatus` include a parameter named **Parameter**. This parameter takes a hash table definition including all details about each parameter and creates the required sections of each file used for the Azure Policy definition. The following example creates a policy definition to audit a service, where the user selects from a list at the time of policy assignment.
## Policy requirements for machine configuration The policy definition **metadata** section must include two properties for the machine configuration service to automate provisioning and reporting of guest configuration assignments. The **category** property must be set to `Guest Configuration` and a section named **guestConfiguration** must contain information about the machine configuration assignment. The `New-GuestConfigurationPolicy` cmdlet creates this text automatically. The following example demonstrates the **metadata** section that's automatically created by `New-GuestConfigurationPolicy`.
If the definition effect is set to `DeployIfNotExists`, the **then** section must contain deployment details about a machine configuration assignment. The `New-GuestConfigurationPolicy` cmdlet creates this text automatically. ### Create an Azure Policy definition Once a machine configuration custom policy package has been created and uploaded, create the machine configuration policy definition. The `New-GuestConfigurationPolicy` cmdlet takes a custom policy package and creates a policy definition. The **PolicyId** parameter of `New-GuestConfigurationPolicy` requires a unique string. A globally unique identifier (GUID) is required. For new definitions, generate a new GUID using the `New-GUID` cmdlet. When making updates to the definition, use the same unique string for **PolicyId** to ensure the correct definition is updated. Parameters of the `New-GuestConfigurationPolicy` cmdlet: - **PolicyId**: A GUID. - **ContentUri**: Public HTTP(s) URI of machine configuration content package. - **DisplayName**: Policy display name. - **Description**: Policy description. - **Parameter**: Policy parameters provided in a hash table. - **PolicyVersion**: Policy version. - **Path**: Destination path where policy definitions are created. Don't specify this parameter as the path to a local copy of the package. - **Platform**: Target platform (Windows/Linux) for machine configuration policy and content package. - **Mode**: (case sensitive: `ApplyAndMonitor`, `ApplyAndAutoCorrect`, `Audit`) choose if the policy should audit or deploy the configuration. The default is `Audit`. - **Tag**: Adds one or more tag filters to the policy definition. - **Category**: Sets the category metadata field in the policy definition. - **LocalContentPath**: The path to the local copy of the `.zip` Machine Configuration package file. This parameter is required if you're using a User Assigned Managed Identity to provide access to an Azure Storage blob. - **ManagedIdentityResourceId**: The `resourceId` of the User Assigned Managed Identity that has read access to the Azure Storage blob containing the `.zip` Machine Configuration package file. This parameter is required if you're using a User Assigned Managed Identity to provide access to an Azure Storage blob. - **ExcludeArcMachines**: Specifies that the Policy definition should exclude Arc machines. This parameter is required if you are using a User Assigned Managed Identity to provide access to an Azure Storage blob. > [!IMPORTANT] > Unlike Azure VMs, Arc-connected machines currently do not support User Assigned Managed > Identities. As a result, the `-ExcludeArcMachines` flag is required to ensure the exclusion of > those machines from the policy definition. For the Azure VM to download the assigned package and > apply the policy, the Guest Configuration Agent must be version `1.29.82.0` or higher for Windows > and version `1.26.76.0` or higher for Linux. For more information about the **Mode** parameter, see the page [How to configure remediation options for machine configuration][02]. Create a policy definition that **audits** using a custom configuration package, in a specified path:
### Publish the Azure Policy definition Finally, you can publish the policy definitions using the `New-AzPolicyDefinition` cmdlet. The below commands publish your machine configuration policy to the policy center. To run the `New-AzPolicyDefinition` command, you need access to create policy definitions in Azure. The specific authorization requirements are documented in the [Azure Policy Overview][07] page. The recommended built-in role is `Resource Policy Contributor`.