Azure policy does not work for resources created by Azure Databricks

Michal Kalafarski 25 Reputation points
2024-08-23T06:27:43.78+00:00

I'm working on using a policy to automatically assign the sku.name tag to virtual machines created by Databricks. These tags are important for my team's cost management analysis.

However, I discovered in another discussion that resources marked as "managedby" (such as those created by Azure Databricks or DevOps) bypass policy evaluation.

Is there a workaround to make those resources follow the policy I created?

Tags: Azure Cost Management, Azure Databricks, Azure Policy

Accepted answer
  1. Prashant Kumar 775 Reputation points Microsoft Employee
    2024-08-23T10:23:53.0366667+00:00

    Hi Michal,

    When an Azure Databricks workspace gets created, it creates a Deny Assignment on the managed resource group created by Azure Databricks. You can verify that by going to Access Control (IAM).

    This deny assignment does not allow users, or even Azure Policy, to add or update tags on the Azure resources inside that managed resource group, nor on the managed resource itself.

    The only tagging option available for Azure Databricks is mentioned here: https://video2.skills-academy.com/en-us/azure/databricks/admin/account-settings/usage-detail-tags

    1 person found this answer helpful.

1 additional answer

  1. Babafemi Bulugbe 3,620 Reputation points MVP
    2024-08-23T07:08:59+00:00

    Hello Michal Kalafarski,

    Thank you for posting your query in the Microsoft Q&A Community.

    Azure resources marked as "managed by" often bypass policy evaluation, which means that the Azure Policies you create might not apply to these resources. You can work around this limitation by applying tags at the resource group level or by leveraging automation to tag resources after creation.

    Azure offers built-in policies like "Inherit a tag from the resource group if missing." These policies can automatically apply the desired tag to all resources within the resource group, including those managed by Databricks.

    https://video2.skills-academy.com/en-us/azure/governance/policy/samples/built-in-policies#tags


    Also, you can create a Runbook or Logic App that triggers after the creation of new resources within a resource group by Databricks. The script can check if the resource has the "managed by" property and apply the necessary tags.

    Let me know if further assistance is required.

    Babafemi
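Added example (not part of either answer above): before building the runbook or assigning an "inherit tag" policy from the second answer, a practitioner will want to confirm the accepted answer's claim that the managed resource group's deny assignment blocks tag writes for every principal, including the managed identity a Modify-effect policy would use. The script below evaluates deny assignments the way Azure does (Actions minus NotActions, Principals minus ExcludePrincipals, scope inheritance) against a constructed sample of the JSON returned by `GET {scope}/providers/Microsoft.Authorization/denyAssignments?api-version=2022-04-01` (for example via `az rest`). All GUIDs, names and the specific NotActions in the sample are assumptions for illustration, not values from a real workspace; replace `SAMPLE_DENY_ASSIGNMENTS` with the real response to check your own resource group.

```python
"""Check whether an Azure deny assignment blocks an action for a principal at a scope.

Added example; evaluates the RBAC deny semantics locally on a constructed sample
so it runs offline. Feed it the real output of:
  az rest --method get --url "https://management.azure.com<RG_ID>/providers/Microsoft.Authorization/denyAssignments?api-version=2022-04-01"
"""
import fnmatch
import json

# Azure's SystemDefined "everyone" principal id used in deny assignments.
ALL_PRINCIPALS_ID = "00000000-0000-0000-0000-000000000000"

# Constructed sample (shape of the real API response; values are illustrative).
SAMPLE_DENY_ASSIGNMENTS = json.loads("""
{
  "value": [
    {
      "id": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/databricks-rg-demo/providers/Microsoft.Authorization/denyAssignments/11111111-1111-1111-1111-111111111111",
      "name": "11111111-1111-1111-1111-111111111111",
      "type": "Microsoft.Authorization/denyAssignments",
      "properties": {
        "denyAssignmentName": "System deny assignment created by managed application (constructed sample)",
        "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/databricks-rg-demo",
        "doNotApplyToChildScopes": false,
        "isSystemProtected": true,
        "permissions": [
          {
            "actions": ["*"],
            "notActions": ["*/read", "Microsoft.Authorization/*/read"],
            "dataActions": [],
            "notDataActions": []
          }
        ],
        "principals": [{"id": "00000000-0000-0000-0000-000000000000", "type": "SystemDefined"}],
        "excludePrincipals": [{"id": "22222222-2222-2222-2222-222222222222", "type": "ServicePrincipal"}]
      }
    }
  ]
}
""")


def _matches(action, patterns):
    # Azure action wildcards: '*' may span '/' segments, which fnmatch also allows.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _in_scope(assignment_scope, target_scope, do_not_apply_to_children):
    a = assignment_scope.lower().rstrip("/")
    t = target_scope.lower().rstrip("/")
    if t == a:
        return True
    return (not do_not_apply_to_children) and t.startswith(a + "/")


def _covers_principal(props, principal_id):
    ids = {p["id"].lower() for p in props.get("principals", [])}
    excluded = {p["id"].lower() for p in props.get("excludePrincipals", [])}
    pid = principal_id.lower()
    if pid in excluded:
        return False
    return pid in ids or ALL_PRINCIPALS_ID in ids


def denied_by(deny_assignments, principal_id, action, target_scope):
    """Names of deny assignments that block `action` for `principal_id` at `target_scope`."""
    hits = []
    for da in deny_assignments.get("value", []):
        props = da["properties"]
        if not _in_scope(props["scope"], target_scope, props.get("doNotApplyToChildScopes", False)):
            continue
        if not _covers_principal(props, principal_id):
            continue
        for perm in props.get("permissions", []):
            if _matches(action, perm.get("actions", [])) and not _matches(action, perm.get("notActions", [])):
                hits.append(props.get("denyAssignmentName", da["name"]))
                break
    return hits


def tag_write_report(deny_assignments, principal_id, resource_id):
    """Map each action a tag-adding policy or script would need to the deny assignments blocking it.

    Assumption: a Modify-effect policy patches the resource (its provider '.../write' action)
    and the tags resource API ('Microsoft.Resources/tags/write'); a read is included for contrast.
    """
    actions = (
        "Microsoft.Compute/virtualMachines/write",
        "Microsoft.Resources/tags/write",
        "Microsoft.Compute/virtualMachines/read",
    )
    return {a: denied_by(deny_assignments, principal_id, a, resource_id) for a in actions}


if __name__ == "__main__":
    rg = "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/databricks-rg-demo"
    vm = rg + "/providers/Microsoft.Compute/virtualMachines/vm-worker-0"
    policy_identity = "33333333-3333-3333-3333-333333333333"  # constructed: policy assignment's managed identity
    for action, blockers in tag_write_report(SAMPLE_DENY_ASSIGNMENTS, policy_identity, vm).items():
        print(f"{action}: {'DENIED by ' + ', '.join(blockers) if blockers else 'allowed'}")
```

With the sample, both write actions come back denied for the policy identity because the assignment applies to everyone at the resource group and its children, while the excluded service principal (in the real case, the Databricks application) is the only identity that passes. If the real response shows the same, the "inherit tag from resource group" policy will never fire on those VMs, and the usage-detail tags linked in the accepted answer remain the supported route.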

