Manage Azure policy using the Azure Stack Hub policy module
The Azure Stack Hub policy module enables you to configure an Azure subscription with the same versioning and service availability as Azure Stack Hub. The module uses the New-AzPolicyDefinition PowerShell cmdlet to create an Azure policy, which limits the resource types and services available in a subscription. You then create a policy assignment within the appropriate scope by using the New-AzPolicyAssignment cmdlet. After configuring the policy, you can use your Azure subscription to develop apps targeted for Azure Stack Hub.
Note
The Azure Stack Hub policy module is intended to be used in public Azure as a test for deployment to Azure Stack Hub.
Install the module
Install the required version of the Az PowerShell module, as described in Step 1 of Install PowerShell for Azure Stack Hub.
Import the AzureStack.Policy.psm1 module:
Import-Module .\Policy\AzureStack.Policy.psm1
Apply policy to Azure subscription
You can use the following commands to apply a default Azure Stack Hub policy to your Azure subscription. Before running these commands, replace Azure subscription name with the name of your Azure subscription.
Connect-AzAccount
$s = Select-AzSubscription -SubscriptionName "Azure subscription name"
$policy = New-AzPolicyDefinition -Name AzureStackPolicyDefinition -Policy (Get-AzsPolicy)
$subscriptionID = $s.Subscription.SubscriptionId
New-AzPolicyAssignment -Name AzureStack -PolicyDefinition $policy -Scope /subscriptions/$subscriptionID
Apply policy to a resource group
You might want to apply policies that are more granular. For example, you might have other resources running in the same subscription. You can scope the policy application to a specific resource group, which enables you to test your apps for Azure Stack Hub using Azure resources. Before running the following commands, replace Azure subscription name with the name of your Azure subscription:
Connect-AzAccount
$rgName = 'myRG01'
$s = Select-AzSubscription -SubscriptionName "Azure subscription name"
$policy = New-AzPolicyDefinition -Name AzureStackPolicyDefinition -Policy (Get-AzsPolicy)
$subscriptionID = $s.Subscription.SubscriptionId
New-AzPolicyAssignment -Name AzureStack -PolicyDefinition $policy -Scope /subscriptions/$subscriptionID/resourceGroups/$rgName
Policy in action
Once you've deployed the Azure policy, you receive an error when you try to deploy a resource that is prohibited by policy:
