Menu Close

Azure Policy | Custom Policy

Reading Time: 2 minutes

Hi all, welcome to another blog post.

This one is about custom policies. In case you missed the introduction to Azure Policy, here it is. Custom policies can help an organisation where the built-in policies are not sufficient. Just to demonstrate how easy it is to create a custom policy, lets create one. First create a resource group:

This resource group will contain all the production network security groups (NSGs) in West Europe. With the built-in policy definition called ‘Allowed resource types’ you can restrict that only NSGs can be deployed in this resource group. But lets say we want to control the naming of the NSGs, this we need to accomplish with custom policies. I can try to explain how a custom policy definition structure is built, but this is already done by Microsoft here.

In the Azure Policy samples repository there are a lot of custom policy examples. For this example I have used the sample ‘enforce-match-pattern’.  The nice thing in the repository that there is also a powershell script that provides you the information, how to deploy the policy definition. Lets create a definition:

When the deployment of the policy definition is done, we need to assign this to the resource group that we have created earlier. Because the example policy definition has a ‘namePattern’ field which require a parameter we have to provide the parameter ‘namePattern’ (sounds logical right?). In this blog I have chosen for the naming pattern ‘JDJ-EUW-PRD-??????-NSG-###’. The ??? stands for characters and the ### for numbers. Remember that the number of question marks or hashtags are the number of characters or numbers you need to define.

In a naming convention there probably will be some rules about how a company will use an abbreviation for regions, or resources like network security groups. At this moment it is not possible to create custom rule for this rules. Lets assign the policy definition to the resource group we created earlier.

After assignment, the resource group is ‘protected’ by the custom policy. Now we need to test the policy to see if it works. First we will create a NSG with a naming pattern that is not compliant to the policy.

This deployment will fail, now lets create a NSG with a compliant naming convention.

This deployment will pass. This was just a quick post about custom policies.
Keep posted for updates!


  1. Norman Punge

    Hi there,

    thanks for this nice article. While trying this out I asked myself how you would set several Policy Definitions on a Resource Group or better on the subscription level. Normally there is more than one kind of resources and if I really want to enforce a naming pattern for the company I’ll establish it at the top level for all the resources which can be deployed.

    Best Regards,

    • John de Jager

      The way to set several policy definitions is to use a initiative policy. For naming patterns there is a way you can enforce a resource type to have a specific name. For example:
      “type”: “Microsoft.Authorization/policyDefinitions”,
      “name”: “enforce-naming-subnet-policyDef”,
      “properties”: {
      “displayName”: “Enforce Naming – Subnet”,
      “description”: “This policy enforces the correct naming of resources.”,
      “metadata”: {
      “category”: “Regulatory Compliance”
      “parameters”: {},
      “policyRule”: {
      “if”: {
      “allOf”: [
      “field”: “type”,
      “equals”: “Microsoft.Network/virtualNetworks/subnets”
      “not”: {
      “anyOf”: [
      “field”: “name”,
      “match”: “EUW-S##-???-VNET-##-SNT-????-##”
      “field”: “name”,
      “match”: “EUN-S##-???-VNET-##-SNT-????-##”

      “then”: {
      “effect”: “deny”

  2. reddy

    Hi, Thank you very much for writing the policy and I tried it is actually working as expected but I tried to add the users and trying to assign the user roles as they belong to then the naming pattern policy is restricting me to add by saying the customized policy match naming pattern.

    Can you guide me?


Leave a Reply

Your email address will not be published.