ARM Location Policy


Not only are Tags brilliant for Role Based Access Control, but if you integrate ARM Policies you can enforce it so that resources can only be deployed into certain locations, anything that is outside of the Policy, will instantly fail

Using ARM Policies can limit which geo-political regions resources can be deployed into, this is perfect for business who have very strict data sovereignty rules which want to keep Azure resources into a particular country

There are a few other ways Polices come in handy;

  1. If you wish to restrict which resources or resource types that get deployed,
  2. Enforce standard naming conventions throughout resources,
  3. Or for only ARM resources that have a tag, are to be successfully deployed, otherwise that will fail

The structure is heavily built around JavaScript Object Notation (JSON)  & can be deployed using PowerShell

I will show you how to create a simple ARM Policy to lock down a Resource Group to 2 Locations

Below is a JSON file, which will allow any resources to be deployed to either West Europe or North Europe (you can change the “in” values to what ever region you wish)

 "if": {
 "not": {
 "field": "location",
 "in": ["westeurope", "northeurope" ]
 "then": {
 "effect": "deny"

I have stored this on my desktop, for easy access when calling the .json through PowerShell

Open PowerShell ISE, copy & paste the code below, changing the $policyFile location & the name of the Resource Group to your choosing


$policyName = 'policyLocationDefinition'
$policyAssignment = 'policyLocationAssignment'
$policyFile = 'C:\Users\Craig\Desktop\policyLocation.json'

New-AzureRmPolicyDefinition `
 -Name $policyName `
 -Policy $policyFile `

$resourceGroup = Get-AzureRmResourceGroup -Name 'RG-AD'
$policy = Get-AzureRmPolicyDefinition -Name $policyName

New-AzureRmPolicyAssignment `
 -Name $policyAssignment `
 -PolicyDefinition $policy `
 -Scope $resourceGroup.ResourceId `


After you’ve ran the code, login to the ARM Portal, and try and deploy a Resource, if successful, if will fail and you should get the below error.
























Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s