Azure Resource Policy advertises itself as:
Azure Policy helps to enforce organizational standards and to assess compliance at-scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to the per-resource, per-policy granularity. It also helps to bring your resources to compliance through bulk remediation for existing resources and automatic remediation for new resources.
However, Policy isn't evaluated on /delete operations. In our case our organizational standards require every subscription to have certain security and compliance resources deployed and present 24/7/365. Policy can report on this RG if it's absent, and it can create it, but it cannot do anything to prevent deletion (resulting in the subscription potentially being tainted).
Why isn’t Policy capable of validating that deletions don’t violate standards? Is it because Policy has no context of who is performing the action?
2 Answers
Resource Policy recently released a preview feature, DenyAction, that appears to help close this gap.
In cases where you can describe a policy solely in terms of the resource (e.g. the policy is "Every Subscription must have a Resource Group named 'RG'") this should make it possible to ensure those resources remain present and compliant -- they can be deployed if not exist, and prevented from deletion.
PS) When I asked this question I wasn't aware that Azure Policy has no context of who is performing that action. In our scenario we need a policy that's effectively "Allow MG Owners to manage Resource Group 'RG' and its contents. Block Subscription Owners from managing 'RG' or its contents."
That's not possible with Policy. Deny Assignments theoretically can address this scenario, but the current preview doesn't allow them to be configured.
Currently, the above scenario isn't possible with Azure. There are alternatives/workarounds/hacks -- but nothing intrinsically to say "protect these resources from Subscription Owners (without also locking out MG Owners)".
As you are already aware, Policy is only evaluated on read and write operations. Locks and RBAC are typically used to prevent users from deleting resources. For your use case, you can apply locks using Azure Policy.
For feature requests regarding Policy, post them in the Microsoft Feedback Forum.
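The two approaches the answers describe, written out as policy definitions, as an added example that is not part of the question or either answer: the preview denyAction effect from the first answer and a deployIfNotExists policy that places a CanNotDelete lock from the second. A deliberately simplified matcher evaluates each rule's `if` block against constructed sample resource groups; it models only allOf/anyOf/not and field/equals conditions and is not the Azure Policy engine. The group name "RG", the lock name and the sample resources are placeholders; the Owner role GUID and the resource type strings are the real built-in values.

```python
"""Added example (not from the question or answers): denyAction and lock-deploying
policy definitions for protecting a resource group, with a simplified evaluator."""
import json

RG_TYPE = "Microsoft.Resources/subscriptions/resourceGroups"
LOCK_TYPE = "Microsoft.Authorization/locks"
# Built-in Owner role: deployIfNotExists needs a role its remediation identity
# can be granted so that it may create the lock on the resource group.
OWNER_ROLE_ID = ("/providers/Microsoft.Authorization/roleDefinitions/"
                 "8e3af657-a8ff-443c-a75c-2fe8c4bcb635")


def _target(rg_name: str) -> dict:
    """Condition selecting one resource group by name; no caller identity is involved."""
    return {"allOf": [{"field": "type", "equals": RG_TYPE},
                      {"field": "name", "equals": rg_name}]}


def deny_action_policy(rg_name: str) -> dict:
    """Block the delete action on the named resource group (preview denyAction effect)."""
    return {"mode": "All",
            "policyRule": {"if": _target(rg_name),
                           "then": {"effect": "denyAction",
                                    "details": {"actionNames": ["delete"]}}}}


def lock_policy(rg_name: str) -> dict:
    """Deploy a CanNotDelete lock on the named resource group when none is present."""
    template = {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "resources": [{"type": LOCK_TYPE, "apiVersion": "2020-05-01",
                       "name": "policy-do-not-delete",  # placeholder lock name
                       "properties": {"level": "CanNotDelete",
                                      "notes": "Placed by policy remediation"}}]}
    return {"mode": "All",
            "policyRule": {"if": _target(rg_name),
                           "then": {"effect": "deployIfNotExists",
                                    "details": {
                                        "type": LOCK_TYPE,
                                        "existenceCondition": {
                                            "field": "Microsoft.Authorization/locks/level",
                                            "equals": "CanNotDelete"},
                                        "roleDefinitionIds": [OWNER_ROLE_ID],
                                        "deployment": {"properties": {
                                            "mode": "incremental",
                                            "template": template}}}}}}


def matches(condition: dict, resource: dict) -> bool:
    """Simplified condition evaluation over a flat dict of field/alias values."""
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not matches(condition["not"], resource)
    return resource.get(condition["field"]) == condition["equals"]


def decide(policy: dict, resource: dict, operation: str) -> str:
    """What the policy would do for one operation on one resource. It takes no
    principal on purpose: the rule only ever sees the resource, not who acts."""
    rule = policy["policyRule"]
    if not matches(rule["if"], resource):
        return "not applicable"
    then, details = rule["then"], rule["then"]["details"]
    if then["effect"] == "denyAction":
        # denyAction is evaluated on the listed actions (here: delete).
        return "denied" if operation in details["actionNames"] else "not applicable"
    if then["effect"] == "deployIfNotExists":
        # Existence effects run on create/update and scans, not on delete itself.
        if operation not in ("create", "update"):
            return "not evaluated"
        related = [r for r in resource.get("related", []) if r["type"] == details["type"]]
        return "compliant" if any(matches(details["existenceCondition"], r)
                                  for r in related) else "remediate"
    raise ValueError(f"unsupported effect {then['effect']}")


# Constructed sample resources, keyed by the alias-style names the conditions read.
PROTECTED_RG = {"type": RG_TYPE, "name": "RG", "related": []}
OTHER_RG = {"type": RG_TYPE, "name": "sandbox", "related": []}
LOCKED_RG = {"type": RG_TYPE, "name": "RG",
             "related": [{"type": LOCK_TYPE,
                          "Microsoft.Authorization/locks/level": "CanNotDelete"}]}

if __name__ == "__main__":
    for label, policy in (("denyAction", deny_action_policy("RG")), ("lock", lock_policy("RG"))):
        for op in ("create", "delete"):
            print(f"{label} policy, {op} on RG: {decide(policy, PROTECTED_RG, op)}")
    # The policyRule object is what `az policy definition create --rules` expects.
    print(json.dumps(deny_action_policy("RG")["policyRule"], indent=2))
```

Running the script shows the gap the second answer points at: the lock policy only acts on create/update (so the lock exists before anyone tries to delete), while denyAction is the first effect that can refuse the delete itself. Neither rule has a place for the caller's identity, which is why "block Subscription Owners but not MG Owners" cannot be expressed in Policy and needs RBAC or deny assignments instead.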