WEBVTT

0:00:03.260000 --> 0:00:08.160000
In this video, we're going to take a look at how we can apply policies

0:00:08.160000 --> 0:00:10.440000
and initiatives.

0:00:10.440000 --> 0:00:16.040000
So this would be a very practical video.

0:00:16.040000 --> 0:00:17.840000
That's what this is, a video.

0:00:17.840000 --> 0:00:19.380000
And what we're going to do, two things.

0:00:19.380000 --> 0:00:22.840000
I'm going to demonstrate creating a custom policy and what all goes into

0:00:22.840000 --> 0:00:28.680000
that. And then I'll also demonstrate applying a custom initiative.

0:00:28.680000 --> 0:00:36.300000
Let's go ahead and jump right in and let's get started by looking at policy.

0:00:36.300000 --> 0:00:43.860000
And I've got a number of script elements here that we're going to look

0:00:43.860000 --> 0:00:47.280000
around. These are just PowerShell script components.

0:00:47.280000 --> 0:00:51.380000
The first thing that I want to do is take a look at the existing policies.

0:00:51.380000 --> 0:00:57.520000
So I've got just the Get-AzPolicyDefinition.

0:00:57.520000 --> 0:01:01.740000
And not surprisingly, there are a whole lot of policy definitions.

0:01:01.740000 --> 0:01:05.460000
Now, the one thing that's a little bit challenging with policy definitions,

0:01:05.460000 --> 0:01:13.440000
with the built-in policy definitions, is that the names by and large are

0:01:13.440000 --> 0:01:19.260000
all GUIDs. It can be a little bit tricky trying to find one that is not.

0:01:19.260000 --> 0:01:25.020000
And here I happen to have one that I forgot to delete that's going to

0:01:25.020000 --> 0:01:27.380000
look very familiar in just a moment.

0:01:27.380000 --> 0:01:32.540000
In any case, by and large though, you have these names here that are really

0:01:32.540000 --> 0:01:35.000000
pretty much inscrutable.

0:01:35.000000 --> 0:01:36.380000
But you do have properties.

0:01:36.380000 --> 0:01:41.200000
And so usually if I'm looking for a particular policy that I know is a

0:01:41.200000 --> 0:01:45.040000
built-in policy, I'll actually filter based on the properties.

0:01:45.040000 --> 0:01:52.000000
So in this case, I'm looking for any that have the property of SKU.

0:01:52.000000 --> 0:01:54.840000
There should be two of these.

0:01:54.840000 --> 0:01:58.520000
So out of the way for a moment.

0:01:58.520000 --> 0:02:01.500000
And I've got two different policies here.

0:02:01.500000 --> 0:02:06.400000
And if I read in this first one is a set of storage accounts, I'm going

0:02:06.400000 --> 0:02:08.960000
to use the second one, Allowed virtual machine SKUs.

0:02:08.960000 --> 0:02:12.860000
Maybe that's what I want to look at as the basis of something I'm doing,

0:02:12.860000 --> 0:02:17.860000
is a policy that has a virtual machine SKUs.

0:02:17.860000 --> 0:02:23.100000
And so I've got a line here that just returns that one policy.

0:02:23.100000 --> 0:02:27.060000
And I will tell you it can be a little bit tricky to get the information

0:02:27.060000 --> 0:02:29.320000
out of the built-in policies.

0:02:29.320000 --> 0:02:33.600000
This is probably a little bit easier to do in the portal.

0:02:33.600000 --> 0:02:36.560000
But it's not this open and I'm not going to go too far out.

0:02:36.560000 --> 0:02:42.100000
I've got my definition and then I can go to the properties of my definition.

0:02:42.100000 --> 0:02:47.160000
And then within the properties of my definition, I go to the policy rule.

0:02:47.160000 --> 0:02:50.300000
And if I wanted to see that, that's my policy rule.

0:02:50.300000 --> 0:02:52.260000
I see the if, I see the then.

0:02:52.260000 --> 0:02:56.580000
Let's say I wanted to be a little bit more specific.

0:02:56.580000 --> 0:03:01.500000
I could have an if, let's say I have an allOf.

0:03:01.500000 --> 0:03:04.880000
And then within the allOf.

0:03:04.880000 --> 0:03:11.780000
Well, let's just see what we have in the allOf.

0:03:11.780000 --> 0:03:15.060000
So I have the type.

0:03:15.060000 --> 0:03:19.800000
But if I want to.

0:03:19.800000 --> 0:03:21.100000
So I've got the type.

0:03:21.100000 --> 0:03:28.060000
The field type field equals virtual machines and not the SKU is in a list

0:03:28.060000 --> 0:03:33.680000
of parameters. So this is a parameterized policy definition.

0:03:33.680000 --> 0:03:38.460000
And frankly, if I was attempting to define a policy that way, it would

0:03:38.460000 --> 0:03:40.580000
be really tricky.

0:03:40.580000 --> 0:03:44.000000
Now, what I want to do is take a look at another concept.

0:03:44.000000 --> 0:03:48.700000
I have a resource group I used in another video for role-based access

0:03:48.700000 --> 0:03:53.680000
control. And this just has a website or a web app.

0:03:53.680000 --> 0:03:58.340000
It's got an app service plan and it also has some sort of application

0:03:58.340000 --> 0:04:03.640000
insights. And I'm going to go ahead and just take a look at the resource

0:04:03.640000 --> 0:04:08.100000
types that have been created in this resource group.

0:04:08.100000 --> 0:04:10.840000
And I will tell you, this is actually the approach I typically will take

0:04:10.840000 --> 0:04:13.180000
if I'm defining my own.

0:04:13.180000 --> 0:04:18.180000
My own policies is I'll typically create a resource group that has the

0:04:18.180000 --> 0:04:21.180000
resources that I want and nothing else.

0:04:21.180000 --> 0:04:26.360000
And then run essentially this statement to see what the resources are

0:04:26.360000 --> 0:04:29.940000
because oftentimes there may be resources that I wasn't expecting.

0:04:29.940000 --> 0:04:32.880000
For example, this has autoscale.

0:04:32.880000 --> 0:04:35.800000
So I have these different Microsoft.Insights including

0:04:35.800000 --> 0:04:38.040000
Microsoft.Insights/autoscaleSettings.

0:04:38.040000 --> 0:04:42.960000
So if I wanted someone to be able to just create web apps but also to

0:04:42.960000 --> 0:04:47.560000
be able to autoscale them, I wouldn't be able to just give them a policy

0:04:47.560000 --> 0:04:51.740000
that allowed creation server farms and allowed creation of websites.

0:04:51.740000 --> 0:04:56.060000
I would also have to give them the ability to create autoscale.

0:04:56.060000 --> 0:04:58.480000
Now, I can also go through and find things.

0:04:58.480000 --> 0:05:04.200000
For example, if I'm looking at compute, I can find all the different resource

0:05:04.200000 --> 0:05:07.680000
types that are under Microsoft.Compute.

0:05:07.680000 --> 0:05:10.020000
So here's just a list.

0:05:10.020000 --> 0:05:13.880000
So not just virtual machines but a wide range, particularly for example,

0:05:13.880000 --> 0:05:17.640000
if you're using virtual machine scale sets or extensions.

0:05:17.640000 --> 0:05:22.060000
So you have to be ready to be very granular if you're creating policies.

0:05:22.060000 --> 0:05:28.100000
Here's another example, all the different resources associated with networks.

0:05:28.100000 --> 0:05:31.440000
And the point here being that not to show you, okay, here's a bunch of

0:05:31.440000 --> 0:05:34.000000
pre-canned PowerShell scripts.

0:05:34.000000 --> 0:05:38.600000
But the idea being that when you're defining policy, to an extent,

0:05:38.600000 --> 0:05:41.980000
RBAC as well, you want to make sure that you're encompassing everything

0:05:41.980000 --> 0:05:43.840000
that you actually need.

0:05:43.840000 --> 0:05:47.500000
And that's why, as I said, line 14 here, that's usually the approach I'll

0:05:47.500000 --> 0:05:52.020000
take. Do it manually, then go in and cheat, go through the back door and

0:05:52.020000 --> 0:05:53.260000
see what you have.

0:05:53.260000 --> 0:06:02.920000
Now, let's say that I wanted to create a policy that restricted the SKUs

0:06:02.920000 --> 0:06:04.220000
that you could use.

0:06:04.220000 --> 0:06:09.580000
To just standard DSv3 series SKUs.

0:06:09.580000 --> 0:06:13.200000
The first thing I would need to know is what are those SKUs.

0:06:13.200000 --> 0:06:17.660000
And here I've got a Get-AzVMSize.

0:06:17.660000 --> 0:06:22.740000
And I'm selecting the name, I'm sorting the name, and then I'm pulling

0:06:22.740000 --> 0:06:24.560000
it down to just the standard.

0:06:24.560000 --> 0:06:32.680000
So you can see the different SKUs that are available with the DSv3 series.

0:06:32.680000 --> 0:06:38.740000
And let's say that I wanted to create a policy that limited to just a

0:06:38.740000 --> 0:06:39.800000
subset of these.

0:06:39.800000 --> 0:06:43.260000
Well, as it so happens, I have such a policy.

0:06:43.260000 --> 0:06:46.020000
Here is a policy.

0:06:46.020000 --> 0:06:50.440000
Now, in some cases, you're going to want to consider whether you want

0:06:50.440000 --> 0:06:56.280000
to use this policy or use built-in policies, not this policy, but create

0:06:56.280000 --> 0:07:00.840000
your own policy, or use built-in policies, and in particular use initiatives.

0:07:00.840000 --> 0:07:03.440000
I'm going to kind of show you both approaches.

0:07:03.440000 --> 0:07:05.320000
In this case, I'm creating a policy.

0:07:05.320000 --> 0:07:08.320000
And what this policy does is it limits two things.

0:07:08.320000 --> 0:07:15.840000
First, I'm going to limit the types of resources that can be created wherever

0:07:15.840000 --> 0:07:18.060000
this policy is applied.

0:07:18.060000 --> 0:07:21.560000
So this is going to allow the creation of virtual machines, and disks,

0:07:21.560000 --> 0:07:25.520000
and virtual networks, and public IPs, and network interfaces, and network

0:07:25.520000 --> 0:07:26.140000
security groups.

0:07:26.140000 --> 0:07:30.880000
And these are typically the components necessary for a virtual machine

0:07:30.880000 --> 0:07:34.420000
to thrive. They don't all have to be in the resource group, but this has

0:07:34.420000 --> 0:07:36.560000
been created relatively easily.

0:07:36.560000 --> 0:07:43.040000
But then in addition to that, I also have this allOf that says, if the

0:07:43.040000 --> 0:07:47.480000
type is virtual machines and the SKU name field of the virtual machine

0:07:47.480000 --> 0:07:56.340000
is not in D2S, D4S, or just D2V3, then the type of virtual machine.

0:07:56.340000 --> 0:07:57.920000
And the effect is deny.

0:07:57.920000 --> 0:08:00.660000
I'm going to go back up to this syntax.

0:08:00.660000 --> 0:08:04.600000
I will tell you that this syntax, when you first start working with it,

0:08:04.600000 --> 0:08:08.080000
can be a little bit confusing.

0:08:08.080000 --> 0:08:12.420000
I have this if, I'm going to have one if, and then I can have this

0:08:12.420000 --> 0:08:18.300000
anyOf, and anyOf is like an in statement, if you're familiar with that.

0:08:18.300000 --> 0:08:21.600000
So if any of these things are true, then it's going to have the effect,

0:08:21.600000 --> 0:08:23.340000
which in this case is deny.

0:08:23.340000 --> 0:08:30.120000
And so the anyOf, the first thing is a not, and that not is a type check.

0:08:30.120000 --> 0:08:34.760000
And so I have this hierarchy because that's what you do with JSON.

0:08:34.760000 --> 0:08:37.220000
And then down here, I have an allOf.

0:08:37.220000 --> 0:08:43.520000
So this would be true if the type is virtual machines and the SKU is not

0:08:43.520000 --> 0:08:48.500000
in that list. So it can be a little bit clumsy at first until you get

0:08:48.500000 --> 0:08:49.260000
used to the logic.

0:08:49.260000 --> 0:08:52.860000
And of course, you may also not want to get used to the logic and simply

0:08:52.860000 --> 0:08:56.580000
use built-in policies and possibly initiatives.

0:08:56.580000 --> 0:09:00.120000
In any case, let's take a look at this.

0:09:00.120000 --> 0:09:01.900000
Now, I already created VM policy.

0:09:01.900000 --> 0:09:05.760000
So just so you can see it works, I'll create VM policy two.

0:09:05.760000 --> 0:09:09.920000
And this is a, you can see the name of the policy I'm going to create,

0:09:09.920000 --> 0:09:11.680000
New-AzPolicyDefinition.

0:09:11.680000 --> 0:09:16.360000
Name VM policy two; display name, not important; description, not important.

0:09:16.360000 --> 0:09:22.680000
Mode all. That means that it's going to apply whether something has been

0:09:22.680000 --> 0:09:26.500000
indexed or not. So whether it's standardized or not.

0:09:26.500000 --> 0:09:29.860000
And then the policy is that custom policy.

0:09:29.860000 --> 0:09:37.000000
And I go ahead and I run that and my policy is created.

0:09:37.000000 --> 0:09:44.240000
And then if I want to see that it actually came to fruition.

0:09:44.240000 --> 0:09:53.180000
Oops, name. Oh, that's because I actually put it into an object.

0:09:53.180000 --> 0:09:54.800000
There's my object.

0:09:54.800000 --> 0:09:57.100000
All right. So I've now created a policy.

0:09:57.100000 --> 0:10:05.480000
Let's take a look at applying policies and also defining initiatives.

0:10:05.480000 --> 0:10:08.400000
Here I have the policy blade.

0:10:08.400000 --> 0:10:10.980000
So this is a blade where I can track all my policies.

0:10:10.980000 --> 0:10:12.420000
And it's pretty simple.

0:10:12.420000 --> 0:10:14.540000
I've got policy assignments and definitions.

0:10:14.540000 --> 0:10:17.880000
I can go down here to definitions.

0:10:17.880000 --> 0:10:21.740000
And these are all of my policy definitions.

0:10:21.740000 --> 0:10:24.940000
And I can have this across different scopes.

0:10:24.940000 --> 0:10:29.780000
All right. Here are the different subscriptions that I've got.

0:10:29.780000 --> 0:10:31.380000
I can even go to management groups right now.

0:10:31.380000 --> 0:10:33.940000
I've got all of my subscriptions.

0:10:33.940000 --> 0:10:36.860000
So that's really from anywhere.

0:10:36.860000 --> 0:10:39.880000
And definition type, policies and initiatives.

0:10:39.880000 --> 0:10:42.660000
Also custom or built-in.

0:10:42.660000 --> 0:10:45.560000
So let's say I choose custom.

0:10:45.560000 --> 0:10:49.040000
And there are my custom object.

0:10:49.040000 --> 0:10:52.880000
You can see I've created two basic hand policies.

0:10:52.880000 --> 0:10:55.580000
As well as a custom initiative.

0:10:55.580000 --> 0:10:58.840000
And I can create additional initiatives and additional policies right

0:10:58.840000 --> 0:11:00.000000
through this interface.

0:11:00.000000 --> 0:11:04.160000
And I'm actually going to create an initiative that does something very

0:11:04.160000 --> 0:11:09.720000
similar to the custom policy that I created.

0:11:09.720000 --> 0:11:13.820000
But in this case, I'm going to just use built-in policies.

0:11:13.820000 --> 0:11:15.740000
And I'm going to create a definition.

0:11:15.740000 --> 0:11:22.620000
This is going to be VM restrictions.

0:11:22.620000 --> 0:11:26.900000
If I can actually, oh, definition location, that's useful.

0:11:26.900000 --> 0:11:29.600000
Where am I going to put this definition?

0:11:29.600000 --> 0:11:33.040000
I can actually put this at the highest level within a management group.

0:11:33.040000 --> 0:11:36.460000
Or I can put this in a specific subscription, which is what I'm going

0:11:36.460000 --> 0:11:41.100000
to do. Then I'm going to give it a name clicking on the right place.

0:11:41.100000 --> 0:11:44.740000
VM. Restrictive.

0:11:44.740000 --> 0:11:51.180000
Initiative. And.

0:11:51.180000 --> 0:11:57.920000
Restrict VM creation.

0:11:57.920000 --> 0:12:00.100000
And then I've got a category.

0:12:00.100000 --> 0:12:01.840000
I can create a new category.

0:12:01.840000 --> 0:12:05.360000
These are just categories are just for organizing it.

0:12:05.360000 --> 0:12:09.880000
So do I have? You don't have anything that I want there.

0:12:09.880000 --> 0:12:11.460000
So we'll create a new one.

0:12:11.460000 --> 0:12:16.980000
Let's go with. I need.

0:12:16.980000 --> 0:12:24.720000
Policies. Now, I am going to build my initiative.

0:12:24.720000 --> 0:12:29.000000
And again, initiative is simply a group of policies.

0:12:29.000000 --> 0:12:33.380000
So let's say, for example, I do a search for VMs.

0:12:33.380000 --> 0:12:35.700000
There's way too many VMs.

0:12:35.700000 --> 0:12:37.920000
So let's go and do a search for SKU.

0:12:37.920000 --> 0:12:42.020000
Remember that I had that search before where I look for SKUs?

0:12:42.020000 --> 0:12:45.100000
Well, here is allowed virtual machine SKU.

0:12:45.100000 --> 0:12:47.600000
So I'm going to add that in.

0:12:47.600000 --> 0:12:54.180000
And then I also, if I can get it just off a type, there we go.

0:12:54.180000 --> 0:12:57.340000
Allowed resource types.

0:12:57.340000 --> 0:12:59.160000
I'm going to put that in.

0:12:59.160000 --> 0:13:04.100000
So now I have this initiative that's going to allow me to apply two policies.

0:13:04.100000 --> 0:13:08.000000
One is going to let me restrict the virtual machine SKUs and the other

0:13:08.000000 --> 0:13:12.100000
is going to allow me to restrict the actual types.

0:13:12.100000 --> 0:13:15.960000
And the way this works is that each one of these has parameters.

0:13:15.960000 --> 0:13:19.980000
Not all policies have parameters, but if I have an initiative and that

0:13:19.980000 --> 0:13:23.960000
initiative is using policies that have parameters, I have to define the

0:13:23.960000 --> 0:13:26.660000
way I want to deal with the parameters.

0:13:26.660000 --> 0:13:31.740000
So for example, for the allowed SKUs, I can either set the value manually

0:13:31.740000 --> 0:13:37.980000
here, or when somebody applies a policy, I will let the value be set there.

0:13:37.980000 --> 0:13:46.520000
But I'm going to go ahead for the SKUs, and I'm going to select some SKUs.

0:13:46.520000 --> 0:13:58.560000
The relatively, I did D2S, or D2V3, D2SV3, and I think I did D4.

0:13:58.560000 --> 0:14:00.940000
Not that it matters.

0:14:00.940000 --> 0:14:03.360000
D4SV3. All right.

0:14:03.360000 --> 0:14:08.000000
So this initiative would allow those three SKU sizes.

0:14:08.000000 --> 0:14:16.400000
And then the resource types can use initiative parameter or set the value.

0:14:16.400000 --> 0:14:19.700000
I'm going to use an initiative parameter, and this is going to generate

0:14:19.700000 --> 0:14:21.120000
a custom parameter.

0:14:21.120000 --> 0:14:24.300000
That's a terrible name, but I'm going to allow it.

0:14:24.300000 --> 0:14:28.860000
And then I want to save.

0:14:28.860000 --> 0:14:33.860000
So I now have this VM-restrictive initiative.

0:14:33.860000 --> 0:14:35.580000
And I want to apply this.

0:14:35.580000 --> 0:14:39.700000
I'm going to go to a resource group, and there's a couple different ways

0:14:39.700000 --> 0:14:40.660000
you can apply this.

0:14:40.660000 --> 0:14:49.300000
And I'm going to go to policy, and I'm going to go to policies under policy.

0:14:49.300000 --> 0:14:52.480000
And here are the policies.

0:14:52.480000 --> 0:14:54.660000
There's actually a default policy.

0:14:54.660000 --> 0:14:58.080000
This is a security policy that is applied.

0:14:58.080000 --> 0:15:01.000000
And I can assign a policy or an initiative.

0:15:01.000000 --> 0:15:04.900000
I'm going to go ahead and assign that initiative that I created.

0:15:04.900000 --> 0:15:09.780000
So the scope, where am I applying an initiative, in this case I'm applying

0:15:09.780000 --> 0:15:15.780000
it to the resource group, I'm not going to define any exclusions.

0:15:15.780000 --> 0:15:20.200000
But I do want to define or select my initiative.

0:15:20.200000 --> 0:15:28.600000
And I want custom, and there's my VM-restrictive initiative.

0:15:28.600000 --> 0:15:30.060000
And it gives it a name.

0:15:30.060000 --> 0:15:32.700000
I should give it a description, but I'm not going to.

0:15:32.700000 --> 0:15:40.340000
And then because I allowed the parameter type, or the resource type to

0:15:40.340000 --> 0:15:46.000000
be a parameter in the initiative, there we go.

0:15:46.000000 --> 0:15:46.900000
Just took a little bit.

0:15:46.900000 --> 0:15:48.520000
I was a little concerned there.

0:15:48.520000 --> 0:15:57.720000
I have the ability then to, of course, select which ones I want.

0:15:57.720000 --> 0:16:09.060000
And way up to Microsoft.Compute.

0:16:09.060000 --> 0:16:14.980000
There we go. And all the things under Compute I might want, such as virtual

0:16:14.980000 --> 0:16:20.400000
machines. And disks.

0:16:20.400000 --> 0:16:24.540000
And then possibly things like under Microsoft.Network.

0:16:24.540000 --> 0:16:30.760000
It's going to be a bit challenging.

0:16:30.760000 --> 0:16:33.280000
There's so many things.

0:16:33.280000 --> 0:16:35.980000
I would have to pick what I want here.

0:16:35.980000 --> 0:16:41.580000
So, for example, things like virtual network somewhere around here.

0:16:41.580000 --> 0:16:42.500000
Public IP address.

0:16:42.500000 --> 0:16:47.360000
I want that network interface.

0:16:47.360000 --> 0:16:54.300000
And I want a virtual network.

0:16:54.300000 --> 0:16:58.240000
OK, that should do it.

0:16:58.240000 --> 0:17:03.040000
All right. And go ahead and assign.

0:17:03.040000 --> 0:17:07.760000
All right. So now I have this policy.

0:17:07.760000 --> 0:17:14.740000
If I then, let's say that I don't want the policy I want to go back to

0:17:14.740000 --> 0:17:16.560000
the resource group.

0:17:16.560000 --> 0:17:27.280000
And if I try to add, let's say storage account doesn't show up there.

0:17:27.280000 --> 0:17:38.580000
Let's say a storage account.

0:17:38.580000 --> 0:17:42.420000
It took more effort to find the storage account than to actually set up

0:17:42.420000 --> 0:17:50.060000
the policy. And we will just do this really quickly.

0:17:50.060000 --> 0:17:55.560000
Should be unique enough.

0:17:55.560000 --> 0:18:04.000000
You can create. And I'm going to try to create this.

0:18:04.000000 --> 0:18:07.360000
And it should fail.

0:18:07.360000 --> 0:18:13.100000
And there we go.

0:18:13.100000 --> 0:18:18.020000
Deployment failed because it violated my policy.

0:18:18.020000 --> 0:18:24.960000
On the other hand, I go back and create a resource.

0:18:24.960000 --> 0:18:28.360000
Let's create an Ubuntu server.

0:18:28.360000 --> 0:18:34.300000
And if I'm very careful with this, I'm going to put it in my policy.

0:18:34.300000 --> 0:18:43.560000
I'm going to give this a virtual machine name of Ubuntu.

0:18:43.560000 --> 0:18:47.780000
West is fine. We'll leave it there.

0:18:47.780000 --> 0:18:50.280000
Availability didn't pick anything.

0:18:50.280000 --> 0:18:51.200000
All right. Ubuntu server.

0:18:51.200000 --> 0:18:53.180000
Now select size.

0:18:53.180000 --> 0:19:06.520000
Set a size. And let's go.

0:19:06.520000 --> 0:19:10.820000
Apparently the west US, west central US.

0:19:10.820000 --> 0:19:15.260000
Okay, this is going to east US and try that again.

0:19:15.260000 --> 0:19:21.180000
Ah, there we go.

0:19:21.180000 --> 0:19:24.040000
Not like virtual machines.

0:19:24.040000 --> 0:19:27.540000
But now I could go in and I could pick a different size.

0:19:27.540000 --> 0:19:30.900000
But if I do, I'm going to ask you to believe me that it would then fail.

0:19:30.900000 --> 0:19:32.680000
But we'll go through this.

0:19:32.680000 --> 0:19:36.640000
And just selecting things that should work.

0:19:36.640000 --> 0:19:54.220000
This password, just because I don't feel like putting in a public key.

0:19:54.220000 --> 0:20:02.800000
All right. And next, let's in case I forget to delete this.

0:20:02.800000 --> 0:20:08.480000
Next, it's going to create a network for me.

0:20:08.480000 --> 0:20:10.620000
And that should be fine.

0:20:10.620000 --> 0:20:12.740000
Now this one's important.

0:20:12.740000 --> 0:20:16.220000
I'm going to go ahead and turn off boot diagnostics because otherwise

0:20:16.220000 --> 0:20:20.360000
it would require a storage account, which I did not allow.

0:20:20.360000 --> 0:20:24.040000
And that really was the reason I wanted to go through this whole thing

0:20:24.040000 --> 0:20:26.500000
is because, you know, again, you have to think you have to be careful

0:20:26.500000 --> 0:20:32.560000
when you're defining which resources you're going to allow by policy and

0:20:32.560000 --> 0:20:36.700000
also conceptually by RBAC as well.

0:20:36.700000 --> 0:20:39.060000
Go ahead and review this.

0:20:39.060000 --> 0:20:40.520000
And it should be good.

0:20:40.520000 --> 0:20:45.720000
And that will create successfully unless I missed another type of resource.

0:20:45.720000 --> 0:20:50.780000
But I'm not going to make you wait for that to complete because the idea

0:20:50.780000 --> 0:20:54.880000
is that you have this ability to restrict.

0:20:54.880000 --> 0:21:00.420000
And you saw certainly that in one case when I tried to create a resource

0:21:00.420000 --> 0:21:02.880000
that was not allowed by policy, it failed.

0:21:02.880000 --> 0:21:06.320000
I'm now actually creating several resources, but I should have set up

0:21:06.320000 --> 0:21:10.020000
the initiative. I should set in the first place initiative because in

0:21:10.020000 --> 0:21:12.980000
this case, remember, I applied it an initiative, which is a combination

0:21:12.980000 --> 0:21:17.880000
of policies. Now, in the demonstration, I created a custom policy and

0:21:17.880000 --> 0:21:22.920000
then separately I created an initiative using built-in policies.

0:21:22.920000 --> 0:21:24.820000
There's no reason I couldn't do both.

0:21:24.820000 --> 0:21:29.300000
Create a custom policy and then use that custom policy in an initiative.

0:21:29.300000 --> 0:21:33.440000
My recommendation is certainly to start out with, look at the built-in

0:21:33.440000 --> 0:21:37.440000
policies and figure out how you want to apply them and they're pretty

0:21:37.440000 --> 0:21:41.680000
modular. So you should be able to take and generate your initiatives,

0:21:41.680000 --> 0:21:46.880000
create custom initiatives that blend the policies and then you can control

0:21:46.880000 --> 0:21:50.400000
how the parameters are going to be set for those initiatives.