Intermediate

Azure Policy for Agent Guardrails

Azure Policy enforces organizational standards at the ARM layer. By defining policies that deny delete operations, require specific tags, and audit compliance, you create guardrails that AI agents cannot bypass through CLI commands.

How Azure Policy Protects Against AI Agents

Azure Policy evaluates every ARM API request against your policy definitions. When an AI agent runs az group delete, the request goes through ARM, where Policy can intercept and deny it before the operation reaches the resource provider. This is fundamentally different from RBAC — Policy applies rules based on resource properties and operation types, not identity.

RBAC vs Azure Policy: RBAC answers "Does this identity have permission?" while Azure Policy answers "Is this operation allowed by organizational rules?" Both can deny a delete operation, but they work at different layers. Using both together provides defense in depth.

Built-in Policies for Resource Protection

Built-in Policy | Effect | Agent Protection Value
--- | --- | ---
Allowed resource types | Deny creation of unapproved resource types | Prevents agents from creating expensive or dangerous resource types
Not allowed resource types | Block specific resource types | Block resources that should never exist in production subscriptions
Require tag on resources | Deny resources without required tags | Forces agents to tag resources, enabling audit and identification
Allowed locations | Restrict resource deployment regions | Prevents agents from deploying resources in unexpected regions

Assigning a built-in policy via Azure CLI
# Assign the "Require a tag on resources" built-in policy
az policy assignment create \
  --name "require-environment-tag" \
  --display-name "Require environment tag on all resources" \
  --policy "/providers/Microsoft.Authorization/policyDefinitions/871b6d14-10aa-478d-b590-94f262ecfa99" \
  --params '{"tagName": {"value": "environment"}}' \
  --scope "/subscriptions/YOUR-SUBSCRIPTION-ID" \
  --enforcement-mode Default

Custom Policy: Deny Delete Operations

The most impactful policy for AI agent safety is one that denies all delete operations on critical resources. Here is a custom policy definition:

deny-delete-operations.json - Custom policy to block deletions
{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "in": [
            "Microsoft.Compute/virtualMachines",
            "Microsoft.Sql/servers",
            "Microsoft.Sql/servers/databases",
            "Microsoft.Storage/storageAccounts",
            "Microsoft.ContainerService/managedClusters",
            "Microsoft.KeyVault/vaults",
            "Microsoft.Network/virtualNetworks",
            "Microsoft.DBforPostgreSQL/flexibleServers",
            "Microsoft.DocumentDB/databaseAccounts"
          ]
        }
      ]
    },
    "then": {
      "effect": "DenyAction",
      "details": {
        "actionNames": [
          "delete"
        ]
      }
    }
  },
  "parameters": {}
}

Creating and assigning the custom deny-delete policy
# Create the custom policy definition
# Indexed mode is used because DenyAction does not block a resource group
# deletion (az group delete) for definitions in mode All; every type listed
# in the rule supports tags and location, which Indexed mode requires.
az policy definition create \
  --name "deny-delete-critical-resources" \
  --display-name "Deny deletion of critical Azure resources" \
  --description "Prevents deletion of VMs, SQL, storage, AKS, Key Vault, VNets, PostgreSQL, and Cosmos DB" \
  --rules @deny-delete-operations.json \
  --mode Indexed

# Assign the policy at subscription scope
az policy assignment create \
  --name "deny-delete-prod" \
  --display-name "Deny deletion of critical resources in production" \
  --policy "deny-delete-critical-resources" \
  --scope "/subscriptions/YOUR-PROD-SUBSCRIPTION-ID" \
  --enforcement-mode Default

Policy That Requires Tags Before Deletion

A more nuanced approach allows deletion only when a resource has a specific "approved-for-deletion" tag. This creates a two-step process: a human must first tag the resource, then the agent can delete it.

require-tag-for-deletion.json - Deny delete unless tagged
{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "tags['approved-for-deletion']",
          "notEquals": "true"
        },
        {
          "field": "type",
          "in": [
            "Microsoft.Compute/virtualMachines",
            "Microsoft.Sql/servers/databases",
            "Microsoft.Storage/storageAccounts",
            "Microsoft.ContainerService/managedClusters"
          ]
        }
      ]
    },
    "then": {
      "effect": "DenyAction",
      "details": {
        "actionNames": [
          "delete"
        ]
      }
    }
  },
  "parameters": {}
}

Workflow: when a resource genuinely needs to be deleted:
(1) A human reviews the request.
(2) The human adds the approved-for-deletion: true tag via the Azure Portal or CLI.
(3) The deletion operation (by agent or human) is now allowed by policy.
(4) After deletion, audit logs show both the tagging event and the delete event for full traceability.
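
The tag-gated rule above can be checked locally before it is assigned. This is an added example, not part of the original page and not Azure's evaluation engine: it models only the operators this rule uses (allOf, in, notEquals) with case-insensitive string comparison, and the sample resources are constructed.

```python
import json

# Rule copied from require-tag-for-deletion.json on this page.
POLICY = json.loads("""
{"if": {"allOf": [
    {"field": "tags['approved-for-deletion']", "notEquals": "true"},
    {"field": "type", "in": [
      "Microsoft.Compute/virtualMachines",
      "Microsoft.Sql/servers/databases",
      "Microsoft.Storage/storageAccounts",
      "Microsoft.ContainerService/managedClusters"]}]},
 "then": {"effect": "DenyAction", "details": {"actionNames": ["delete"]}}}
""")

def field_value(resource, field):
    """Resolve the two field forms the rule uses: type and tags['name']."""
    if field.startswith("tags['") and field.endswith("']"):
        return resource.get("tags", {}).get(field[6:-2])  # None when tag is absent
    return resource.get(field)

def matches(cond, resource):
    """Evaluate allOf / in / notEquals; comparisons ignore case."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    value = (field_value(resource, cond["field"]) or "").lower()
    if "in" in cond:
        return value in [v.lower() for v in cond["in"]]
    if "notEquals" in cond:
        return value != cond["notEquals"].lower()
    raise ValueError(f"condition not modelled: {cond}")

def decision(resource, action):
    """Return 'deny' when the rule matches and the action is listed, else 'allow'."""
    listed = action in POLICY["then"]["details"]["actionNames"]
    return "deny" if listed and matches(POLICY["if"], resource) else "allow"

# Constructed sample resources (not real inventory).
VM_UNTAGGED = {"type": "Microsoft.Compute/virtualMachines", "tags": {}}
VM_APPROVED = {"type": "Microsoft.Compute/virtualMachines",
               "tags": {"approved-for-deletion": "True"}}
PUBLIC_IP = {"type": "Microsoft.Network/publicIPAddresses", "tags": {}}

if __name__ == "__main__":
    for name, res in [("untagged VM", VM_UNTAGGED), ("approved VM", VM_APPROVED),
                      ("public IP (type not listed)", PUBLIC_IP)]:
        print(f"{name}: delete -> {decision(res, 'delete')}")
```

A resource with no tag at all is denied, because an absent tag is not equal to "true", and a type missing from the "in" list is not protected by this rule.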

Policy Initiatives (Bundles) for AI Agent Safety

A policy initiative groups multiple policy definitions into a single assignment. This simplifies management and ensures all AI agent guardrails are applied together:

ai-agent-safety-initiative.json
{
  "properties": {
    "displayName": "AI Agent Safety Guardrails",
    "description": "Collection of policies to prevent AI agents from performing destructive operations",
    "policyDefinitions": [
      {
        "policyDefinitionId": "/subscriptions/SUB-ID/providers/Microsoft.Authorization/policyDefinitions/deny-delete-critical-resources",
        "parameters": {}
      },
      {
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/871b6d14-10aa-478d-b590-94f262ecfa99",
        "parameters": {
          "tagName": { "value": "managed-by" }
        }
      },
      {
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988",
        "parameters": {
          "listOfAllowedLocations": {
            "value": ["eastus", "eastus2", "westus2", "centralus"]
          }
        }
      }
    ]
  }
}

Creating and assigning the initiative
# Create the policy initiative (policy set)
az policy set-definition create \
  --name "ai-agent-safety-initiative" \
  --display-name "AI Agent Safety Guardrails" \
  --definitions @ai-agent-safety-initiative.json

# Assign the initiative at management group scope
az policy assignment create \
  --name "ai-agent-safety" \
  --display-name "AI Agent Safety Guardrails" \
  --policy-set-definition "ai-agent-safety-initiative" \
  --scope "/providers/Microsoft.Management/managementGroups/YOUR-MG-ID"

Policy Exemptions for Authorized Deletions

When legitimate deletion is needed, create a time-limited policy exemption rather than disabling the policy entirely:

Creating a time-limited policy exemption
# Create an exemption for a specific resource group
az policy exemption create \
  --name "cleanup-deprecated-dev-resources" \
  --policy-assignment "deny-delete-prod" \
  --exemption-category "Waiver" \
  --scope "/subscriptions/SUB-ID/resourceGroups/rg-deprecated-dev" \
  --description "Approved cleanup of deprecated dev resources - ticket INFRA-4521" \
  --expires-on "2026-03-21T00:00:00Z"

# The exemption automatically expires, re-enabling protection
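
Exemptions only stay safe if every one of them actually carries an expiry. The following added example (not from the original page) audits exemption records for a missing or distant expiry. It assumes the records have the name and expiresOn fields of the ARM policy exemption resource as returned by az policy exemption list -o json; the sample data and the 14-day threshold are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like `az policy exemption list -o json` output.
SAMPLE = json.loads("""[
 {"name": "cleanup-deprecated-dev-resources", "exemptionCategory": "Waiver",
  "expiresOn": "2026-03-21T00:00:00Z",
  "description": "Approved cleanup of deprecated dev resources - ticket INFRA-4521"},
 {"name": "legacy-app-waiver", "exemptionCategory": "Waiver",
  "expiresOn": null, "description": "temporary (constructed)"},
 {"name": "migration-window", "exemptionCategory": "Waiver",
  "expiresOn": "2027-01-01T00:00:00+00:00", "description": "constructed entry"}
]""")

def audit_exemptions(exemptions, now, max_days=14):
    """Return (name, reason) for exemptions that are not tightly time-limited.

    max_days is an assumed organisational limit, not an Azure default.
    """
    findings = []
    for ex in exemptions:
        raw = ex.get("expiresOn")
        if not raw:
            # No expiry: the deny-delete guardrail stays off until someone
            # remembers to remove the exemption.
            findings.append((ex["name"], "no expiry set"))
            continue
        # Accept both the 'Z' suffix and an explicit UTC offset.
        expires = datetime.fromisoformat(raw.replace("Z", "+00:00"))
        if expires - now > timedelta(days=max_days):
            findings.append((ex["name"], f"expires more than {max_days} days out"))
    return findings

if __name__ == "__main__":
    # Fixed reference time so the constructed sample gives a stable result.
    reference = datetime(2026, 3, 14, tzinfo=timezone.utc)
    for name, reason in audit_exemptions(SAMPLE, reference):
        print(f"{name}: {reason}")
```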

Remediation Tasks

For policies with deployIfNotExists or modify effects, remediation tasks automatically fix non-compliant resources. For AI agent safety, this can automatically add required tags or apply configurations:

Creating a remediation task
# Trigger remediation for non-compliant resources
az policy remediation create \
  --name "add-managed-by-tag" \
  --policy-assignment "require-managed-by-tag" \
  --resource-group "rg-production"

# Check remediation status
az policy remediation show \
  --name "add-managed-by-tag" \
  --resource-group "rg-production" \
  --query "{status:provisioningState, deployed:deploymentSummary}"

Policy Compliance Monitoring

Monitor your policy compliance state to ensure all AI agent guardrails are active and effective:

Checking policy compliance
# View overall compliance state
az policy state summarize \
  --filter "policySetDefinitionName eq 'ai-agent-safety-initiative'"

# List non-compliant resources
az policy state list \
  --filter "complianceState eq 'NonCompliant' and policySetDefinitionName eq 'ai-agent-safety-initiative'" \
  --query "[].{resource:resourceId, policy:policyDefinitionName, state:complianceState}" \
  --output table

# PowerShell: Get detailed compliance report
Get-AzPolicyState `
  -Filter "ComplianceState eq 'NonCompliant'" `
  -PolicySetDefinitionName "ai-agent-safety-initiative" |
  Select-Object ResourceId, PolicyDefinitionName, ComplianceState |
  Format-Table -AutoSize

Compliance Lag: Azure Policy compliance evaluation runs on a schedule (approximately every 24 hours for existing resources). New or modified resources are evaluated within 15 minutes. You can trigger an on-demand evaluation scan using az policy state trigger-scan, but be aware that large subscriptions may take several minutes to complete.