Hi,
We are using one Azure policy to enforce several VM SKUs. This worked until now, but now there is one user who needs to deploy one resource with another SKU.
How do you guys deal with exceptions? Is it possible to configure the policy with an if-statement like "if SKU is not in allowed SKUs and user is not in Azure AD group, deny"?
Right now the only possible solutions seem to be:
- Exclude resource group from policy assignment
- Assign policy on resource group level with automation job except this resource group
- Exclude a "premium resource group" from assignment, create service there, relocate to user's resource group
Best regards,
Hendrik