Azure policy - how to apply a policy on specific resources

Question

Azure policy - how to apply a policy on specific resources

MarcVanderhaegen 306

Hello,

I would like to test the new CIS Security Benchmarks for Windows Server by deploying the policy but only on a few resources. (arc onboarded machines)
How is this possible ?
In the Basics of the policy assignment, you can choose the scope but you can only select a susbcription and a resource group, you can not select specific resources.
On the contrary, in the Exclusions, you can go down from subscription to specific resources.

So what I try is selecting my resource group and in the exclusion selecting on all the resources from the resource group except my few test machines.

Unfortunately this doesn't work; when selecting Review+Create I get an error message 'The request contant could not be read. Internal Error : request body too large'
I am sure it come from the fact that I have 16836 resources in the exclusions.
Here is a screenshot :
User's image

But even if it was working i would be the right way to do it because if a new resource was added to the resource group it would automatically get the policy as it wouldn't have been added to the exclusions.

So what is the best way to achieve this ?

Thanks for your help

Marc

Bharath Y P 9,645 Reputation points Microsoft External Staff Moderator

2026-06-02T07:44:04.4833333+00:00

Hello MarcVanderhaegen, thank you for posting your query on Microsoft Q&A platform.

We are looking into your issue and will keep you posted updates. Thanks
MarcVanderhaegen 306 Reputation points

2026-06-02T09:12:37.7533333+00:00

Thank you.
Just to let you know that changing the specific devices from resource group is not an option for us as it would be too complicated to adapt all our processes in place to manage devices in multiple resource groups.
MarcVanderhaegen 306 Reputation points

2026-06-02T10:24:30.7766667+00:00

Hello,
I have found a workaround to my problem.
By going on each machine individually it is possible to assign a policy and at this moment the scope is directly the resource.
For example, I went in Arc and selected a machine, went to Operations - Policy and then I was able to apply the CIS benchmark only to this machine.

It is not the way I was looking for but for now it is ok.
Isn't it possible for Microsoft to offer the same possibilites as in Azure Update Manager ? In Azure Update Manager you have the option to choose dynamic scopes and/or select direct resources. That would be a nice addon.

Marc
MarcVanderhaegen 306 Reputation points

2026-06-02T14:07:07.0266667+00:00

Hello @Bharath Y P
Thanks for your answer, i will submit a feedback for this as you suggested.
I will also create another post about this because even if I was able to deploy the policy to a single machine, it doesn't seem to be applied correctly and I don't get any result.
Bharath Y P 9,645 Reputation points Microsoft External Staff Moderator

2026-06-03T01:30:49.8133333+00:00

Hello MarcVanderhaegen, Thanks for the update, Hope the information shared was helpful. If so, please consider accepting the answer and upvoting. Feel free to reach out if you need any further assistance. Thank you.

Answer accepted by question author

0 additional answers

Your answer

Bharath Y P 9,645 Reputation points Microsoft External Staff Moderator

2026-06-02T07:44:04.4833333+00:00

Hello MarcVanderhaegen, thank you for posting your query on Microsoft Q&A platform.

We are looking into your issue and will keep you posted updates. Thanks
MarcVanderhaegen 306 Reputation points

2026-06-02T09:12:37.7533333+00:00

Thank you.
Just to let you know that changing the specific devices from resource group is not an option for us as it would be too complicated to adapt all our processes in place to manage devices in multiple resource groups.
MarcVanderhaegen 306 Reputation points

2026-06-02T10:24:30.7766667+00:00

Hello,
I have found a workaround to my problem.
By going on each machine individually it is possible to assign a policy and at this moment the scope is directly the resource.
For example, I went in Arc and selected a machine, went to Operations - Policy and then I was able to apply the CIS benchmark only to this machine.

It is not the way I was looking for but for now it is ok.
Isn't it possible for Microsoft to offer the same possibilites as in Azure Update Manager ? In Azure Update Manager you have the option to choose dynamic scopes and/or select direct resources. That would be a nice addon.

Marc
MarcVanderhaegen 306 Reputation points

2026-06-02T14:07:07.0266667+00:00

Hello @Bharath Y P
Thanks for your answer, i will submit a feedback for this as you suggested.
I will also create another post about this because even if I was able to deploy the policy to a single machine, it doesn't seem to be applied correctly and I don't get any result.
Bharath Y P 9,645 Reputation points Microsoft External Staff Moderator

2026-06-03T01:30:49.8133333+00:00

Hello MarcVanderhaegen, Thanks for the update, Hope the information shared was helpful. If so, please consider accepting the answer and upvoting. Feel free to reach out if you need any further assistance. Thank you.

Answer 1

Hello MarcVanderhaegen, thank you for your update, Currently, Azure Policy doesn’t support dynamic scoping similar to Azure Update Manager. Policy assignments are based on a static scope model (management group, subscription, resource group, or resource), and dynamic grouping of resources based on filters like tags isn’t supported at assignment time.Azure Update Manager uses a different approach, where scopes can be dynamically evaluated at runtime based on defined criteria, which provides more flexibility for operational tasks such as patching.

Currently, this capability is not available in Azure Policy. Policy assignments are based on a static scope model (management group, subscription, resource group, or individual resource), and dynamic scoping similar to Azure Update Manager is not supported today.

However, your feedback is valid and aligns with a known feature gap, and similar enhancements are being tracked internally.

In the meantime, we encourage you to share this requirement directly with the product team through the Azure Feedback Portal. Your input helps drive product improvements and prioritize new features. You can submit your feedback here: Azure Feedback Portal

Thank you for taking the time to provide this valuable suggestion.

Bharath Y P 9,645 Reputation points Microsoft External Staff Moderator

2026-06-05T08:37:20.3633333+00:00

Hello MarcVanderhaegen, If the information shared was helpful. If so, please consider accepting the answer and giving it an upvote. this will help other community member.

If you have any further questions or need additional clarification, feel free to reach out. Thanks!

Share via

Azure policy - how to apply a policy on specific resources

0 additional answers

Your answer