All about Microsoft Intune

Peter blogs about Microsoft Intune, Microsoft Intune Suite, Windows Autopilot, Configuration Manager and more

Using policy sets to group objects

This week is all about Policy sets in Microsoft Intune. Policy sets were introduced a few months ago and enable administrators to group management objects that need to be identified and assigned as a single object. That can help with simplifying the administration of the environment. A Policy set can be a group of almost all the different objects that are available within Microsoft Intune. That includes objects for different platforms within the same Policy set. This enables an administrator to use Policy sets for a lot of different use cases, from creating a standard for a specific user type to creating a standard set of apps for all users. In this post I’ll walk through the configuration steps, and along the way I’ll describe the available options and challenges. I’ll end this post with some notes about the assignment of a Policy set.

Creating policy sets

Now let’s take a closer look at Policy sets by walking through the configuration. The following 9 steps walk through the creation of a Policy set and the different options.

  • Open the Microsoft Endpoint Manager admin center portal and navigate to Devices > Policy sets to open the Policy sets blade
  • On the Policy sets blade, select Policy sets and click Create to open the Create a policy set wizard
  • On the Basics page, provide the following information (see Figure 1) and click Next: Application management
      • Policy set name: Provide a valid name for the Policy set
      • Description: (Optional) Provide a description of the Policy set
  • On the Application management page, provide the following information (see Figure 2) and click Next: Device management
      • Apps: Click Select apps to add apps to the Policy set. That can be an iOS/iPadOS store app, an iOS/iPadOS line-of-business app, a Managed iOS/iPadOS line-of-business app, an Android store app, an Android line-of-business app, a Managed Android line-of-business app, an Office 365 ProPlus Suite (Windows 10), a Web link, a Built-in iOS/iPadOS app, or a Built-in Android app. That also means that a Windows app (Win32) is currently not supported. After adding an app to the Policy set, the assignment type can also be configured.
      • App configuration policies: Click Select app configuration policies to add app configuration policies to the Policy set.
      • App protection policies: Click Select app protection policies to add app protection policies to the Policy set. That can be an APP targeted at managed Windows devices, an APP targeted at managed iOS/iPadOS devices, an APP targeted at managed Android devices, an APP targeted at unmanaged iOS/iPadOS devices, or an APP targeted at unmanaged Android devices. That also means that an APP targeted at unmanaged Windows devices is not supported.
  • On the Device management page, provide the following information (see Figure 3) and click Next: Device enrollment
      • Device configuration policies: Click Select device configuration policies to add device configuration policies to the Policy set.
      • Device compliance policies: Click Select device compliance policies to add device compliance policies to the Policy set. Only the Android Enterprise device owner type policies are not available.
  • On the Device enrollment page, provide the following information (see Figure 4) and click Next: Scope tags
      • Device type restrictions: Click Select device type restrictions to add custom device type restrictions to the Policy set.
      • Windows autopilot deployment profiles: Click Select Windows autopilot deployment profiles to add Windows autopilot deployment profiles to the Policy set.
      • Enrollment status pages: Click Select enrollment status page profiles to add custom enrollment status page profiles to the Policy set.
  • On the Scope tags page, provide the following information (see Figure 5) and click Next: Assignments
      • Scope tags: Click Select scope tags to add custom scope tags to the Policy set.
  • On the Assignments page, provide the following information (see Figure 6) and click Next: Review + create
      • Included groups: Click Select groups to include to add groups to the assignment of the Policy set.
      • Excluded groups: Click Select groups to exclude to exclude groups from the assignment of the Policy set.
  • On the Review + create page, verify the following information and click Create

After going through the configuration of a Policy set, it’s good to note that security baselines are not part of a Policy set configuration. The guided scenario Try out a cloud-managed PC also creates a policy set to group the different objects that are created during the guided scenario and that are supported as being a part of the guided scenario. That scenario also creates a security baseline assignment that is not part of the created Policy set. Guided scenarios are available on the Home page of the Microsoft Endpoint Manager admin center.

For automation purposes, it might be better to know how to automate the device type restriction configuration. That can be achieved by using the  policySet  object in the Graph API.

Assignment notes

Let’s end this post with some notes about the assignment of a Policy set. The following should be kept in mind when creating the assignment for the Policy set.

  • The different non-Windows app protection policies (APP) do not support an assignment via a Policy set. In that case the group will be added as a direct assignment. Those assignments will not be deleted when the assignment of the Policy set is removed.
  • The different APPs do not support an assignment to All users or All devices
  • A Windows autopilot deployment profile does not support an assignment to All users
  • An Enrollment status page profile does not support the assignment of virtual groups (All users, All devices or All users & All devices)
  • A Device type restriction profile does not support the assignment of virtual groups (All users, All devices or All users & All devices)

When the assignment of the Policy set is created it will show as a specific assignment with the different objects that are part of the Policy set (as shown in Figure 8).
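The assignment notes above can be checked before a Policy set is assigned. The following Python code is an added example, not code from the original post or from Microsoft; the item-kind labels, item names and group names are constructed for illustration and are not Graph API identifiers.

```python
"""Pre-flight review of a planned Intune policy set assignment (added example)."""
from dataclasses import dataclass

ALL_USERS = "All users"
ALL_DEVICES = "All devices"
VIRTUAL_GROUPS = frozenset({ALL_USERS, ALL_DEVICES})

# Assignment targets that an item kind does not support, taken from the
# assignment notes. The kind labels themselves are hypothetical.
UNSUPPORTED_TARGETS = {
    "app_protection": VIRTUAL_GROUPS,
    "autopilot_profile": frozenset({ALL_USERS}),
    "enrollment_status_page": VIRTUAL_GROUPS,
    "device_type_restriction": VIRTUAL_GROUPS,
}


@dataclass(frozen=True)
class Item:
    name: str
    kind: str                  # hypothetical label, e.g. "device_compliance"
    platform: str = "windows"


def becomes_direct_assignment(item):
    """Non-Windows APPs are assigned directly instead of via the policy set."""
    return item.kind == "app_protection" and item.platform != "windows"


def review_assignment(items, targets):
    """Return (item name, finding, target) tuples for a planned assignment."""
    targets = set(targets)
    findings = []
    for item in items:
        blocked = UNSUPPORTED_TARGETS.get(item.kind, frozenset()) & targets
        for target in sorted(blocked):
            findings.append((item.name, "unsupported-target", target))
        if becomes_direct_assignment(item):
            # Real groups end up as direct assignments on the policy itself.
            for group in sorted(targets - VIRTUAL_GROUPS):
                findings.append((item.name, "direct-assignment", group))
    return findings


def leftover_after_removal(items, targets):
    """Groups still assigned to an item after the policy set assignment is removed."""
    groups = sorted(set(targets) - VIRTUAL_GROUPS)
    return {item.name: groups
            for item in items
            if becomes_direct_assignment(item) and groups}


# Constructed sample policy set and assignment targets.
SAMPLE_ITEMS = [
    Item("iOS app protection", "app_protection", "ios"),
    Item("Autopilot user-driven", "autopilot_profile"),
    Item("Custom ESP", "enrollment_status_page"),
    Item("Windows compliance", "device_compliance"),
]
SAMPLE_TARGETS = [ALL_USERS, "Sales staff"]

if __name__ == "__main__":
    for name, finding, target in review_assignment(SAMPLE_ITEMS, SAMPLE_TARGETS):
        print(f"{name}: {finding} -> {target}")
    print("Left behind after removal:",
          leftover_after_removal(SAMPLE_ITEMS, SAMPLE_TARGETS))
```

The `leftover_after_removal` result is the part to act on when a group is taken out of scope: those direct assignments have to be removed on the app protection policy itself.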


More information

For more information about using policy sets for managing groups of objects in Microsoft Intune, refer to the documentation about Use policy sets to group collections of management objects.

6 thoughts on “Using policy sets to group objects”

This is definitely interesting, but needs support for both Win32 applications and powershell scripts to be really useful. Hopefully it’s in the pipeline.

Agree, Pär!

Can you control the order in which policy sets are applied?

Hi Clive, Not to my knowledge. Regards, Peter

Have you come across the issue of Android config policies not showing up when you try to add them to the policy set? When you select to bring up the config policy search box, it only lists windows policies but won’t show any android config policies to select.

Hi Damian, I have to admit that I haven’t looked at policy sets recently, but I just did and I do see the same. You might want to report that with Microsoft. Regards, Peter


S01E28 - How to Configure Policy Sets in Microsoft Intune - (I.T)

Published: Feb 11, 2020 by Intune.Training

Steve and Adam discuss how to use the new Policy Sets feature in Microsoft Intune to target groups settings/config/policies to devices/users.

  • 00:00 - Intro
  • 01:17 - Policy sets overview https://docs.microsoft.com/intune/fundamentals/policy-sets
  • 05:40 - Creating policy sets
  • 12:49 - Assigning policy sets discussion
  • 16:38 - Recap

Policy sets known issues https://docs.microsoft.com/intune/fundamentals/policy-sets#policy-sets-known-issues


Secure Infrastructure Blog

by the Secure Infrastructure team at Microsoft

Microsoft Endpoint Manager – Intune – Policy Sets & Guided Scenarios

Howdy all! When working through Intune to set up configurations to be deployed to managed devices, administrators may need to decide which configurations should be prioritized and applied as a standard across various device types. Historically this is achieved by uniquely assigning each item to respective groups and letting Intune deploy the assignments accordingly. In some cases, though, it makes sense to group configurations together and apply them as a unit to help arrive at that minimal required configuration set in a more planned and rational way. Policy Sets help you achieve exactly that. The video linked below walks through Policy Sets and demonstrates their use. The video also introduces Guided Scenarios, which are different from Policy Sets but complementary to them.


Intune Training: Exploring Policy Sets in Microsoft Intune

  • December 29, 2023
  • Posted by: Lara Administrator
  • Category: End User Computing


Introduction

Let’s dive deep into the topic of policy sets in Microsoft Intune. Policy sets are a powerful feature that allows you to group and assign different components such as applications, configurations, and deployment processes to specific security groups. By leveraging policy sets, you can simplify your management and ensure that the right policies are applied to the right users or devices. Let’s get started!

Understanding Policy Sets

Policy sets can be thought of as collections of policies that you can assign to specific groups. It’s a convenient way to organize and manage your policies based on different scenarios. For example, you can create policy sets for your front office, back office, contact centre, and executive staff, each with different applications and configurations required.

Accessing Policy Sets in Microsoft Intune

To access policy sets in Microsoft Intune, navigate to the Intune button in your web browser. Scroll down to find the “Policy Sets” section. If you don’t see it immediately, don’t worry. It may take a moment to load, especially if you’re using the preview version. Once loaded, you can start exploring policy sets and planning your deployments.

Creating a Policy Set

To create a policy set, simply click on the “Create” button at the top of the page. Give your policy set a name that reflects its purpose. For example, you can name it “Windows Scenario” to indicate that it is specific to Windows devices. One of the advantages of policy sets is that they are cross-platform, meaning you can apply them to different types of devices, such as iOS, macOS, Windows 10, and Android.

Adding Applications and Configurations to a Policy Set

Once you have created a policy set, you can start adding applications and configurations to it. Using the familiar user interface, you can select the apps and configurations that you want to include in the policy set. You can also specify whether an app or configuration is required, uninstalled, or available. This allows you to fine-tune the policies based on your specific needs.

Managing Device Compliance and Configuration

In addition to applications and configurations, policy sets also allow you to manage device compliance and configuration. You can select the device configuration and compliance policies that you want to include in a policy set. For example, you can include BitLocker, Defender, and other required configurations. By bundling all these policies together, you can easily manage and track their assignments.

Assigning Policy Sets to Groups

One important thing to remember when working with policy sets is to always assign them to specific groups. Avoid assigning policies to all users or devices, as this can lead to unintended consequences. Instead, target your policies at the user or device object level. This allows you to have more control and ensures that the policies are applied where they are needed.

Visibility and Monitoring

Policy sets provide a single pane of view where you can see all the settings assigned to a device or user. This makes it easy to track and monitor the policies that are applied. You can also pop out specific policies for quick access and configuration. It’s a great way to have visibility without having to navigate through each application or configuration individually.

Policy sets in Microsoft Intune are a valuable tool for managing and organizing your policies. With policy sets, you can simplify your management, ensure compliance, and streamline your deployments. By bundling policies together and assigning them to specific groups, you can have more control and visibility over your Intune environment. Start exploring policy sets today and take your Intune training to the next level!


What are Intune Policy Sets?

Starting with the Intune release from October 14th 2019, Microsoft made available a new functionality called “Policy Sets”. Even though they are now (at time of writing this article) still in preview, they are a very welcome addition to the Intune options available.

Added November 29th: Please make sure to also read about Guided scenarios – a preview feature in Intune which makes it possible to create policy sets based on predefined scenarios – What are Guided Scenarios in Microsoft 365 Device Management/Intune?

Disclaimer: This post is written on October 25th 2019 and reflects the state of this functionality at this point in time.

So what are policy sets?

By creating a policy set, you can group the following features into a set which you can assign to either device or user groups:

  • App configuration policies
  • App protection policies
  • Device configuration profiles
  • Device compliance policies
  • Device type restrictions
  • Windows autopilot deployment profiles
  • Enrollment status page

The functionality that policy sets provide is partly available in the Security Baselines Microsoft is providing already. Because in the end, the Microsoft Security Baseline for Windows 10 for example is nothing more than a combination of Device Configuration Profiles.

So how do we create a Policy Set within Intune?

The policy set functionality can be found under Devices in the new setup of the Intune portal. Go to Devices and choose Policy sets (Preview)

You can create a policy set by clicking on “+ Create” on the Policy sets page, which will start a wizard guiding you through creating your first policy set.

Under Application Management you can add the following items:

Under Device Management you can add the following items:

Under Device enrollment you can add the following items:

  • Enrollment status pages

Under assignment you can assign the policy set to All users, All devices, All users and all devices or selected groups. You can also specify groups to exclude. Note that you cannot determine if the policy set is available or required; that is determined by the individual setting.

From this point forward you can then create the policy set.

Policy sets are a welcome addition to the Intune functionality. Personally I would like the Security Baselines to be implemented as Policy sets as well, in order to give us more flexibility to work with the baselines. What’s missing from policy sets is the compliance reporting available in the Security baseline information. All of this can change of course, since the Policy sets are still in preview.

Before you start working with Policy Sets, please check for the known issues: https://docs.microsoft.com/en-us/intune/fundamentals/policy-sets#policy-sets-known-issues


[Examples] Create Custom Policies Policy Sets and Assignments

This page describes how to deploy your Azure landing zone with custom policy definitions and policy set (Initiative) definitions.

In this example you will use three custom policies and a custom policy set definition. The custom policies will be named Enforce-RG-Tags, Enforce-Resource-Tags and Deny-NIC-NSG. You will then create a custom policy set definition (Initiative) named Enforce-Mandatory-Tags that will include the Enforce-RG-Tags and Enforce-Resource-Tags custom policies.

You will update the built-in configuration by following these steps:

  • Create the custom policy definition file for Enforce-RG-Tags
  • Create the custom policy definition file for Enforce-Resource-Tags
  • Create the custom policy definition file for Deny-NIC-NSG
  • Create the custom policy set definition file for Enforce-Mandatory-Tags
  • Make the custom policy definitions available for use in Azure by extending the built-in archetype for es_root
  • Create the policy assignment files for Enforce-RG-Tags, Enforce-Resource-Tags, Deny-NIC-NSG and Enforce-Mandatory-Tags
  • Assign the custom policy set definition for Enforce-Mandatory-Tags at the es_root Management Group by extending the built-in archetype for es_root
  • Assign the custom policy definition for Deny-NIC-NSG at the Landing Zones Management Group by extending the built-in archetype for es_landing_zones

IMPORTANT: To allow the declaration of custom or expanded templates, you must create a custom library folder within the root module and include the path to this folder using the library_path variable within the module configuration. In our example, the directory is /lib.

In order to create and assign custom policies, we need to create both a definition file and an assignment file for each custom policy or custom policy set definition. In this example we will do this by using the below files:

  • lib/policy_definitions/policy_definition_es_enforce_rg_tags.json
  • lib/policy_definitions/policy_definition_es_enforce_resource_tags.json
  • lib/policy_definitions/policy_definition_es_deny_nic_nsg.json
  • lib/policy_set_definitions/policy_set_definition_enforce_mandatory_tagging.json
  • lib/policy_assignments/policy_assignment_es_enforce_rg_tags.json
  • lib/policy_assignments/policy_assignment_es_enforce_resource_tags.json
  • lib/policy_assignments/policy_assignment_es_deny_nic_nsg.json
  • lib/policy_assignments/policy_assignment_es_enforce_mandatory_tagging.json

NOTE: This module provides the ability to define custom template variables used when reading in template files from the built-in and custom library_path. For more info click here .

Create Custom Policy Definition

In your /lib directory create a policy_definitions subdirectory if you don't already have one. You can learn more about archetypes and custom libraries in this article .

NOTE: Creating a policy_definitions subdirectory is a recommendation only. If you prefer not to create one or to call it something else, the custom policies will still work.

In the policy_definitions subdirectory, create a policy_definition_es_policy_enforce_rg_tags.json file. This file will contain the policy definition for Enforce-RG-Tags . Copy the below code in to the file and save it.

Now create a policy_definition_es_policy_enforce_resource_tags.json file. This file will contain the policy definition for Enforce-Resource-Tags . Copy the below code in to the file and save it.

Next create a policy_definition_es_policy_deny_nsg_nic.json file. This file will contain the policy definition for our last custom policy - Deny-NSG-NIC . Copy the below code in to the file and save it.

Create Custom Policy Set Definition

In your /lib directory create a policy_set_definitions subdirectory.

NOTE: Creating a policy_set_definitions subdirectory is a recommendation only. If you prefer not to create one or to call it something else, the custom policies will still work.

In the policy_set_definitions subdirectory, create a policy_set_definition_enforce_mandatory_tags.json file. This file will contain the Policy Set Definition for Enforce-Mandatory-Tags . The policy set will contain the Enforce-RG-Tags and Enforce-Resource-Tags custom policies that you previously created. Copy the below code in to the file and save it.

Create Custom Policy Assignment Files

In order to assign your custom policies or policy sets, you need to create policy assignment files. The first step is to create a policy_assignments subdirectory within /lib .

NOTE: Creating a policy_assignments subdirectory within \lib is a recommendation only. If you prefer not to create one or to call it something else, the custom policies will still work.

You will then need to create a file named policy_assignment_es_enforce_rg_tags.json within the policy_assignments directory. Copy the below code in to the file and save it.

Now create a file named policy_assignment_es_enforce_resource_tags.json within the policy_assignments directory. Copy the below code in to the file and save it.

Next create a file named policy_assignment_es_deny_nic_nsg.json within the policy_assignments directory. Copy the below code in to the file and save it.

Finally, create a file named policy_assignment_es_enforce_mandatory_tagging.json . Copy the below code in to the file and save it.

Make the Custom Policy Definitions and Policy Set Definition available for use

You now need to save your custom policy and policy set definitions at the es_root Management Group to ensure they can be used at that scope or any scope beneath. To do that, we need to extend the built-in archetype for es_root .

NOTE: Extending built-in archetypes is explained further in this article .

If you don't already have an archetype_extension_es_root.tmpl.json file within your custom /lib directory, create one and copy the below code in to the file. This code saves the custom policy definition and policy set definitions but we still haven't assigned them anywhere yet.

Assign the Enforce-Mandatory-Tags Custom Policy Set at the es_root Management Group

You now need to assign the Enforce-Mandatory-Tags policy set and in this example, we will assign it at es_root . To do this, update your existing archetype_extension_es_root.tmpl.json file with the below code and save it.

You should now kick-off your Terraform workflow (init, plan, apply) to apply the new configuration. This can be done either locally or through a pipeline. When your workflow has finished, the Enforce-Mandatory-Tags policy set will be assigned at es_root .

Assign the Deny-NIC-NSG Custom Policy Definition at the Landing Zones Management Group

As you have already saved the Deny-NIC-NSG Custom Policy Definition at es_root, this gives us the ability to assign it at the es_root scope or at any scope beneath it. In this example, we will assign it at the Landing Zones Management Group. To do this, either update your existing archetype_extension_es_landing_zones.tmpl.json file or create one and copy the below code in to it and save.

You should now kick-off your Terraform workflow (init, plan, apply) again to apply the updated configuration. This can be done either locally or through a pipeline. When your workflow has finished, the Deny-NIC-NSG Policy Definition will be assigned at the Landing Zones Management Group.

You have now successfully created and assigned both a Custom Policy Definition and a Custom Policy Set Definition within your Azure environment. You can re-use the steps in this article for any Custom Policies of your own that you may wish to use.


HTMD Community Blog #1 Modern Device Management Guides

Intune Policy Sets Collection of Workflows Admin Friendly MEM

Intune policy sets give a user-friendly experience to Intune admins. The screenshots are taken from the Ignite session slides and demos by Paul Mayfield, Terrell Cox, and Micro-Scott.

More details about the session and its recording are in the section below.


Intune Policy Sets

Intune policy sets and guided scenarios are helpful for new admins. They don’t have to search for each function within Microsoft Endpoint Manager/Intune portals, and the guided scenarios provide the best admin experience.


You can use policy sets to:

  • Create Standard configurations
  • Get up and running quickly (less learning curve for non-Intune admins)
  • Group objects that need to be assigned together
  • Assign your organization’s minimum configuration requirements on all managed devices
  • Assign commonly used or relevant apps to all users
  • Collection or group of workflows from Intune
  • Assign to an Azure AD group and report aggregate

Intune Policy Sets Collection of Workflows Admin Friendly MEM - Fig.1

Intune Policy Set Configurations

Device Management portal (Microsoft Endpoint Manager)

https://devicemanagement.microsoft.com/#blade/Microsoft_Intune_Workflows/PolicySetMenuBlade/overview

Intune Policy Sets Collection of Workflows Admin Friendly MEM - Fig.2

Select the following groups of workflows

  • Apps – Select one or more apps from the list of available apps
  • App configuration policies – Select one or more Intune App configuration Policies
  • App protection policies – Select one or more Intune APP

Intune Policy Sets Collection of Workflows Admin Friendly MEM - Fig.3

  • Device configuration profiles – Select device configuration profiles
  • Device compliance policies – Select the compliance policies you want to be part of the policy set
  • Device type restrictions – Select the device type conditions to be part of the policy set

Intune Policy Sets Collection of Workflows Admin Friendly MEM - Fig.4

Select Device Enrollment workflows

  • Windows autopilot deployment profiles
  • Enrollment status page

Intune Policy Sets Collection of Workflows Admin Friendly MEM - Fig.5

Select Azure AD Device or User Groups and complete the Intune policy set assignment.

  • Microsoft Endpoint Manager, including Microsoft Intune and Configuration Manager – https://myignite.techcommunity.microsoft.com/sessions/83532
  • Use policy sets to group collections of management objects
  • Policy Sets Known Issues

Anoop C Nair  is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

DEV Community

Olivier Miossec

Posted on Oct 31, 2022

Bicep and Azure Policy: Manage Policy and Initiative Assignment

This is the third post about Azure Policy. This time, the post will focus on policy assignments with Azure Bicep and PowerShell. A policy assignment enforces a policy or a policy set at a given scope, such as a management group or a subscription. This is where policies are applied to target resources.

A policy assignment object has several properties:

  • A name (limited to 24 characters at the management group scope, 64 characters for other scopes)
  • A location, the Azure region that stores the operation metadata
  • A display name, limited to 128 characters
  • An identity object
  • A description
  • The enforcement mode, either Default (enforced) or DoNotEnforce
  • A non-compliance object. The message will be displayed when resources are not compliant with the policy.
  • A not scope array, to exclude some management groups or subscriptions from the assignment
  • A parameters object, to apply parameters for the policy for the assignment
  • The Policy definition ID, resource ID of the policy definition, or the policy set

In Bicep language

The deployment of this Bicep file could be done with the New-AzManagementGroupDeployment cmdlet. But as with custom policy definitions and policy sets, you will certainly be asked to assign more than one policy. How can you manage several policy assignments in one place? This is the same problem we had with deploying policies. But even if a policy assignment can be seen as a JSON document, the amount of information needed to assign a policy is limited. Instead of using one JSON file per assignment, we can create a single JSON document with all assignments, but we need to take care of the scope.

The Bicep file:

This Bicep file will deploy a policy assignment. As the deployment will be made via PowerShell, we need to convert the value of the parameters and the nonComplianceMessage properties from string to JSON with the JSON function in Bicep.

All the parameters needed for the deployment are stored in a JSON document.

There is one policy to assign but two assignments in the JSON document. It’s to illustrate the power of parameters in the assignment process. You can assign the same policy, multiple times, even at the same scope, as long as the name changes and the parameters are different.

Each object in the JSON document will serve to deploy the assignment via a PowerShell script.

The script reads the content of the JSON document and, for each object, extracts the variables needed to deploy the Bicep file. But there is a difficulty: the Bicep nonComplianceMessages property requires a JSON array, but most of the time there will be only one message or no message at all (multiple messages are only used for policy sets). And if there is only one message (or none), you will not end up with a JSON array but with a simple JSON object, so a modification is needed.

To deploy, simply run deployAssignment.ps1 from its folder. You can add the "location" parameter to adjust the Azure region to your needs.

You can find the related PwSh/Bicep code here
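The checks below are an added example, not the author's deployAssignment.ps1 (which is not reproduced on this page): they validate each entry of an assignments document against the limits listed above and force nonComplianceMessages into a JSON array before the values would be passed to a Bicep deployment. The JSON field names (`scopeType`, `notScopes` and the others), the function names and the sample document are assumptions constructed for illustration.

```powershell
# Added example; the JSON field names and all values are constructed for illustration.
$assignmentsJson = @'
[
  {
    "name": "allowed-loc-eu",
    "scopeType": "managementGroup",
    "displayName": "Allowed locations (EU)",
    "enforcementMode": "Default",
    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/00000000-0000-0000-0000-000000000000",
    "parameters": { "listOfAllowedLocations": { "value": [ "westeurope", "northeurope" ] } },
    "nonComplianceMessages": { "message": "Deploy only to approved EU regions." }
  },
  {
    "name": "allowed-locations-sandbox-audit",
    "scopeType": "managementGroup",
    "displayName": "Allowed locations (sandbox, audit only)",
    "enforcementMode": "DoNotEnforce",
    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/00000000-0000-0000-0000-000000000000",
    "parameters": { "listOfAllowedLocations": { "value": [ "westeurope" ] } },
    "notScopes": [ "/subscriptions/00000000-0000-0000-0000-000000000000" ]
  }
]
'@

function ConvertTo-MessageArrayJson {
    param($Messages)
    # $null becomes an empty list, a single object becomes a one-element list.
    $list = @($Messages | Where-Object { $null -ne $_ })
    if ($list.Count -eq 0) { return '[]' }
    # -InputObject (rather than the pipeline) keeps a one-element array as a JSON array.
    return ConvertTo-Json -InputObject $list -Depth 5 -Compress
}

function Test-AssignmentEntry {
    param([Parameter(Mandatory)] $Assignment)
    $problems = @()   # things that should stop the deployment
    $notes    = @()   # things a reviewer should look at

    # Name limit depends on the scope: 24 at management group scope, 64 elsewhere.
    $maxName = if ($Assignment.scopeType -eq 'managementGroup') { 24 } else { 64 }
    if ([string]::IsNullOrWhiteSpace($Assignment.name)) {
        $problems += 'name is missing'
    }
    elseif ($Assignment.name.Length -gt $maxName) {
        $problems += "name has $($Assignment.name.Length) characters; the limit at this scope is $maxName"
    }
    if ("$($Assignment.displayName)".Length -gt 128) {
        $problems += 'displayName is longer than 128 characters'
    }
    if ([string]::IsNullOrWhiteSpace($Assignment.policyDefinitionId)) {
        $problems += 'policyDefinitionId is missing'
    }
    if ($null -ne $Assignment.enforcementMode -and
        $Assignment.enforcementMode -notin 'Default', 'DoNotEnforce') {
        $problems += "enforcementMode '$($Assignment.enforcementMode)' is not Default or DoNotEnforce"
    }

    # Not enforced and excluded scopes are legitimate, but they weaken the guardrail.
    if ($Assignment.enforcementMode -eq 'DoNotEnforce') {
        $notes += 'assignment is not enforced (audit only)'
    }
    $notScopes = @($Assignment.notScopes | Where-Object { $_ })
    if ($notScopes.Count -gt 0) {
        $notes += "$($notScopes.Count) scope(s) excluded through notScopes"
    }

    $parameterJson = if ($null -eq $Assignment.parameters) { '{}' }
                     else { ConvertTo-Json -InputObject $Assignment.parameters -Depth 10 -Compress }

    [pscustomobject]@{
        Name                  = $Assignment.name
        Problems              = $problems
        Notes                 = $notes
        Parameters            = $parameterJson
        NonComplianceMessages = ConvertTo-MessageArrayJson $Assignment.nonComplianceMessages
    }
}

# foreach over the parenthesised expression enumerates the entries on both
# Windows PowerShell 5.1 and PowerShell 7.
foreach ($entry in ($assignmentsJson | ConvertFrom-Json)) {
    $result = Test-AssignmentEntry -Assignment $entry
    $status = if ($result.Problems.Count -eq 0) { 'OK' } else { 'BLOCKED' }
    '{0,-8}{1}' -f $status, $result.Name
    $result.Problems | ForEach-Object { "  problem: $_" }
    $result.Notes    | ForEach-Object { "  review:  $_" }
    "  nonComplianceMessages = $($result.NonComplianceMessages)"
}
```

Running the checks before the deployment loop keeps a rejected name or a silently unenforced assignment from being discovered only after the other assignments have already been deployed.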


Azure Policy: Starter Guide

My coworkers and teammates often reach out to me with similar questions regarding the best practices for creating and applying Azure Policy. That tendency encouraged me to compile this starter guide for Azure Policy, which is based on my practical experience in multiple projects and covers the 20% baseline that allows you to implement 80% of typical use cases, aka the Pareto principle.

Learn the topic

RTFM stands for “read the fucking manual,” bro.

Seriously, I mean, read the Microsoft Azure Policy docs first. Microsoft is doing a great job with documenting their services and solutions recently, and without knowing the basic Azure Policy principles, it will be really hard for you to grasp the concepts. After investigating what Azure Policy is for, I suggest looking through the list of built-in policies to get an idea about typical use cases for different Azure service types.

The two most important points to pay attention to initially are understanding Azure Policy effects and Azure Policy deployment scopes. The effects will give you some insights into what you can actually do with the policies. At the same time, the deployment scope will save you time for troubleshooting why you cannot assign a policy deployed at the subscription level to another subscription.

The evaluation of logical conditions in policy rules is, I would say, less critical. It might cause you some headache initially, but as soon as you understand how the double negation works, you shall be fine.

Although Azure policies can modify the configuration of existing Azure resources and even deploy new resources, I suggest starting with auditing resource configuration (Audit and AuditIfNotExists effects) and putting some guardrails (Deny effect) in your environment as the latter ones are easier to learn and understand.

Apart from the official documentation, I definitely recommend watching a few learning courses about Azure Governance on Pluralsight:

  • Mastering Microsoft Azure Governance by James Bannan
  • Microsoft Azure DevOps Engineer: Implementing Infrastructure Control and Compliance by John Savill

They are just a few hours long and can provide you with a really good starting point to advance your Azure Policy learning.

Make an assessment

“Think first before you act.” An unknown guru.

Before making any changes in your environment, i.e., assigning a new Azure Policy to your subscription, it is worth knowing first what policies are already in effect and their compliance results. Besides, assigned policies are evaluated in a specific order you should be aware of. Otherwise, it is easy to mess up your Azure environment: policies usually control something on a global scale (a whole subscription or management group), therefore impacting lots of resources.

In 80 percent of use cases, using the Azure portal to assess what existing policy and initiative assignments are and their compliance state will be the right choice – when there are only a few policies applied, no need to overcomplicate things.

In more advanced scenarios, when an organization has already deployed dozens of custom Azure Policy definitions and extensively uses them at the management group level and on the individual subscriptions, manual assessment is somewhat complicated. Here I can suggest using AzGovViz – a community-built solution (a PowerShell script) that can help you quickly create a comprehensive report in different formats containing all the details about Azure Policy configuration in your environment and more. You can even integrate AzGovViz with Azure DevOps pipelines to document the policy configuration as part of your deployments.

Create your policy

“Let’s roll up your sleeves and get to work!” A motivational speech.

Even though Microsoft already provided us with lots of useful built-in ready-to-use policies, I encourage you to not hurry on assigning them left and right. You will never understand how Azure Policy works to the full extent until you learn how to create and manage your custom policies.

A typical antipattern to avoid is dozens of individually assigned policies when they should be applied as a group via a policy initiative.

Firstly, you can look into the source code of built-in Azure policies (check the last column with the links to GitHub) and use it as a draft for your custom policy or initiative definitions. Alternatively, you can go straight to the Azure Policy Samples repository on GitHub, clone it, and explore with your coding tools.

Probably, the best coding experience with Azure Policy as of now is to use Visual Studio Code with the Azure Policy extension for it. Additionally, I suggest installing the ARM Tools extension. It will significantly help you with syntax validation, snippets, and auto-completion if you decide to define your policies in ARM templates to make your deployment experience more consistent.

Recently, Microsoft has updated its docs with some ARM snippets for policy definitions, policy set definitions (aka policy initiatives), and their assignments. Still, those articles miss many nuances and details, and I suggest checking out my work on Azure Policies and my repository for sample Azure Policies on GitHub.

For more advanced cases, check the recent updates to Azure Policy on AzPolicyAdvertizer. As documenting new policies usually takes some time, AzPolicyAdvertizer closes that gap by providing short information about policies and recent changes to them.

A common use case is to duplicate a built-in policy logic in your custom definition completely. The reason for that is the way the Azure Policy engine handles updates to the existing definitions. When you update a definition, all existing assignments of it will automatically use the new definition. Although there are some controls for backward compatibility, and Microsoft usually doesn’t introduce breaking changes in the existing definitions, many teams prefer to have full control over their configuration.

“Damn it! I said, test it first!” A senior developer, fixing a bug in production.

I honestly must warn you that testing Azure Policy is not an easy task. Nevertheless, I strongly encourage you to test your policy work before putting it into use. Considering the usual scope the policies are applied and the effects they can make (change configuration, deploy new resources), the results of careless policy assignments can be quite devastating to your environment.

First of all, you need to ensure that the syntax of your policy or initiative is correct. Whether you define your definitions in JSON policy format or ARM templates, the Visual Studio Code extensions mentioned above should help you find and fix basic syntax errors. If you stick with the ARM template option, you can use Test-Az*Deployment Azure PowerShell cmdlets to validate your templates’ syntax against Azure Resource Manager APIs. Unfortunately, the policy-related cmdlets in the Az.Resources module don’t support any testing options yet.

As a matter of caution, set the policy ‘enforcementMode’ parameter into the disabled state when creating assignments for your tested policies so you can safely audit their work results.

Secondly, be aware that Azure Policy assignments don’t come into effect immediately. There is a policy evaluation delay, which is around 30 minutes or so. Also, auditing your resources might take some time as the Azure Policy engine needs to evaluate all resources against policy rules within the assigned scope. In other words, you cannot test the results of your policy work immediately. Apart from that, the delay effectively complicates automated tests for Azure Policy.

Although there is an option to initiate an on-demand evaluation scan, it still won’t make the whole process much faster if a policy needs to process thousands of resources.

Due to all the complications, I would say that the testing process for your policies will be manual or semi-manual in most cases. You will validate the syntax, deploy the definitions into a test environment, i.e., a dedicated subscription, assign them to a test scope, deploy some resources to test the expected policy behavior, and check results on the portal. In the end, the code for Azure Policy is not something that is often updated, and manual testing can be a reasonable tradeoff to creating automated test cases.

However, in advanced scenarios, when you need to create and maintain more than a handful of simple policies, creating automated Azure Policy tests as part of your CI/CD pipeline is a must. I’m planning to cover this topic in detail in a separate post as it requires quite a lot of explanation not explicitly tied to Azure Policy.

“Do. Or do not. There is no try.” Master Yoda to young Skywalker.

As I already mentioned, before actually deploying your custom policy or initiative definitions, you should clearly understand what the deployment scopes are. Besides, you should also understand how Azure Policy inclusions, exclusions, and exemptions work. Apart from that, you should have a clear distinction between a policy/initiative definition and its assignment: you should deploy the definition and assign it to your scope to make your Azure policy work.

Technically, you can deploy policies and create assignments using any supported method: the portal, Azure CLI, Azure PowerShell, Azure REST API, etc. It’s really up to you to choose which one of them fits your configuration management and deployment practices.

When I started working with Azure Policy myself, I was a bit frustrated with the default programming experience of maintaining two separate files for each definition and came up with a solution on how to deploy Azure Policy with ARM templates. However, things have changed since then, and now the policies are defined in a single file. A slight improvement, but the Azure PowerShell cmdlets still require lots of additional parameters that should be duplicated on their usage.

Optionally, you can try using the AzOps deployment framework, which could be a good choice for large environments when you run your Azure Governance as a separate project.

Just be consistent in the way you do your deployments and preferably manage Azure Policy as a part of your CI/CD pipelines.

Check the results

“A man reaps what he sows” A proverb.

Finally, your first policy is deployed, the assignment is created, and it’s time to see what we have got.

Remember about the time it takes for a policy to come into effect and evaluate your resources.

Using the Azure portal to get Azure Policy compliance results would be the most obvious and probably the most reasonable choice at the beginning – it won’t hurt to keep things simple.

For advanced scenarios, when you are already proficient with managing Azure Policy from deployment pipelines, you might want to check how you can get Policy insights with code to evaluate them in your test cases. Also, take a look at the Az.PolicyInsights PowerShell module, and what kind of data you can extract with it.

In conclusion

Just reading this guide won’t make you an expert in Azure Policy. For that, you need to have some practice too. So, give it a try – look into your Azure infrastructure, find some areas you can improve with Azure Policy (trust me, there is always something that can be improved 😉), come up with a solution, test it, apply and reap the benefits!

If you have any questions about this topic, put them in the comments below 👇.

Written by:

Andrew Matveychuk


Use policy sets to group collections of management objects

Policy sets allow you to create a bundle of references to already existing management entities that need to be identified, targeted, and monitored as a single conceptual unit. A policy set is an assignable collection of apps, policies, and other management objects you've created. Creating a policy set enables you to select many different objects at once, and assign them from a single place. As your organization changes, you can revisit a policy set to add or remove its objects and assignments. You can use a policy set to associate and assign existing objects, such as apps, policies, and VPNs in a single package.

For a list of known issues related to policy sets, see Policy sets known issues.

Policy sets don't replace existing concepts or objects. You can continue to assign individual objects and you can also reference individual objects as part of a policy set. Therefore, any changes to those individual objects will be reflected in the policy set.

You can use policy sets to:

  • Group objects that need to be assigned together
  • Assign your organization's minimum configuration requirements on all managed devices
  • Assign commonly used or relevant apps to all users

You can include the following management objects in a policy set:

  • App configuration policies
  • App protection policies
  • Device configuration profiles
  • Device compliance policies
  • Windows autopilot deployment profiles
  • Enrollment status page
  • Settings catalog policies

As of September 2021, enrollment restrictions based on device type can no longer be included in policy sets. For more information about how to create enrollment restrictions, see Set enrollment restrictions .

When you create a policy set, you create a single unit of assignment, and manage associations between different objects. A policy set will be a reference to objects external to it. Any changes in the included objects will affect the policy set as well. After you create a policy set, you can repeatedly view and edit its objects and assignments.

Policy sets support Windows, Android, macOS, and iOS/iPadOS settings, and can be assigned cross-platform.

How to create a policy set

Sign in to the Microsoft Intune admin center.

Select Devices > Policy Sets > Policy sets > Create.

On the Basics page, add the following values:

  • Policy set name - Provide a name for this policy set.
  • Description - Optionally, provide a description for the policy set.

Create policy set - Basics

Click Next: Application management. On the Application management page you can optionally add apps, app configuration policies, and app protection policies to your policy set. For information about app management, see What is Microsoft Intune app management?.

Click Next: Device management. The Device management page allows you to add device management objects to your policy set, such as device configuration profiles and device compliance policies. Be sure to include all associated objects, such as other policies, certificates, and security baseline profiles.

Click Next: Device enrollment. The Device enrollment page allows you to add device enrollment objects to your policy set, such as Windows Autopilot deployment profiles and enrollment status page profiles.

Click Next: Assignments. The Assignments page allows you to assign the policy set to users and devices. It's important to note that you can assign a policy set to a device whether or not the device is managed by Intune.

Click Next: Review + create to review the values you entered for the profile.

When you're done, click Create to create the policy set in Intune.

Policy sets known issues

Policy sets, new to 1910, have the following known issues.

When creating a policy set, if a scoped admin tries to create a policy set without any scope tags selected, upon reaching the Review + Create page, validation will fail and an error will be displayed on the status bar. The admin must switch to a different page in the process, then return to the Review + Create page. This will enable the Create option.

The following app types are currently supported by policy sets:

  • iOS/iPadOS store app
  • iOS/iPadOS line-of-business app
  • Managed iOS/iPadOS line-of-business app
  • Android store app
  • Android line-of-business app
  • Managed Android line-of-business app
  • Microsoft 365 Apps (Windows 10 and later)
  • Microsoft 365 Apps (macOS)
  • Microsoft Edge (Windows 10 and later)
  • Microsoft Edge (macOS)
  • Microsoft Defender ATP (macOS)
  • Windows MSI line-of-business app
  • Built-In iOS/iPadOS app
  • Built-In Android app

Policy sets support a subset of Intune App, Policy and Platform types. If an app or policy type is not available in the Policy Set picker experience, it is not officially supported.

Setting a policy set assignment of All Users to Autopilot Profile is unsupported.

Policy sets have the following enrollment restrictions and Enrollment Status Page (ESP) issues:

  • Restrictions and ESP don't support virtual group assignments.
  • Restrictions and ESP don't strictly support exclusion group assignments.
  • Restrictions and ESP use priority-based conflict resolution. Restrictions and ESP might not be applied to the same users as the rest of a policy set's payloads if the restrictions and ESP are also targeted by a higher priority restriction and ESP.
  • The default restrictions and ESP can't be added to a policy set.

MAM policy types that support policy sets include the following:

  • MAM WIP (Windows) MDM targeted managed app protection
  • MAM iOS/iPadOS targeted managed app protection
  • MAM Android targeted managed app protection
  • MAM iOS/iPadOS targeted managed app configuration
  • MAM Android targeted managed app configuration

MAM policy types that don't support policy sets include the following:

  • MAM WIP (Windows) targeted managed app protection

MAM processes policy set assignments as direct assignments for the following policy types:

If a policy is added to a policy set that is deployed to a group, the group would show as directly assigned in the workload, not "assigned via the policy set". As a result of this, MAM doesn't process group assignment deletions coming from policy sets.

MAM doesn't support deployment to All Users and All Devices virtual groups for any policy types.

The Device Configuration Profile of type "Administrative Templates" can't be selected as part of a policy set.



Policy Set (Initiative) Definitions

Initiative (policy set) definition files.

Policy Set definition files are managed within the folder policySetDefinitions under Definitions. The definition files are structured based on the official Azure Initiative definition structure published by Microsoft. There are numerous definition samples available on Microsoft's GitHub repository for azure-policy.

The names of the definition JSON files don't matter, the Policy Sets are registered based on the name attribute. The solution also allows the use of JSON with comments by using .jsonc instead of .json for the file extension.

Policy Definition Groups

Optional: Policy definition groups allow custom Policy Sets to map to different regulatory compliance requirements. These will show up in the regulatory compliance blade in Azure Security Center as if they were built-in. In order to use this, the custom Policy Sets must have both policy definition groups and group names defined.

  • Policy definition groups must be pulled from a built-in Policy Set, such as the Microsoft cloud security benchmark Policy Set.
  • Policy definition groups can be imported by using importPolicyDefinitionGroups . The following imports the groups from Azure Security Benchmark.

The GitHub repo contains a JSON schema which can be used in tools such as VS Code to provide code completion.

To utilize the schema add a $schema tag to the JSON file.

  • "name" is required and should be unique. It can be a GUID or a unique short name.
  • "category" should be one of the standard ones defined in built-in Policies.
  • Custom Policies: must use policyDefinitionName. The solution constructs the policyDefinitionId based on the deploymentRootScope in global-settings.jsonc.
  • Builtin Policies: must use policyDefinitionId.
  • Do not specify an id. The solution will ignore it.
  • Make the effects parameterized

It is customary to include a category and a version in the metadata section. The category should be one of the standard ones defined in built-in Policy Sets. The version should be a semantic version number.

EPAC injects deployedBy into the metadata section. This is a string that identifies the deployment source. It defaults to epac/$pacOwnerId/$pacSelector. You can override this value in global-settings.jsonc.

Not recommended: Adding deployedBy to the metadata section in the Policy definition file will override the value for this definition only from global-settings.jsonc or default value.
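The following added example (not part of EPAC or its documentation) lints a Policy Set definition file against the rules listed above before it is committed. The function name, the `effect` parameter name and the sample definition are assumptions constructed for illustration; the file layout follows the Azure initiative definition structure with the property names used on this page.

```powershell
# Added example; the sample definition is constructed and deliberately contains rule violations.
$sampleDefinition = @'
{
  "name": "org-storage-baseline",
  "id": "/providers/Microsoft.Management/managementGroups/example-root/providers/Microsoft.Authorization/policySetDefinitions/org-storage-baseline",
  "properties": {
    "displayName": "Organization storage baseline",
    "metadata": { "category": "Storage", "version": "1.0" },
    "parameters": {
      "httpsOnlyEffect": { "type": "String", "defaultValue": "Audit" }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "httpsOnly",
        "policyDefinitionName": "org-storage-https-only",
        "parameters": { "effect": { "value": "[parameters('httpsOnlyEffect')]" } }
      },
      {
        "policyDefinitionReferenceId": "noPublicBlob",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/example-root/providers/Microsoft.Authorization/policyDefinitions/org-no-public-blob",
        "parameters": { "effect": { "value": "Deny" } }
      }
    ]
  }
}
'@

function Test-PolicySetDefinition {
    param([Parameter(Mandatory)][string] $Json)
    $def = $Json | ConvertFrom-Json
    $findings = @()

    if ([string]::IsNullOrWhiteSpace($def.name)) {
        $findings += '"name" is required and should be unique'
    }
    if ($null -ne $def.id) {
        $findings += '"id" is specified; the solution ignores it, so remove it'
    }

    $meta = $def.properties.metadata
    if ([string]::IsNullOrWhiteSpace($meta.category)) {
        $findings += 'metadata.category is missing'
    }
    if ("$($meta.version)" -notmatch '^\d+\.\d+\.\d+$') {
        $findings += "metadata.version '$($meta.version)' is not a semantic version number"
    }
    if ($meta.deployedBy) {
        $findings += 'metadata.deployedBy is set in the file and overrides the global value for this definition'
    }

    foreach ($entry in $def.properties.policyDefinitions) {
        $ref     = $entry.policyDefinitionReferenceId
        $hasName = -not [string]::IsNullOrWhiteSpace($entry.policyDefinitionName)
        $hasId   = -not [string]::IsNullOrWhiteSpace($entry.policyDefinitionId)

        if ($hasName -eq $hasId) {
            $findings += "[$ref] set exactly one of policyDefinitionName (custom) or policyDefinitionId (built-in)"
        }
        elseif ($hasId -and $entry.policyDefinitionId -notmatch
                '^/providers/Microsoft\.Authorization/policyDefinitions/[^/]+$') {
            # Built-in definition IDs carry no management group or subscription prefix.
            $findings += "[$ref] policyDefinitionId is scoped, so it is a custom Policy; use policyDefinitionName"
        }

        # Assumption: the member Policy exposes its effect through a parameter named "effect".
        $effect = $entry.parameters.effect.value
        if ($effect -is [string] -and $effect -notmatch '^\[parameters\(''[^'']+''\)\]$') {
            $findings += "[$ref] effect is hard-coded to '$effect'; pass it through a Policy Set parameter"
        }
    }
    $findings
}

$found = @(Test-PolicySetDefinition -Json $sampleDefinition)
if ($found.Count -eq 0) { 'No findings' } else { $found | ForEach-Object { "FINDING: $_" } }
```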


Accessing and assigning policies inside a policy initiative in Azure using Terraform

I have a policy initiative in Azure, consisting of multiple policies, say 30 of them together. I mean inside the policy initiative, there are 30 policies. Now, owing to terraform's azurerm_policy_set_definition, (or we can assume the policy initiative definition to already exist as well) the entire policy initiative set can be assigned using the policy_assignment block where one can pass :

Now my question is, what if I want to assign selectively among these total of 30 policies in the initiative based on some condition...for example I wish to exclude some 5 policies, (all of their separate ids are present in the initiative). I'm new to terraform and thus, it may be said that I'm looking for a kind of an "IN" equivalent w.r.t other programming languages.

Like talking of a "pythonic way", if we had an array of numbers L=[ 10, 3, 4, 5, 6, 200 ], we can access elements of this array as L[i] and check a number,x for existence in the array through " if x in L "...

In a similar way, could anyone please help me on whether policies which are members of a policy initiative set, can be accessed individually in Terraform ( for instance like in a loop through an array ) and then deployed to azure through a policy_assignment block if they meet a set of conditions ?

  • terraform-provider-azure
  • azure-policy

  • Can you provide example of your azurerm_policy_set_definition ? You have thirty sets? –  Marcin Commented Feb 15, 2021 at 12:32
  • Hii @Marcin...there exists a single policy initiative in azure and it has 30 policies defined therein. And when I pass the id of that initiative to the assignment block, the entire initiative gets assigned with 30 inside.I now want to access each of these 30 individually. –  Swarnabja Bhaumik Commented Feb 15, 2021 at 12:57
  • @Marcin, it may also be thought that the policy initiative pre-exists like we really don't need to write a azurerm_policy_set_definition for it at the moment. My doubt is regarding assignment and while the entire initiative gets assigned with a single policy_assignment block, my question is can we assign selectively...like a hypothetically desired subset of the 30 policies belonging to the initiative ? –  Swarnabja Bhaumik Commented Feb 15, 2021 at 13:20
  • Just like policy initiatives in azure are a group or collection of policies, I want to access each them individually using terraform in a kind of a loop based mechanism, is that possible @Marcin –  Swarnabja Bhaumik Commented Feb 15, 2021 at 14:53


American Psychological Association

How to cite ChatGPT

Timothy McAdoo


We, the APA Style team, are not robots. We can all pass a CAPTCHA test, and we know our roles in a Turing test. And, like so many nonrobot human beings this year, we’ve spent a fair amount of time reading, learning, and thinking about issues related to large language models, artificial intelligence (AI), AI-generated text, and specifically ChatGPT. We’ve also been gathering opinions and feedback about the use and citation of ChatGPT. Thank you to everyone who has contributed and shared ideas, opinions, research, and feedback.

In this post, I discuss situations where students and researchers use ChatGPT to create text and to facilitate their research, not to write the full text of their paper or manuscript. We know instructors have differing opinions about how or even whether students should use ChatGPT, and we’ll be continuing to collect feedback about instructor and student questions. As always, defer to instructor guidelines when writing student papers. For more about guidelines and policies about student and author use of ChatGPT, see the last section of this post.

Quoting or reproducing the text created by ChatGPT in your paper

If you’ve used ChatGPT or other AI tools in your research, describe how you used the tool in your Method section or in a comparable section of your paper. For literature reviews or other types of essays or response or reaction papers, you might describe how you used the tool in your introduction. In your text, provide the prompt you used and then any portion of the relevant text that was generated in response.

Unfortunately, the results of a ChatGPT “chat” are not retrievable by other readers, and although nonretrievable data or quotations in APA Style papers are usually cited as personal communications, with ChatGPT-generated text there is no person communicating. Quoting ChatGPT’s text from a chat session is therefore more like sharing an algorithm’s output; thus, credit the author of the algorithm with a reference list entry and the corresponding in-text citation.

When prompted with “Is the left brain right brain divide real or a metaphor?” the ChatGPT-generated text indicated that although the two brain hemispheres are somewhat specialized, “the notation that people can be characterized as ‘left-brained’ or ‘right-brained’ is considered to be an oversimplification and a popular myth” (OpenAI, 2023).

OpenAI. (2023). ChatGPT (Mar 14 version) [Large language model]. https://chat.openai.com/chat

You may also put the full text of long responses from ChatGPT in an appendix of your paper or in online supplemental materials, so readers have access to the exact text that was generated. It is particularly important to document the exact text created because ChatGPT will generate a unique response in each chat session, even if given the same prompt. If you create appendices or supplemental materials, remember that each should be called out at least once in the body of your APA Style paper.

When given a follow-up prompt of “What is a more accurate representation?” the ChatGPT-generated text indicated that “different brain regions work together to support various cognitive processes” and “the functional specialization of different regions can change in response to experience and environmental factors” (OpenAI, 2023; see Appendix A for the full transcript).

Creating a reference to ChatGPT or other AI models and software

The in-text citations and references above are adapted from the reference template for software in Section 10.10 of the Publication Manual (American Psychological Association, 2020, Chapter 10). Although here we focus on ChatGPT, because these guidelines are based on the software template, they can be adapted to note the use of other large language models (e.g., Bard), algorithms, and similar software.

The reference and in-text citations for ChatGPT are formatted as follows:

  • Parenthetical citation: (OpenAI, 2023)
  • Narrative citation: OpenAI (2023)

Let’s break that reference down and look at the four elements (author, date, title, and source):

Author: The author of the model is OpenAI.

Date: The date is the year of the version you used. Following the template in Section 10.10, you need to include only the year, not the exact date. The version number provides the specific date information a reader might need.

Title: The name of the model is “ChatGPT,” so that serves as the title and is italicized in your reference, as shown in the template. Although OpenAI labels unique iterations (i.e., ChatGPT-3, ChatGPT-4), they are using “ChatGPT” as the general name of the model, with updates identified with version numbers.

The version number is included after the title in parentheses. The format for the version number in ChatGPT references includes the date because that is how OpenAI is labeling the versions. Different large language models or software might use different version numbering; use the version number in the format the author or publisher provides, which may be a numbering system (e.g., Version 2.0) or other methods.

Bracketed text is used in references for additional descriptions when they are needed to help a reader understand what’s being cited. References for a number of common sources, such as journal articles and books, do not include bracketed descriptions, but things outside of the typical peer-reviewed system often do. In the case of a reference for ChatGPT, provide the descriptor “Large language model” in square brackets. OpenAI describes ChatGPT-4 as a “large multimodal model,” so that description may be provided instead if you are using ChatGPT-4. Later versions and software or models from other companies may need different descriptions, based on how the publishers describe the model. The goal of the bracketed text is to briefly describe the kind of model to your reader.

Source: When the publisher name and the author name are the same, do not repeat the publisher name in the source element of the reference, and move directly to the URL. This is the case for ChatGPT. The URL for ChatGPT is https://chat.openai.com/chat. For other models or products for which you may create a reference, use the URL that links as directly as possible to the source (i.e., the page where you can access the model, not the publisher’s homepage).

Other questions about citing ChatGPT

You may have noticed the confidence with which ChatGPT described the ideas of brain lateralization and how the brain operates, without citing any sources. I asked for a list of sources to support those claims and ChatGPT provided five references—four of which I was able to find online. The fifth does not seem to be a real article; the digital object identifier given for that reference belongs to a different article, and I was not able to find any article with the authors, date, title, and source details that ChatGPT provided. Authors using ChatGPT or similar AI tools for research should consider making this scrutiny of the primary sources a standard process. If the sources are real, accurate, and relevant, it may be better to read those original sources to learn from that research and paraphrase or quote from those articles, as applicable, than to use the model’s interpretation of them.

We’ve also received a number of other questions about ChatGPT. Should students be allowed to use it? What guidelines should instructors create for students using AI? Does using AI-generated text constitute plagiarism? Should authors who use ChatGPT credit ChatGPT or OpenAI in their byline? What are the copyright implications?

On these questions, researchers, editors, instructors, and others are actively debating and creating parameters and guidelines. Many of you have sent us feedback, and we encourage you to continue to do so in the comments below. We will also study the policies and procedures being established by instructors, publishers, and academic institutions, with a goal of creating guidelines that reflect the many real-world applications of AI-generated text.

For questions about manuscript byline credit, plagiarism, and related ChatGPT and AI topics, the APA Style team is seeking the recommendations of APA Journals editors. APA Style guidelines based on those recommendations will be posted on this blog and on the APA Style site later this year.

Update: APA Journals has published policies on the use of generative AI in scholarly materials.

We, the APA Style team humans, appreciate your patience as we navigate these unique challenges and new ways of thinking about how authors, researchers, and students learn, write, and work with new technologies.

American Psychological Association. (2020). Publication manual of the American Psychological Association (7th ed.). https://doi.org/10.1037/0000165-000


Set-RoleAssignmentPolicy

This cmdlet is available in on-premises Exchange and in the cloud-based service. Some parameters and settings may be exclusive to one environment or the other.

Use the Set-RoleAssignmentPolicy cmdlet to modify existing management role assignment policies in your organization.

For information about the parameter sets in the Syntax section below, see Exchange cmdlet syntax.

Description

You can use the Set-RoleAssignmentPolicy cmdlet to change the name of an assignment policy or to set the assignment policy as the default assignment policy.

For more information about assignment policies, see Understanding management role assignment policies.

You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet.

This example changes the default assignment policy. New mailboxes or mailboxes moved from previous versions of Exchange are assigned the default assignment policy when an explicit assignment policy isn't provided.

-Confirm

The Confirm switch specifies whether to show or hide the confirmation prompt. How this switch affects the cmdlet depends on whether the cmdlet requires confirmation before proceeding.

  • Destructive cmdlets (for example, Remove-* cmdlets) have a built-in pause that forces you to acknowledge the command before proceeding. For these cmdlets, you can skip the confirmation prompt by using this exact syntax: -Confirm:$false.
  • Most other cmdlets (for example, New-* and Set-* cmdlets) don't have a built-in pause. For these cmdlets, specifying the Confirm switch without a value introduces a pause that forces you to acknowledge the command before proceeding.

Type: SwitchParameter
Aliases: cf
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
Applies to: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online

-Description

The Description parameter specifies the description that's displayed when the role assignment policy is viewed using the Get-RoleAssignmentPolicy cmdlet. Enclose the description in quotation marks (").

Type: String
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
Applies to: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online

-DomainController

This parameter is available only in on-premises Exchange.

The DomainController parameter specifies the domain controller that's used by this cmdlet to read data from or write data to Active Directory. You identify the domain controller by its fully qualified domain name (FQDN). For example, dc01.contoso.com.

The DomainController parameter isn't supported on Edge Transport servers. An Edge Transport server uses the local instance of Active Directory Lightweight Directory Services (AD LDS) to read and write data.

Type: Fqdn
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
Applies to: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019

-Identity

The Identity parameter specifies the name of the assignment policy to modify. If the name contains spaces, enclose the name in quotation marks (").

Type: MailboxPolicyIdParameter
Position: 1
Default value: None
Required: True
Accept pipeline input: True
Accept wildcard characters: False
Applies to: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online

-IsDefault

The IsDefault switch makes the assignment policy the default assignment policy. You don't need to specify a value with this switch.

New mailboxes or mailboxes moved from previous versions of Exchange are assigned the default assignment policy when an explicit assignment policy isn't provided.

Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
Applies to: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online

-Name

The Name parameter specifies the new name of the assignment policy. If the assignment policy name contains spaces, enclose the name in quotation marks ("). The maximum length of the name is 64 characters.

-WhatIf

The WhatIf switch simulates the actions of the command. You can use this switch to view the changes that would occur without actually applying those changes. You don't need to specify a value with this switch.

Type: SwitchParameter
Aliases: wi
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
Applies to: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online

Input types

To see the input types that this cmdlet accepts, see Cmdlet Input and Output Types. If the Input Type field for a cmdlet is blank, the cmdlet doesn't accept input data.

Output types

To see the return types, which are also known as output types, that this cmdlet accepts, see Cmdlet Input and Output Types. If the Output Type field is blank, the cmdlet doesn't return data.


COMMENTS

  1. Policy sets

    Creating a policy set enables you to select many different objects at once, and assign them from a single place. As your organization changes, you can revisit a policy set to add or remove its objects and assignments. You can use a policy set to associate and assign existing objects, such as apps, policies, and VPNs in a single package.

  2. Using policy sets to group objects

    Open the Microsoft Endpoint Manager admin center portal and navigate to Devices > Policy sets to open the Policy sets blade. On the Policy sets blade, select Policy sets and click Create to open the Create a policy set wizard. On the Basics page, provide the following information (see Figure 1) and click Next: Application management.

  3. policy sets, assignment,processing rules. Best Practise

    The individual assignments of policies within the set are overridden by the policy set assignment. In this scenario, DeviceA would receive settings from CP_setting1, CP_setting2, and CP_setting3, while the Kiosk device would not receive any of these settings due to the exclusion at the policy set level. Importantly, after the policy set is ...

  4. S01E28

    S01E28 - How to Configure Policy Sets in Microsoft Intune - (I.T) Published: Feb 11, 2020 by Intune.Training. Steve and Adam discuss how to use the new Policy Sets feature in Microsoft Intune to target groups settings/config/policies to devices/users. 00:00 - Intro. 01:17 - Policy sets overview.

  5. Microsoft Endpoint Manager

    Historically this is achieved by uniquely assigning each item to respective groups and letting Intune deploy the assignments accordingly. In some cases, though, it makes sense to group configurations together and apply them as a unit to help arrive at that minimal required configuration set in a more planned and rational way. Policy Sets help ...

  6. Intune Training: Exploring Policy Sets in Microsoft Intune

    To access policy sets in Microsoft Intune, navigate to the In Tune button in your web browser. Scroll down to find the "Policy Sets" section. If you don't see it immediately, don't worry. It may take a moment to load, especially if you're using the preview version. Once loaded, you can start exploring policy sets and planning your ...

  7. Details of the policy assignment structure

    If enforcementMode isn't specified in a policy or initiative definition, the value Default is used. Remediation tasks can be started for deployIfNotExists policies, even when enforcementMode is set to DoNotEnforce. Excluded scopes. The scope of the assignment includes all child resource containers and child resources. If a child resource container or child resource shouldn't have the ...

  8. Bicep and Azure Policy: Create an Azure Policy Set (or Policy

    A policy Set (or Initiative) is a collection of Azure policies. It simplifies the life cycle of these policies (adding or removing policies) and assignments where you apply the Initiative to a scope (subscriptions or management group). A Policy Set is a JSON definition that contains several properties. A display name (limited to 128 characters ...

  9. az policy assignment

    az policy assignment create --name myPolicy --policy {PolicyName} --mi-system-assigned --location eastus. Create a resource policy assignment with a system assigned identity. The identity will have 'Contributor' role access to the subscription.

  10. What are Intune Policy Sets?

    The policy set functionality can be found under Devices in the new setup of the Intune portal. Go to Devices and choose Policy sets (Preview) Policy Sets. You can create a policy set, by clicking on "+ Create" on the Policy sets page, which will start a wizard guiding you to creating your first policy set. Create Policy Set Wizard.

  11. [Examples] Create Custom Policies Policy Sets and Assignments

    In your /lib directory create a policy_set_definitions subdirectory. NOTE: Creating a policy_set_definitions subdirectory is a recommendation only. If you prefer not to create one or to call it something else, the custom policies will still work. In the policy_set_definitions subdirectory, create a policy_set_definition_enforce_mandatory_tags.json file. This file will contain the Policy Set ...

  12. Intune Policy Sets Collection Of Workflows Admin Friendly

    App protection policies - Select one or more Intune APP. Intune Policy Sets Collection of Workflows Admin Friendly MEM - Fig.3. Device Management. Device configuration profiles - Select device configuration profiles. Device compliance policies - Select the compliance policies you want to be part of the policy set.

  13. Bicep and Azure Policy: Manage Policy and Initiative Assignment

    This time, the post will focus on policy assignments with Azure Bicep and PowerShell. Policy assignment enforces a policy and a policy set at a given scope, management group, or subscription. This is where policies are applied to target resources. A policy Assignment object has several properties: A non-compliance object.

  14. Azure Policy: Starter Guide

    As a matter of caution, set the policy 'enforcementMode' parameter into the disabled state when creating assignments for your tested policies so you can safely audit their work results. Secondly, be aware that Azure Policy assignments don't come into effect immediately. There is a policy evaluation delay, which is around 30 minutes or so ...

  15. Policy sets

    Use policy sets to group collections of management objects. Article 03/06/2023; 7 contributors Feedback. In this article ...

  16. Policy Assignment Files

    Generate the CSV file from your already deployed Assignment (s) or Policy Set (s). Modify the effect and parameter columns for each type of environment types you will use. Modify the Policy Assignment file to reference the CSV file and the column prefix. Update the CSV file with the new effect and parameter values.

  17. Tutorial: Build policies to enforce compliance

    Select Assignments on the left side of the Azure Policy page. An assignment is a policy that has been assigned to take place within a specific scope. Select Assign Policy from the top of the Policy | Assignments page. On the Assign Policy page and Basics tab, select the Scope by selecting the ellipsis and selecting either a management group or ...

  18. Policy Set Definitions

    In order to use this, the custom Policy Sets must have both policy definition groups and group names defined. Policy definition groups must be pulled from a built-in Policy Sets, such as, the Microsoft cloud security benchmark Policy Set. Policy definition groups can be imported by using importPolicyDefinitionGroups. The following imports the ...

  19. Assigning the Policy Set(Azure Initiative) using Powershell

    But I want to assign a policy set, how can I assign a policy set using Powershell? azure; powershell; azure-policy

  20. Understanding Group Policies: User Rights Assignment Policies

    User Rights Assignment is one of those meat and potatoes features of the operating system that we all have a cursory understanding of but rarely think about in depth. User rights include logon rights and permissions. Logon rights control who is authorized to log on to a device and how they can log on. User rights permissions control access to ...

  21. Accessing and assigning policies inside a policy initiative in Azure

    I mean inside the policy initiative, there are 30 policies. Now, owing to terraform's azurerm_policy_set_definition, (or we can assume the policy initiative definition to already exist as well) the entire policy initiative set can be assigned using the policy_assignment block where one can pass :

  22. Quickstart: Create policy assignment using Azure portal

    The DeployIfNotExist and AuditIfNotExist effects require the IF statement to be TRUE and the existence condition to be FALSE to be non-compliant. When TRUE, the IF condition triggers evaluation of the existence condition for the related resources. Clean up resources. You can delete a policy assignment from Compliance or from Assignments. To remove the policy assignment created in this ...

  23. The Comstock Act: Implications for Abortion Care Nationwide

    KFF Headquarters: 185 Berry St., Suite 2000, San Francisco, CA 94107 | Phone 650-854-9400 Washington Offices and Barbara Jordan Conference Center: 1330 G Street, NW, Washington, DC 20005 | Phone ...

  24. How to cite ChatGPT

    OpenAI describes ChatGPT-4 as a "large multimodal model," so that description may be provided instead if you are using ChatGPT-4. Later versions and software or models from other companies may need different descriptions, based on how the publishers describe the model. The goal of the bracketed text is to briefly describe the kind of model ...

  25. Set-RoleAssignmentPolicy (ExchangePowerShell)

    Description. You can use the Set-RoleAssignmentPolicy cmdlet to change the name of an assignment policy or to set the assignment policy as the default assignment policy. For more information about assignment policies, see Understanding management role assignment policies. You need to be assigned permissions before you can run this cmdlet.