Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
Azure policy - how to apply a policy on specific resources
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(137.6, 44%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
MarcVanderhaegen
286
Reputation points
Hello,
I would like to test the new CIS Security Benchmarks for Windows Server by deploying the policy but only on a few resources. (arc onboarded machines)
How is this possible ?
In the Basics of the policy assignment, you can choose the scope but you can only select a susbcription and a resource group, you can not select specific resources.
On the contrary, in the Exclusions, you can go down from subscription to specific resources.
So what I try is selecting my resource group and in the exclusion selecting on all the resources from the resource group except my few test machines.
Unfortunately this doesn't work; when selecting Review+Create I get an error message 'The request contant could not be read. Internal Error : request body too large'
I am sure it come from the fact that I have 16836 resources in the exclusions.
Here is a screenshot :
But even if it was working i would be the right way to do it because if a new resource was added to the resource group it would automatically get the policy as it wouldn't have been added to the exclusions.
So what is the best way to achieve this ?
Thanks for your help
Marc
Azure Policy
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 68%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBY%3C/text%3E%3C/svg%3E)
Bharath Y P 9,215 Reputation points Microsoft External Staff Moderator2026-06-02T07:44:04.4833333+00:00 Hello MarcVanderhaegen, thank you for posting your query on Microsoft Q&A platform.
We are looking into your issue and will keep you posted updates. Thanks
-
MarcVanderhaegen 286 Reputation points
2026-06-02T09:12:37.7533333+00:00 Thank you.
Just to let you know that changing the specific devices from resource group is not an option for us as it would be too complicated to adapt all our processes in place to manage devices in multiple resource groups. -
MarcVanderhaegen 286 Reputation points
2026-06-02T10:24:30.7766667+00:00 Hello,
I have found a workaround to my problem.
By going on each machine individually it is possible to assign a policy and at this moment the scope is directly the resource.
For example, I went in Arc and selected a machine, went to Operations - Policy and then I was able to apply the CIS benchmark only to this machine.
It is not the way I was looking for but for now it is ok.
Isn't it possible for Microsoft to offer the same possibilites as in Azure Update Manager ? In Azure Update Manager you have the option to choose dynamic scopes and/or select direct resources. That would be a nice addon.Marc
-
Bharath Y P 9,215 Reputation points Microsoft External Staff Moderator
2026-06-02T10:43:07.7633333+00:00 Hello MarcVanderhaegen, thank you for your update, Currently, Azure Policy doesn’t support dynamic scoping similar to Azure Update Manager. Policy assignments are based on a static scope model (management group, subscription, resource group, or resource), and dynamic grouping of resources based on filters like tags isn’t supported at assignment time.Azure Update Manager uses a different approach, where scopes can be dynamically evaluated at runtime based on defined criteria, which provides more flexibility for operational tasks such as patching.
Currently, this capability is not available in Azure Policy. Policy assignments are based on a static scope model (management group, subscription, resource group, or individual resource), and dynamic scoping similar to Azure Update Manager is not supported today.
However, your feedback is valid and aligns with a known feature gap, and similar enhancements are being tracked internally.
In the meantime, we encourage you to share this requirement directly with the product team through the Azure Feedback Portal. Your input helps drive product improvements and prioritize new features. You can submit your feedback here: Azure Feedback Portal
Thank you for taking the time to provide this valuable suggestion.
-
MarcVanderhaegen 286 Reputation points
2026-06-02T14:07:07.0266667+00:00 Hello @Bharath Y P
Thanks for your answer, i will submit a feedback for this as you suggested.
I will also create another post about this because even if I was able to deploy the policy to a single machine, it doesn't seem to be applied correctly and I don't get any result. -
Bharath Y P 9,215 Reputation points Microsoft External Staff Moderator
2026-06-03T01:30:49.8133333+00:00 Hello MarcVanderhaegen, Thanks for the update, Hope the information shared was helpful. If so, please consider accepting the answer and upvoting. Feel free to reach out if you need any further assistance. Thank you.
Sign in to comment
Sign in to answer