What is the point of having double negatives in Azure policy?

Gregory Suvalian 186 Reputation points
2020-05-19T16:52:08.54+00:00

I'm trying to make sense of the Microsoft built-in policy for Security Center which verifies custom subscription owner roles, and it has the following as part of the condition.
What is the point of having the code below? Why not just use a single "in" condition instead of "not": "notIn"?

{
  "not": {
    "field": "Microsoft.Authorization/roleDefinitions/assignableScopes[*]",
    "notIn": [
      "[concat(subscription().id,'/')]",
      "[subscription().id]",
      "/"
    ]
  }
}

Accepted answer
DCtheGeek-MSFT 451 Reputation points Microsoft Employee
2020-05-19T19:05:24.7+00:00

The complexity around this is the [*] alias, which indicates an array of elements. A simple in comparison requires that all array elements validate true. A not and notIn combination (double negative) can be used for evaluating one or more matches (as opposed to all or none). There's a table in the docs that shows the different combinations of conditions and the scenarios they work with: https://learn.microsoft.com/azure/governance/policy/how-to/author-policies-for-arrays#evaluating-the--alias

Going forward, I would recommend using the count expression for your [*] alias use instead. count gives improved control over the none/some/all scenarios and makes other scenarios possible as well. Additionally, it can evaluate a set of properties on a single alias with different conditions. For more information and examples of count, see: https://learn.microsoft.com/azure/governance/policy/concepts/definition-structure#count

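The all/some rule the answer describes, modelled in Python as an added example (not code from the page or from Azure Policy itself): a plain "in" on the [*] alias only fires when every assignableScope is in the list, while "not"/"notIn" fires when at least one is, which is what a check for roles assignable at the subscription needs. The subscription id and the role scopes are constructed sample data.

```python
# Added example: a small Python model of how a [*] alias condition is evaluated,
# following the all/some rule given in the answer. Not code from the page or from
# Azure Policy. SUBSCRIPTION_ID and the role scopes below are constructed sample data.

SUBSCRIPTION_ID = "/subscriptions/00000000-0000-0000-0000-000000000000"
# The three values from the policy's notIn list, with subscription().id filled in.
ALLOWED = [SUBSCRIPTION_ID + "/", SUBSCRIPTION_ID, "/"]

def evaluate_star_alias(values, condition, expected, negate=False):
    """Evaluate a [*] alias condition without count: the condition must hold for
    every array element ('in' -> all elements in the list, 'notIn' -> no element
    in the list). Wrapping it in 'not' flips that to 'at least one element fails'.
    Assumes a non-empty array; empty-array behaviour is not modelled here."""
    if condition == "in":
        result = all(v in expected for v in values)
    elif condition == "notIn":
        result = all(v not in expected for v in values)
    else:
        raise ValueError(f"unsupported condition: {condition}")
    return (not result) if negate else result

def count_matching(values, condition, expected):
    """Model of a count expression with a 'where' clause: how many elements
    individually satisfy the condition. The caller compares it with a threshold."""
    if condition == "in":
        return sum(1 for v in values if v in expected)
    if condition == "notIn":
        return sum(1 for v in values if v not in expected)
    raise ValueError(f"unsupported condition: {condition}")

def scope_touches_subscription(assignable_scopes):
    """The policy's double negative: not(notIn) means 'at least one
    assignableScope is the subscription or the root scope'."""
    return evaluate_star_alias(assignable_scopes, "notIn", ALLOWED, negate=True)

# Constructed roles: one assignable at the subscription and at a resource group,
# one assignable only at a resource group.
MIXED_SCOPES = [SUBSCRIPTION_ID, SUBSCRIPTION_ID + "/resourceGroups/rg-example"]
RG_ONLY_SCOPES = [SUBSCRIPTION_ID + "/resourceGroups/rg-example"]

if __name__ == "__main__":
    # A plain 'in' needs every scope in the list, so the mixed role is missed...
    print("in:", evaluate_star_alias(MIXED_SCOPES, "in", ALLOWED))  # False
    # ...whereas not/notIn (one or more matches) catches it.
    print("not notIn:", scope_touches_subscription(MIXED_SCOPES))  # True
    print("not notIn, rg only:", scope_touches_subscription(RG_ONLY_SCOPES))  # False
    # The same 'some' check written with count: count(where in) greater than 0.
    print("count > 0:", count_matching(MIXED_SCOPES, "in", ALLOWED) > 0)  # True
```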
