Azure Blueprints
An Azure service that provides templates for quick, repeatable creation of fully governed cloud subscriptions.
70 questions
Not getting the excludedActions on an Azure Bluerprint to work
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(268.8, 97%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EES%3C/text%3E%3C/svg%3E)
Erwin Staal
1
Reputation point MVP
Hi all,
I'm deploying a Blueprint that contains a Recovery Services Vault. That Blueprint gets the read only lock. Now I want others, who are contributor on the particular resource group, to be able to still add a machine to that Recovery Services Vault. I therefore added the following action to the list of excludedActions on the blueprint: 'Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write' like so:
"locks": {
"mode": "AllResourcesReadOnly",
"excludedActions": [
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write"
]
}
I however still get the error message saying that the deny assignment is blocking me from doing that. Nor do I see the above action in the deny assignment on the resource group as an exclusion.
Redacted error:
The client ‘<me>’ with object id '' has permission to perform action 'Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/write' on scope '/subscriptions/<sub>/resourcegroups/<group>/providers/Microsoft.RecoveryServices/vaults/<VaultName>/backupFabrics/Azure/protectionContainers/<item>/protectedItems/<item>’; however, the access is denied because of the deny assignment with name 'Deny assignment ‘<assignmentId>’ created by Blueprint Assignment '/providers/Microsoft.Management/managementGroups/<group>/providers/Microsoft.Blueprint/blueprintAssignments/<sub>-LockedBlueprintAssignment'.' and Id ‘<assignmentId>’ at scope '/subscriptions/<subId>/resourceGroups/<group>/providers/Microsoft.RecoveryServices/vaults/<vaultName>’.
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 39%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
SwathiDhanwada-MSFT 17,726 Reputation points2021-03-25T16:07:13.08+00:00 @Erwin Staal Welcome to Microsoft Q & A Community Forum. Are you still being prompted with the issue ? Also, can you please let me know if you have waited for 30 min to test if the lock is working or not ? Sometimes, due to cache you may have been prompted with an error. Kindly check and revert if you have further questions.
-
SwathiDhanwada-MSFT 17,726 Reputation points
2021-03-30T08:13:23.077+00:00 @Erwin Staal Did you get chance to check my previous comment ? Kindly revert if you are still facing the issue.
Sign in to comment