Azure Policy - Remediation task not running on newly deployed resource

Inbal Silis 116 Reputation points Microsoft Employee
2023-03-26T11:31:59.9533333+00:00

Hi.

I created a new policy that assigns a data collection EP to a VM inside an existing data collection rule.

I provided this policy to my customer.

The policy runs on existing VMs in the data collection rule, but when the customer creates a new VM, the policy marks the VM as non-compliant.

When the customer creates a remediation task, the remediation task manages to assign the data collection endpoint to the VMs and the policy works!

Any idea why the policy can work only in manual remediation mode?

This is the policy the customer is running:

https://github.com/inbalsilis/Defender-Policy/blob/main/AMPLS/Policy/%5BAMPLS%20Custom%5D:%20Configure%20Ass%20to%20link%20Azure%20Arc%20to%20user-defined%20Microsoft%20Defender%20for%20Cloud%20Data%20Collection%20Rule%20and%20EP


2 answers

  1. Patchfox 3,806 Reputation points
    2023-03-26T17:55:52.2733333+00:00

    Hi Inbal Silis, I hope I can help you with this question.

    Remediation tasks are performed automatically only on newly created resources.

    For already existing resources, the policy for the "DeployIfNotExists" effect always evaluates only the state but does not perform any remediation tasks automatically - unless it is explicitly specified when assigning the policy (but then it also runs only once). Remediation can thereby be executed purposefully on certain resources.

    Generally, there are 3 options to perform a remediation.

    1.) From the Remediation page

    2.) From a non-compliant policy assignment

    3.) during policy assignment (as already mentioned)

    You can find more information on the following page:

    https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources?tabs=azure-portal


    If the reply was helpful, please don’t forget to upvote or accept it as an answer, thank you.


  2. AnuragSingh-MSFT 21,236 Reputation points
    2023-03-27T11:27:48.8333333+00:00

    @Inbal Silis, please note that the deployment to a new resource being created does not happen through a "remediation task". A remediation task is only used to remediate existing resources, or resources for which deployment could not be done through the DeployIfNotExists effect after they were marked non-compliant.

    The deployment through Azure Policy's DeployIfNotExists depends on the EvaluationDelay property. It is optional, and in the absence of this property a delay of 10 minutes is considered for evaluation and deployment. One of the reasons for the deployment not to have taken effect is that you are checking the resource right after creation. In the absence of the EvaluationDelay property, it will take at least 10 minutes (default) for the deployment to start.

    Another case could be that the policy was saved/assigned at Management Group scope. In such a case, the identity associated with the deployment template does not get the correct permission associated with it, OR the permission could not be granted when the policy was being assigned (due to lack of permission of the policy assigner). The evaluation works, but it would put the resources in a non-compliant state and a manual remediation task is required to remedy them.

    Please check if the scenario falls under either of the 2 criteria.

    If the answer did not help, please add more context/follow-up question for it, and we will help you out, else please click Accept answer so that it can help others in the community looking for help on similar topics.
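The two causes named in the answer above (no explicit evaluationDelay, so the 10-minute default applies, and an assignment identity with no role for the deployment) can be checked directly in a DeployIfNotExists definition's `then.details` block. The following is an added example, not code from the question or from the linked repository; the policy JSON is a constructed, trimmed sample, `check_dine_policy` and `with_details` are hypothetical helper names, and the role definition id used to fix it is a placeholder.

```python
import copy
import json

# Constructed sample (not the policy from the question): a trimmed DeployIfNotExists
# definition in Azure Policy's properties.policyRule shape. It omits evaluationDelay
# and lists no roleDefinitionIds, the two settings the answer above points at.
SAMPLE_POLICY = json.loads("""
{
  "properties": {
    "policyRule": {
      "if": {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
      "then": {
        "effect": "DeployIfNotExists",
        "details": {
          "type": "Microsoft.Insights/dataCollectionRuleAssociations",
          "roleDefinitionIds": []
        }
      }
    }
  }
}
""")

DEFAULT_DELAY = "PT10M"  # delay Azure Policy applies when evaluationDelay is absent


def check_dine_policy(policy: dict) -> dict:
    """Report the details settings that decide whether a DINE policy deploys on new resources."""
    then = policy["properties"]["policyRule"]["then"]
    details = then.get("details", {})
    result = {
        "effect": then["effect"],
        "evaluation_delay": details.get("evaluationDelay", DEFAULT_DELAY),
        "role_definition_ids": list(details.get("roleDefinitionIds", [])),
        "issues": [],
    }
    if then["effect"].lower() != "deployifnotexists":
        result["issues"].append("effect is not DeployIfNotExists; nothing is deployed automatically")
    if "evaluationDelay" not in details:
        result["issues"].append("evaluationDelay absent: deployment starts only after the default " + DEFAULT_DELAY)
    if not result["role_definition_ids"]:
        result["issues"].append("roleDefinitionIds empty: the assignment identity is granted no role for the deployment")
    return result


def with_details(policy: dict, evaluation_delay: str, role_definition_ids: list) -> dict:
    """Return a copy of the policy with an explicit evaluationDelay and the roles the identity needs."""
    fixed = copy.deepcopy(policy)
    details = fixed["properties"]["policyRule"]["then"]["details"]
    details["evaluationDelay"] = evaluation_delay  # e.g. AfterProvisioningSuccess or an ISO 8601 duration
    details["roleDefinitionIds"] = role_definition_ids
    return fixed
```

Running `check_dine_policy` on an exported definition shows the effective delay and whether the identity will receive a role; `with_details` produces the corrected copy to re-deploy.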