Azure Default Policy preventing us creating or amending resources

Graham Thackery 6 Reputation points
2024-05-29T09:55:57.41+00:00

Came into work after a weekend, and we noticed that Azure resources (VMs, AVD, Storage accounts etc.) would not let us create or amend settings because of a deny error with the Azure Default Policy (error below).

Resource '#########' was disallowed by policy. Policy identifiers: '[{"policyAssignment":{"name":"Default Azure Policy","id":"/subscriptions/########-#####-####-####-############/providers/Microsoft.Authorization/policyAssignments/#######-####-####-####-############"},"policyDefinition":{"name":"#######-####-####-####-#########","id":"/subscriptions/#######-####-####-####-#########/providers/Microsoft.authorization/policyDefinitions/#######-####-####-####-#########"}}]'. (Code: RequestDisallowedByPolicy, Target: ###-AVD-####-####)

Checking the compliance screen shows the policy is non-compliant, however when I click into the policy, there are no resources shown, and it says we are compliant.

I must admit, this is a grey area for me so not sure what it should look like anyway, but to the best of my knowledge, nothing has changed and unfortunately, I am completely stumped on how best to resolve this.

Any help or advice the forum can give, would be very appreciated.

Thanks

Graham

Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.

1 answer

  1. William 540 Reputation points
    2024-05-29T13:18:23.0433333+00:00

    I understand how frustrating it can be to encounter issues like this, especially after a weekend. It seems you’re encountering a RequestDisallowedByPolicy error related to the Azure Default Policy, which is preventing you from creating or amending resources in your Azure environment.

    Check the Activity Log in the Azure portal to see if there were any recent changes to the policy assignments or definitions. This can help identify if someone made changes that could have caused the issue.

    The error message includes a policyAssignment and policyDefinition. Take note of these details as they will help you pinpoint the specific policy causing the issue.

    In your case, the error message indicates that the resource was disallowed by a specific policy assignment. The policy identifiers provide details about the policy that caused the issue.

    Scenario 1: Changing Minimum TLS Version:

    Let’s consider an example where you tried to change the “Minimum TLS version” from “Version 1.2” to “Version 1.1,” but the operation failed.

    The error message likely points to a specific policy (policy ID: fe83a0eb-a853-422d-aac2-1bffd182c5d0) that enforces a minimum TLS version of 1.2 or higher.

    To resolve this:

    - Keep the minimum TLS version unchanged (recommended).
    - Remove or disable the policy assignment (consult your policy admin).
    - Create a policy exemption (consult your policy admin).

    Scenario 2: Non-Compliant Resources:

    You mentioned that the compliance screen shows the policy as non-compliant, but when you check the policy details, no resources are displayed.

    To investigate further:

    - Ensure you’re looking at the correct policy assignment.
    - Check the compliance status for the specific policy by selecting “Non-compliant” in the drop-down list.
    - Click “Details” to review compliance details.

    Next Steps:

    - Verify the policy assignment and definition associated with the error.
    - Understand the policy requirements (e.g., minimum TLS version) and compare them with your resource settings.

    If you’re unsure, consider reaching out to your organization’s Azure experts or support team for further assistance. I hope this helps you troubleshoot the issue.

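The answer's step of noting the policyAssignment and policyDefinition from the error can be scripted. The following is an added example, not part of the original answer or any Microsoft tooling: it pulls the identifiers out of a RequestDisallowedByPolicy message and, going slightly beyond the answer, reports the assignment's scope and whether the definition ID is a built-in or a custom one (built-in definition IDs have no scope prefix). The sample message is constructed with placeholder IDs in the shape of the error in the question, and the function names are hypothetical.

```python
import json
import re

# Constructed sample: same shape as the error in the question, placeholder IDs only.
SUB = "00000000-0000-0000-0000-000000000000"
IDENTIFIERS = [{
    "policyAssignment": {
        "name": "Default Azure Policy",
        "id": f"/subscriptions/{SUB}/providers/Microsoft.Authorization"
              "/policyAssignments/11111111-1111-1111-1111-111111111111"},
    "policyDefinition": {
        "name": "22222222-2222-2222-2222-222222222222",
        "id": f"/subscriptions/{SUB}/providers/Microsoft.authorization"
              "/policyDefinitions/22222222-2222-2222-2222-222222222222"},
}]
SAMPLE_ERROR = (
    "Resource 'example-host' was disallowed by policy. Policy identifiers: '"
    + json.dumps(IDENTIFIERS, separators=(",", ":"))
    + "'. (Code: RequestDisallowedByPolicy, Target: example-host)"
)

# Everything before this segment of a policy resource ID is its scope.
ID_SPLIT = re.compile(r"/providers/Microsoft\.Authorization/policy\w+/", re.I)

def definition_origin(definition_id):
    """Built-in definitions have no scope prefix; custom ones carry one."""
    scope = ID_SPLIT.split(definition_id)[0]
    return "built-in" if not scope else f"custom ({scope})"

def parse_policy_denial(message):
    """Return one dict per policy that denied the request."""
    marker = message.find("Policy identifiers:")
    start = message.find("[", marker) if marker >= 0 else -1
    if start < 0:
        raise ValueError("no 'Policy identifiers' JSON array in message")
    # raw_decode parses the array and ignores the text that follows it.
    entries, _ = json.JSONDecoder().raw_decode(message, start)
    results = []
    for entry in entries:
        a_id = entry.get("policyAssignment", {}).get("id", "")
        d_id = entry.get("policyDefinition", {}).get("id", "")
        results.append({
            "assignment_name": entry.get("policyAssignment", {}).get("name"),
            "assignment_scope": ID_SPLIT.split(a_id)[0],
            "definition_id": d_id,
            "definition_origin": definition_origin(d_id) if d_id else "unknown",
        })
    return results
```

For the sample, the result shows a subscription-scoped assignment pointing at a custom definition in the same subscription, which is the definition to open in the portal and the scope to filter the Activity Log on.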