In Azure Pipelines; why does ARM template deployment create Azure resources when deployment mode is 'Validation'?

Question

I am experimenting a bit with infrastructure as code using Bicep.

I have a few resources defined in a Bicep template. The resources are deployed to Azure using the task AzureResourceManagerTemplateDeployment@3 in Azure Pipelines.

In that task you can define a deploymentMode: Validation, Incremental or Complete.

Before actually deploying the resources with deploymentMode: 'Incremental', I wanted to validate the template with deploymentMode: 'Validation'. Unexpectedly, the defined resources were created. To my understanding, Validation will create the resource group if it does not exist, but not the resources.

Just to add to the above: If the resources already existed, Validation did not override them in any way, as expected.

The resources in question are an Azure Container App and its Container App Environment.

This is the pipeline task in question and how I use it:

          - task: AzureResourceManagerTemplateDeployment@3
            inputs:
              deploymentScope: 'Resource Group'
              action: 'Create Or Update Resource Group'
              resourceGroupName: '$(resourceGroup)'
              location: '$(azureRegion)'
              templateLocation: 'Linked artifact'
              csmFile: '$(templateFile)'
              csmParametersFile: '$(parametersFile)'
              overrideParameters: >
                -uamiResourceId "$(uamiResourceId)"
                -azureRegion "$(azureRegion)"
                -containerAppName "$(containerAppName)"
                -containerAppEnvironmentId "$(containerAppEnvironmentId)"
                -containerRegistryServer "$(containerRegistryServer)"
                -containerImageName "$(containerImageName)"
              deploymentMode: '$(deploymentMode)'
              deploymentName: 'DeployPipelineTemplate'
              azureResourceManagerConnection: '$(azureSubscriptionServiceConnection)'

And here are the resource definitions in the Bicep template:

resource containerAppEnvironment 'Microsoft.App/managedEnvironments@2025-07-01' = {
  name: containerAppEnvironmentName
  location: azureRegion
  properties: {
    appLogsConfiguration: {
      destination: null
      logAnalyticsConfiguration: null
    }
    publicNetworkAccess: 'Disabled'
    workloadProfiles: [
      {
        name: 'Consumption'
        workloadProfileType: 'Consumption'
      }
    ]
  }
}


resource containerApp 'Microsoft.App/containerApps@2025-07-01' = {
  name: containerAppName
  kind: 'containerapps'
  location: azureRegion
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${uamiResourceId}': {}
    }
  }
  properties: {
    environmentId: containerAppEnvironmentId
    configuration: {
      registries: [
        {
          server: containerRegistryServer
          identity: uamiResourceId
        }
      ]
    }
    template: {
      containers: [
        {
          name: containerAppName
          image: containerImageName
          command: []
          args: []
          resources: containerComputeResources
        }
      ]
      scale: {
        minReplicas: 1
        maxReplicas: 1
      }
    }
    workloadProfileName: 'Consumption'
  }
  dependsOn: [
    containerAppEnvironment
  ]
}

Is this expected behavior? May I add, this was not a one-time thing for me. I recreated the "issue" repeatedly.

Answer 1

Hello Julie Jensen,

Welcome to Microsoft Q&A, Even though you're using Validation deployment mode, resources might still get created because the AzureResourceManagerTemplateDeployment@3 triggers a deployment rg operation not just a dry-run validation. In Azure Pipelines, this task doesn't strictly isolate validation from execution unless explicitly scoped. The Validation mode checks the template's syntax and resource availability, but if the resource group doesn't exist, it will be created.

However, actual resources (like your Container App and Environment) should not be created unless the deployment action is misconfigured or the pipeline overrides the mode internally.

To avoid unintended resource creation you can use What-If analysis via Azure CLI or PowerShell for safer template previews as instance:

trigger:
- main

pool:
  vmImage: 'ubuntu-latest'

steps:
- task: AzureCLI@2
  inputs:
    azureSubscription: '<your-service-connection>'
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: |
      az deployment group what-if \
        --resource-group <your-resource-group> \
        --template-file <your-template-file>.json \
        --parameters <your-parameters-file>.json
    displayName: 'ARM Template What-If Validation'

Reference:

• https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/reference/azure-resource-manager-template-deployment-v3?view=azure-pipelines
• https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-what-if

If this resolves your question, please accept the answer.

Luis

Answer 2

Hi @Julie Jensen , following up to see if you had a chance to check Luis's response and if it was helpful. If you're still facing the issue, please try below and share your findings.

1. Verify & hardcode Validation in the task (no variable). Check the task logs for the literal value that Azure sees. If a variable expanded to Incremental, that explains the create. (If you find mismatch, fix variables.)
2. Use az deployment group validate (AzureCLI task) or REST validate instead of the AzureResourceManagerTemplateDeployment task for the validation step. This avoids task-specific parsing/behavior bugs and uses ARM's documented validate operation. Example AzureCLI pipeline step:
3. Use what-if to preview changes instead of validate. what-if is expressly designed to show what would change and does not make changes — and it can be safer for providers that have validation quirks. (Note: what-if is different from validate and returns predicted changes rather than strict schema-only validation.