Azure deny policy not working correctly

Question

Hi,

Currently I am trying to create various policies.

One of those is to allow the creation of a storageAccount but disallow the creation of Queues. The policy is deployed through the use of a Bicep template:

resource policyBlockResourceTypes 'Microsoft.Authorization/policyDefinitions@2020-09-01' = {
  name: policyConfigurations.policyBlockResourceTypes.name
  properties: {
    displayName: '[${policyConfigurations.policyBlockResourceTypes.name}] BlockResourceTypesqueues'
    policyType: 'Custom'
    mode: 'All'
    description: 'Policy to whitelist resource types'
    metadata: policyConfigurations.policyBlockResourceTypes.metadata
    policyRule: {
      if: {
        anyOf: [
          {
            field: 'type'
            like: 'Microsoft.Storage/storageAccounts/queueServices/queues'
          }
        ]
      }
      then: {
        effect: 'deny'
      }
    }
  }
}

The policy has been applied at both the Subscription and Resource Group level but unfortunately I am still able to create queues.

The policy definition:

{
  "properties": {
    "displayName": "[pol-sandbox-res-003] BlockResourceTypesqueues",
    "policyType": "Custom",
    "mode": "All",
    "description": "Policy to whitelist resource types",
    "metadata": {
      "version": "0.1.0",
      "category": "category",
      "source": "source",
      "createdBy": "a1a2eac0-6a29-470b-8101-3106532c28fd",
      "createdOn": "2023-03-31T07:27:30.5601202Z",
      "updatedBy": "a1a2eac0-6a29-470b-8101-3106532c28fd",
      "updatedOn": "2023-04-03T10:17:16.1670547Z"
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "field": "type",
            "like": "Microsoft.Storage/storageAccounts/queueServices/queues"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  },
  "id": "/subscriptions/2dda353d-ea8e-4c76-9e7d-0cbec6f34e5d/providers/Microsoft.Authorization/policyDefinitions/pol-sandbox-res-003",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "pol-sandbox-res-003",
  "systemData": {
    "createdBy": "ferdi.stoeltie@lagersmit.com",
    "createdByType": "User",
    "createdAt": "2023-03-31T07:27:30.5132596Z",
    "lastModifiedBy": "ferdi.stoeltie@lagersmit.com",
    "lastModifiedByType": "User",
    "lastModifiedAt": "2023-04-03T10:17:16.1376884Z"
  }
}

While creating new StorageAccounts and new Queues the activity log of the policy assignment shows the following:

User's image

And the JSON that is attached to it:

{
    "authorization": {
        "action": "Microsoft.Storage/storageAccounts/queueServices/queues/write",
        "scope": "/subscriptions/2dda353d-ea8e-4c76-9e7d-0cbec6f34e5d/resourceGroups/Dev-Portal-01_group/providers/Microsoft.Storage/storageAccounts/testdeleter/queueServices/default/queues/failplease"
    },
    "caller": "ferdi.stoeltie@lagersmit.com",
    "channels": "Operation",
    "claims": {
        "aud": "https://management.core.windows.net/",
        "iss": "https://sts.windows.net/f91416ec-377f-48d6-bd99-f28817bce3dc/",
        "iat": "1680523633",
        "nbf": "1680523633",
        "exp": "1680528537",
        "http://schemas.microsoft.com/claims/authnclassreference": "1",
        "aio": "AVQAq/8TAAAAKV/OnG0x/cI4SVvWK6c2etStWaTdDJkSRzLJ07qCPrAiPYUvB7JFZnTT+nruFThiATyJMZsJOrsJx4q8mPqYbjJb5aZTjt7SAUN0zeneBWE=",
        "http://schemas.microsoft.com/claims/authnmethodsreferences": "pwd,mfa",
        "appid": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c",
        "appidacr": "2",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "Stoeltie",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "Ferdi",
        "groups": "985d2338-c8bc-4c55-93cb-f90b1e34b3ed,ac67795f-6bad-4ecb-b8d7-be911d31e7e4,12bafa71-dc5e-4258-bb05-bbc996223da3,3738e0d1-d621-4570-9c38-76463baf5a3f,d8ca68fa-e9bb-45ff-8971-1825ed77b4f5,2ba38dfd-a2d9-4d1c-8e83-a76a69b1ebd3",
        "ipaddr": "144.178.95.58",
        "name": "Ferdi Stoeltie",
        "http://schemas.microsoft.com/identity/claims/objectidentifier": "a1a2eac0-6a29-470b-8101-3106532c28fd",
        "onprem_sid": "S-1-5-21-1977833990-800392848-2552735390-2570",
        "puid": "10032000614610D9",
        "rh": "0.AUgA7BYU-X831ki9mfKIF7zj3EZIf3kAutdPukPawfj2MBNIAPo.",
        "http://schemas.microsoft.com/identity/claims/scope": "user_impersonation",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "klzQAajHXWfEVC20moxob409cbOdu3qzlg5_UO7GdDM",
        "http://schemas.microsoft.com/identity/claims/tenantid": "f91416ec-377f-48d6-bd99-f28817bce3dc",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "ferdi.stoeltie@lagersmit.com",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "ferdi.stoeltie@lagersmit.com",
        "uti": "8Fwx9r9rG02NrX5h1fwcAA",
        "ver": "1.0",
        "xms_tcdt": "1412679501"
    },
    "correlationId": "da5c76a2-305b-47ff-852d-555cc1fe1e8f",
    "description": "",
    "eventDataId": "ba2b009a-b63c-4b40-bcd7-3a670ed11df1",
    "eventName": {
        "value": "EndRequest",
        "localizedValue": "End request"
    },
    "category": {
        "value": "Policy",
        "localizedValue": "Policy"
    },
    "eventTimestamp": "2023-04-03T12:15:22.6941244Z",
    "id": "/subscriptions/2dda353d-ea8e-4c76-9e7d-0cbec6f34e5d/resourceGroups/Dev-Portal-01_group/providers/Microsoft.Storage/storageAccounts/testdeleter/queueServices/default/queues/failplease/events/ba2b009a-b63c-4b40-bcd7-3a670ed11df1/ticks/638161209226941244",
    "level": "Error",
    "operationId": "da5c76a2-305b-47ff-852d-555cc1fe1e8f",
    "operationName": {
        "value": "Microsoft.Authorization/policies/deny/action",
        "localizedValue": "'deny' Policy action."
    },
    "resourceGroupName": "Dev-Portal-01_group",
    "resourceProviderName": {
        "value": "Microsoft.Storage",
        "localizedValue": "Microsoft.Storage"
    },
    "resourceType": {
        "value": "Microsoft.Storage/storageAccounts/queueServices/queues",
        "localizedValue": "Microsoft.Storage/storageAccounts/queueServices/queues"
    },
    "resourceId": "/subscriptions/2dda353d-ea8e-4c76-9e7d-0cbec6f34e5d/resourceGroups/Dev-Portal-01_group/providers/Microsoft.Storage/storageAccounts/testdeleter/queueServices/default/queues/failplease",
    "status": {
        "value": "Failed",
        "localizedValue": "Failed"
    },
    "subStatus": {
        "value": "",
        "localizedValue": ""
    },
    "submissionTimestamp": "2023-04-03T12:18:27Z",
    "subscriptionId": "2dda353d-ea8e-4c76-9e7d-0cbec6f34e5d",
    "tenantId": "f91416ec-377f-48d6-bd99-f28817bce3dc",
    "properties": {
        "isComplianceCheck": "False",
        "resourceLocation": null,
        "ancestors": "management-group-root,f91416ec-377f-48d6-bd99-f28817bce3dc",
        "policies": "[{\"policyDefinitionId\":\"/subscriptions/2dda353d-ea8e-4c76-9e7d-0cbec6f34e5d/providers/Microsoft.Authorization/policyDefinitions/pol-sandbox-res-003\",\"policyDefinitionName\":\"pol-sandbox-res-003\",\"policyDefinitionDisplayName\":\"[pol-sandbox-res-003] BlockResourceTypesqueues\",\"policyDefinitionVersion\":\"0.1.0\",\"policyDefinitionEffect\":\"deny\",\"policyAssignmentId\":\"/subscriptions/2dda353d-ea8e-4c76-9e7d-0cbec6f34e5d/providers/Microsoft.Authorization/policyAssignments/7530423b51484d90b6d748bf\",\"policyAssignmentName\":\"7530423b51484d90b6d748bf\",\"policyAssignmentDisplayName\":\"[pol-sandbox-res-003] BlockResourceTypesqueues\",\"policyAssignmentScope\":\"/subscriptions/2dda353d-ea8e-4c76-9e7d-0cbec6f34e5d\",\"policyAssignmentParameters\":{},\"policyAssignmentEnforcementMode\":\"Default\",\"policyExemptionIds\":[]},{\"policyDefinitionId\":\"/subscriptions/2dda353d-ea8e-4c76-9e7d-0cbec6f34e5d/providers/Microsoft.Authorization/policyDefinitions/pol-sandbox-res-003\",\"policyDefinitionName\":\"pol-sandbox-res-003\",\"policyDefinitionDisplayName\":\"[pol-sandbox-res-003] BlockResourceTypesqueues\",\"policyDefinitionVersion\":\"0.1.0\",\"policyDefinitionEffect\":\"deny\",\"policyAssignmentId\":\"/subscriptions/2dda353d-ea8e-4c76-9e7d-0cbec6f34e5d/resourceGroups/Dev-Portal-01_group/providers/Microsoft.Authorization/policyAssignments/b003d53de1fb4f3ca83913f8\",\"policyAssignmentName\":\"b003d53de1fb4f3ca83913f8\",\"policyAssignmentDisplayName\":\"[pol-sandbox-res-003] BlockResourceTypesqueues\",\"policyAssignmentScope\":\"/subscriptions/2dda353d-ea8e-4c76-9e7d-0cbec6f34e5d/resourceGroups/Dev-Portal-01_group\",\"policyAssignmentParameters\":{},\"policyAssignmentEnforcementMode\":\"Default\",\"policyExemptionIds\":[]}]",
        "eventCategory": "Policy",
        "entity": "/subscriptions/2dda353d-ea8e-4c76-9e7d-0cbec6f34e5d/resourceGroups/Dev-Portal-01_group/providers/Microsoft.Storage/storageAccounts/testdeleter/queueServices/default/queues/failplease",
        "message": "Microsoft.Authorization/policies/deny/action",
        "hierarchy": ""
    },
    "relatedEvents": []
}

Does anyone know if there is a limitation in Azure policies regarding the above? Or a better method to implement such as a limit?

Kind regards

Answer

Hi Ferdi,

This is an expected behaviour as the request payload to create queue services do not follow the standard pattern and passes Azure Resource Manager causing policy to skip.

Policy Known Issues : https://github.com/Azure/azure-policy?tab=readme-ov-file#resource-management-that-bypasses-azure-resource-manager

You can apply Audit or AINE effect instead as a workaround.

Share via

Azure deny policy not working correctly

1 answer

Your answer