Manage Azure private dns zone A entries TTL via Azure Policy

Question

Manage Azure private dns zone A entries TTL via Azure Policy

stephane clavel 66

Hi

Is it possible to manage Azure private dns zone A entries TTL via Azure Policy please?

The following if condition does not catch any A entry for which TTL is different to 600.

"policyRule":{

  "if":{

     "allOf":[

        {

           "field":"type",

           "equals":"Microsoft.Network/privateDnsZones/A"

        },

        {

           "field":"Microsoft.Network/privateDnsZones/A/Ttl",

           "notEquals":600

        }

     ]

  },

  "then":{

Thanks

Suchitra Suregaunkar 14,430 Reputation points Microsoft External Staff Moderator

2026-04-01T15:39:41.61+00:00
Hello stephane clavel

Thank you for posting your query on Microsoft Q&A platform.

Yes, Azure Policy can evaluate (audit/deny) the TTL of Azure Private DNS A record sets. However, your policy condition does not work because it uses an incorrect field path for TTL.

For Azure Private DNS A record sets, TTL is not a top‑level property. Microsoft defines TTL under:

properties.ttl

Resource type:

Microsoft.Network/privateDnsZones/A

Your condition uses: "Microsoft.Network/privateDnsZones/A/Ttl"

This field does not exist as a valid Azure Policy alias, so the policy never matches any resource.

Please use below provided policy condition where this condition correctly evaluates A record sets whose TTL is not 600 seconds.

"if": { "allOf": [ { "field": "type", "equals": "Microsoft.Network/privateDnsZones/A" }, { "field": "properties.ttl", "notEquals": 600 } ] }

TTL location in the Private DNS A record schema: TTL is defined inside properties.ttl for Microsoft.Network/privateDnsZones/A

Reference: https://learn.microsoft.com/en-us/azure/templates/microsoft.network/privatednszones/a?pivots=deployment-language-bicep

Microsoft-published alias list confirms that properties.ttl is the supported alias: Microsoft.Network/privateDnsZones/A/ttl → properties.ttl

Reference: https://policyalias.mats.codes/Microsoft.Network/privateDnsZones-A/

Please have a look into below important points:

TTL is applied at the record set level, not individual A records (this is by DNS and Azure design)

Azure Policy can audit or deny record sets based on TTL

Azure Policy cannot modify existing TTL values automatically unless a Modify effect with supported operations is explicitly configured

Reference: https://learn.microsoft.com/en-us/azure/dns/dns-private-records

I hope this clarifies why the policy condition was not matching and how to correctly evaluate TTL for Private DNS A record sets using Azure Policy. Please let us know if you have any further questions.

If you found the comment helpful, please consider clicking "Upvote it."

Thanks,

Suchitra.
stephane clavel 66 Reputation points

2026-04-02T14:36:33.92+00:00

Hi SushitraThanks for your answer.

I may have missed something but when I try this if statement I get the below error :

The policy definition '66b3e5e3c6424d96acbb8cd8' rule is invalid. The value of 'field' property 'properties.ttl' of the policy rule must be one of 'Name, Type, Location, Tags, Kind, FullName, identity.type, identity.userAssignedIdentities, id, extendedLocation, extendedLocation.type, extendedLocation.name' or an alias, e.g. "Microsoft.Compute/virtualMachines/imagePublisher".

Is this something working on your side?

Thanks
Suchitra Suregaunkar 14,430 Reputation points Microsoft External Staff Moderator

2026-04-02T20:48:24.7766667+00:00

Hello stephane clavel

Thanks for responding back. I am looking into it and will keep you posted update.
Suchitra Suregaunkar 14,430 Reputation points Microsoft External Staff Moderator

2026-04-03T18:55:08.61+00:00

Hello stephane clavel

Could you please let us know if the information shared by @Bharath Y P is helpful?

If you found the comment helpful, please consider clicking "Upvote it".

If you need any further assistance, please feel free to reach out.

Thanks,

Suchitra.
Bharath Y P 9,645 Reputation points Microsoft External Staff Moderator

2026-04-06T04:02:58.33+00:00

Just wanted to kindly follow up and check whether the solution provided was helpful or not. If so, we would appreciate it if you could accept the answer and up‑vote it, as this will help other community members who may encounter the same issue in the future.

Thank you.

Answer accepted by question author

Bharath Y P 9,645 Microsoft External Staff Moderator

Azure Policy cannot directly read arbitrary ARM resource properties. It can only evaluate properties that have a published policy alias. Microsoft documentation states that property aliases are required to reference specific resource properties in a policy rule. If an alias does not exist for a property, Azure Policy cannot access that property at all, even though it exists in the ARM schema. Details of the policy definition structure aliases - Azure Policy | Microsoft Learn

For Azure Private DNS A record sets, the TTL is stored in the ARM schema at properties.ttl

Resource type:

Microsoft.Network/privateDnsZones/A

Microsoft.Network/privateDnsZones/A - Bicep, ARM template & Terraform AzAPI reference | Microsoft Learn

To use a property in Azure Policy, a policy alias must exist. Aliases can be discovered using:

Azure Policy VS Code extension
Get-AzPolicyAlias PowerShell command
Azure provider alias APIs

When checking the aliases for:

Microsoft.Network/privateDnsZones/A

you will find that no alias exists for properties.ttl.

Example command:

Get-AzPolicyAlias -NamespaceMatch Microsoft.Network

When you attempt to reference:

"field": "properties.ttl"

Azure Policy returns the validation error:

The value of 'field' property properties.ttl must be one of 'Name, Type, Location…' or an alias

This occurs because:

properties.ttl is not a supported alias
Azure Policy only allows built-in fields or registered aliases

Therefore the policy definition fails before it can be created.

Troubleshoot common errors - Azure Policy | Microsoft Learn

Azure Policy can evaluate the resource type, because type is a built-in field.

Example:

{   
   "field": "type",
   "equals": "Microsoft.Network/privateDnsZones/A" 
}

However, it cannot evaluate the TTL value itself.

At this time, Azure Policy cannot audit, deny, or enforce TTL values for Azure Private DNS A record sets, because:

TTL exists at properties.ttl
No Azure Policy alias exists for this property
Azure Policy cannot evaluate non-aliased properties

Therefore, TTL governance through Azure Policy is not currently supported.

0 comments

1 additional answer

Your answer

stephane clavel 66 Reputation points

2026-04-02T14:36:33.92+00:00

Hi SushitraThanks for your answer.

I may have missed something but when I try this if statement I get the below error :

The policy definition '66b3e5e3c6424d96acbb8cd8' rule is invalid. The value of 'field' property 'properties.ttl' of the policy rule must be one of 'Name, Type, Location, Tags, Kind, FullName, identity.type, identity.userAssignedIdentities, id, extendedLocation, extendedLocation.type, extendedLocation.name' or an alias, e.g. "Microsoft.Compute/virtualMachines/imagePublisher".

Is this something working on your side?

Thanks
Suchitra Suregaunkar 14,430 Reputation points Microsoft External Staff Moderator

2026-04-02T20:48:24.7766667+00:00

Hello stephane clavel

Thanks for responding back. I am looking into it and will keep you posted update.
Suchitra Suregaunkar 14,430 Reputation points Microsoft External Staff Moderator

2026-04-03T18:55:08.61+00:00

Hello stephane clavel

Could you please let us know if the information shared by @Bharath Y P is helpful?

If you found the comment helpful, please consider clicking "Upvote it".

If you need any further assistance, please feel free to reach out.

Thanks,

Suchitra.
Bharath Y P 9,645 Reputation points Microsoft External Staff Moderator

2026-04-06T04:02:58.33+00:00

Just wanted to kindly follow up and check whether the solution provided was helpful or not. If so, we would appreciate it if you could accept the answer and up‑vote it, as this will help other community members who may encounter the same issue in the future.

Thank you.

Answer 1

Azure Policy can evaluate and enforce properties that are exposed on the resource type. For Microsoft.Network/privateDnsZones/A, the TTL is not a top-level field; it is part of the properties object.

According to the resource schema, the TTL is defined as:

properties.ttl (an int in RecordSetProperties)

and the resource type is:

type: Microsoft.Network/privateDnsZones/A

So the policy condition must target the properties.ttl path, not Microsoft.Network/privateDnsZones/A/Ttl.

A working if block would look like this (conceptually):

"if": {
  "allOf": [
    {
      "field": "type",
      "equals": "Microsoft.Network/privateDnsZones/A"
    },
    {
      "field": "Microsoft.Network/privateDnsZones/A/properties.ttl",
      "notEquals": 600
    }
  ]
}

or, using the generic field path:

{
  "field": "properties.ttl",
  "notEquals": 600
}

Using the correct property path allows Azure Policy to match A record sets whose TTL differs from 600 and then audit or deny them as required.

References:

Share via

Manage Azure private dns zone A entries TTL via Azure Policy

1 additional answer

Your answer