Azure Deny Policy not allowing any setting changes on existing non-compliant resources

Balaji Shinde 20 Reputation points

DenyPolicy.txtHi All,

We are trying to put few deny policies so that the new resource creation is not allowed when it is non-compliant as per policy rule. This works fine. But the deny policy also denies any setting changes on existing non-compliant resources.


is one example where I am trying to change a setting on existing sql server which is non-compliant, the policy doesn't allow to do so.

We want the deny effect to work only during the new resource creation and not for existing resources. Is there a way to achieve this.



Azure Policy
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
830 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. VasimTamboli 4,785 Reputation points

    The behavior you're experiencing is expected when using a deny effect in Azure Policy. When a deny effect is applied to a policy, it not only blocks the creation of new non-compliant resources but also prevents modifications to existing resources that would make them non-compliant.

    If you want to allow setting changes on existing non-compliant resources while still enforcing compliance for new resource creations, you have a few options:

    Modify the policy definition: Review the policy definition that is causing the deny effect and adjust it accordingly. You may need to modify the condition or the effect to achieve the desired behavior. Keep in mind that modifying the policy may impact other resources, so ensure you thoroughly test the changes before applying them.

    Use an audit effect instead: Instead of using the deny effect, consider using the audit effect for your policy. The audit effect reports non-compliant resources without blocking their creation or modification. This allows you to monitor compliance without preventing changes to existing resources.

    Implement remediation tasks: Instead of relying solely on policy enforcement, you can use Azure Policy's remediation tasks to automatically correct non-compliant resources. This way, if a setting change on an existing non-compliant resource is required, the remediation task can make the necessary modifications to bring it into compliance.

    It's important to carefully consider the impact of your policy decisions and strike a balance between enforcing compliance and allowing necessary changes to existing resources.

    0 comments No comments