The behavior you're experiencing is expected when using a deny effect in Azure Policy. When a deny effect is applied to a policy, it not only blocks the creation of new non-compliant resources but also prevents modifications to existing resources that would make them non-compliant.
If you want to allow setting changes on existing non-compliant resources while still enforcing compliance for new resource creations, you have a few options:
1. Modify the policy definition: Review the policy definition that is causing the deny effect and adjust it accordingly. You may need to modify the condition or the effect to achieve the desired behavior. Keep in mind that modifying the policy may impact other resources, so ensure you thoroughly test the changes before applying them.
2. Use an audit effect instead: Instead of using the deny effect, consider using the audit effect for your policy. The audit effect reports non-compliant resources without blocking their creation or modification. This allows you to monitor compliance without preventing changes to existing resources.
3. Implement remediation tasks: Instead of relying solely on policy enforcement, you can use Azure Policy's remediation tasks to automatically correct non-compliant resources. This way, if a setting change on an existing non-compliant resource is required, the remediation task can make the necessary modifications to bring it into compliance.
It's important to carefully consider the impact of your policy decisions and strike a balance between enforcing compliance and allowing necessary changes to existing resources.
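The three options above in one worked example, added here and not part of the original answer: a custom definition whose effect is a parameter (Audit to report only, Deny to block, Modify to fix the resource), assigned with Modify and followed by a remediation task so existing non-compliant resources are corrected rather than blocked on their next update. It assumes the Az.Resources and Az.PolicyInsights modules, an authenticated session, and a subscription you control; the tag name `env`, the value `prod`, the subscription ID placeholder, and all resource names are constructed.

```powershell
# Added example, not code from the original answer. Assumes Az.Resources + Az.PolicyInsights
# and that Connect-AzAccount has already been run. Subscription ID below is a placeholder.
$scope = "/subscriptions/00000000-0000-0000-0000-000000000000"

# Rule: any indexed resource missing the 'env' tag is non-compliant. The effect is a parameter:
#   Audit  -> reports only, never blocks create or update
#   Deny   -> blocks new resources AND any update that leaves an existing resource non-compliant
#   Modify -> adds the tag on create/update, and fixes existing resources via remediation
# 'details' (role + operations) is only used by Modify and ignored by Audit/Deny.
$policyRule = @'
{
  "if": { "field": "tags['env']", "exists": "false" },
  "then": {
    "effect": "[parameters('effect')]",
    "details": {
      "roleDefinitionIds": [
        "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
      ],
      "operations": [
        { "operation": "addOrReplace", "field": "tags['env']", "value": "[parameters('tagValue')]" }
      ]
    }
  }
}
'@
$parameters = @'
{
  "effect":   { "type": "String", "allowedValues": ["Audit", "Deny", "Modify", "Disabled"], "defaultValue": "Audit" },
  "tagValue": { "type": "String", "defaultValue": "prod" }
}
'@

# Option 1: the definition itself decides behaviour; here the default is Audit (option 2).
$definition = New-AzPolicyDefinition -Name "require-env-tag" -DisplayName "Require 'env' tag" `
    -Mode Indexed -Policy $policyRule -Parameter $parameters

# Option 3: assign with Modify. Modify needs a managed identity that holds the role listed in
# roleDefinitionIds, otherwise remediation cannot write to existing resources.
$assignment = New-AzPolicyAssignment -Name "require-env-tag" -Scope $scope `
    -PolicyDefinition $definition -PolicyParameterObject @{ effect = "Modify"; tagValue = "prod" } `
    -IdentityType SystemAssigned -Location "eastus"

# Grant the assignment's identity Contributor at the scope. The property holding the principal ID
# is assumed here; it differs between Az.Resources versions, so check Get-AzPolicyAssignment output.
New-AzRoleAssignment -ObjectId $assignment.Identity.PrincipalId -RoleDefinitionName "Contributor" -Scope $scope

# Remediation task: evaluates existing resources and applies the Modify operations to the
# non-compliant ones, instead of waiting for (and blocking) their next update as Deny would.
Start-AzPolicyRemediation -Name "require-env-tag-remediation" -Scope $scope `
    -PolicyAssignmentId $assignment.PolicyAssignmentId -ResourceDiscoveryMode ReEvaluateCompliance
```

Role assignments can take a few minutes to propagate, so a remediation task started immediately after New-AzRoleAssignment may fail on the first attempt and succeed when re-run.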