What takes precedence - Azure Policy or Locks

Question

What takes precedence - Azure Policy or Locks

Shridhar Srinivasan 220

I have a Resource Group named RG1. I have a Read-only Lock applied to RG1.

I have a Policy assigned to RG1 which has "allowed resource types" for "Virtual Machines".

Can I create a VM in RG1 ?

2 answers

Your answer

Answer 1

Andrew Blumhardt 10,051 Microsoft Employee

I assume the lock wins but I recommend devising a test to verify if needed.

Shridhar Srinivasan 220 Reputation points

2023-07-20T11:46:11.32+00:00

Thanks Andrew. Can I request you or someone to test this and update here please ?

I have exhausted my Trial Subscription.

Answer 2

kobulloc-MSFT 26,811 Microsoft Employee Moderator

Hello, @Shridhar Srinivasan !

Can I deploy VMs into a resource group with a read only lock if there is a policy that has allowed resource types of virtual machines?

The short answer is "no", but this is because there isn't a policy that explicitly allows resource creation. Rather, allowed resource types works by denying resource types that are not explicitly listed as allowed resource types:

User's image

When we look at the policy in more detail, we can see an if/then statement that matches the description of the policy:

Allowed Resource Type (Deny): Defines the resource types that you can deploy. Its effect is to deny all resources that aren't part of this defined list.

User's image

When testing this, we see that VM creation is not allowed in a read only resource group:

User's image

I hope this has been helpful! Your feedback is important so please take a moment to accept answers.

If you still have questions, please let us know what is needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!

User's image

Shridhar Srinivasan 220 Reputation points

2023-07-26T09:45:48.6166667+00:00

Thanks for the detailed explanation and snap of message on selecting such a RG.
kobulloc-MSFT 26,811 Reputation points Microsoft Employee Moderator

2023-07-26T16:33:01.1633333+00:00

Happy to help, @Srinivasan, Shridhar (Shridhar) !
Shridhar Srinivasan 220 Reputation points

2023-07-27T05:12:16.5766667+00:00

Thanks @kobulloc-MSFT

Please point me to the help link where this is outlined for me to go through the details.
kobulloc-MSFT 26,811 Reputation points Microsoft Employee Moderator

2023-07-27T05:24:49.92+00:00
Sure thing! Is this what you are looking for?

Policy definition (Allowed Resource Type)

Lock your resources to protect your infrastructure (ReadOnly)

Shridhar Srinivasan 220

Sorry @kobulloc-MSFT I was expecting the pages to elaborate \ explain what blocks the creation of the VM - Lock or the Policy.

Adding some more clarity:

"allowed resource types". I do not mean here the in-built policy. It was more like

{
  "properties": {
    "displayName": "VirtualMachineCreationAndAssignment",
    "description": "Allows users to create virtual machines (VMs) and assigns them to a specified Resource Group.",
    "mode": "Indexed",
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "Microsoft.Compute/imagePublisher",
            "exists": "true"
          },
          {
            "field": "Microsoft.Compute/imageOffer",
            "exists": "true"
          },
          {
            "field": "Microsoft.Compute/imageSKU",
            "exists": "true"
          }
        ]
      },
      "then": {
        "effect": "allow"
      }
    },
    "metadata": {
      "category": "Virtual Machines"
    }
  }
}

kobulloc-MSFT 26,811 Reputation points Microsoft Employee Moderator

2023-08-03T06:14:34.73+00:00

Thank you, @Srinivasan, Shridhar (Shridhar) ! I'm working on a repro based on the JSON you provided and should be able to share the results within the next day or so.
Shridhar Srinivasan 220 Reputation points

2023-08-03T06:27:02.9133333+00:00

Thanks @kobulloc-MSFT

The JSON I provided is just a sample extract I created based on theory knowledge I gathered. I don't know how exhaustive \ sufficient it is to help me create a VM.

My trial subscription is exhausted and I could not trial anything. Your trial would help a lot.
kobulloc-MSFT 26,811 Reputation points Microsoft Employee Moderator

2023-08-04T05:51:47.5733333+00:00
Hello, @Srinivasan, Shridhar (Shridhar) !

Allow is not a supported effect, so I am unable to use the JSON provided:

https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effects

These effects are currently supported in a policy definition:

Append

Audit

AuditIfNotExists

Deny

DenyAction (preview)

DeployIfNotExists

Disabled

Manual

Modify

If you are able to find an example policy that explicitly allows for resource creation, I'd be happy to try this again but I looked for any tangent custom policies and was unable to find anything.
Shridhar Srinivasan 220 Reputation points

2023-08-06T07:14:25.43+00:00

Understand. You can use the DeployIfNotExists effect. Please feel free to enhance the Policy to allow the creation of a VM.
Shridhar Srinivasan 220 Reputation points

2023-08-07T06:39:15.7266667+00:00

Hi @kobulloc-MSFT

Did you get a chance to check my latest comment and try this out ?
kobulloc-MSFT 26,811 Reputation points Microsoft Employee Moderator

2023-08-07T06:43:48.1066667+00:00

Hello, @Srinivasan, Shridhar (Shridhar) ! I should get a chance to repro this soon.
kobulloc-MSFT 26,811 Reputation points Microsoft Employee Moderator

2023-08-09T01:24:53.1633333+00:00

Hello, @Srinivasan, Shridhar (Shridhar) ! I'm not seeing any templates readily available that would accomplish what you are looking to test. If there is a complete policy that you would like me to test, I'd be happy to run that.

Share via

What takes precedence - Azure Policy or Locks

2 answers

Your answer