An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.
This creates a policy but doesn't do the needful
Below is my code for Deny:
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Resources/subscriptions"
        },
        {
          "field": "[concat('tags[', parameters('tagName'), ']')]",
          "notEquals": "[parameters('tagValue')]"
        },
        {
          "field": "type",
          "equals": "Microsoft.ContainerService/managedClusters"
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {
    "tagName": {
      "type": "String",
      "metadata": {
        "displayName": "Tag Name",
        "description": "Name of the tag, such as 'environment'"
      },
      "defaultValue": "AKS-Enabled"
    },
    "tagValue": {
      "type": "String",
      "metadata": {
        "displayName": "Tag Value",
        "description": "Value of the tag, such as 'production'"
      },
      "defaultValue": "true"
    }
  }
}
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
Hello @Kalra, sakshi
Can you try an example of a custom policy definition in JSON format that blocks AKS cluster creation if the subscription is not compliant with your organization's policies:
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.ContainerService/managedClusters"
      },
      {
        "not": {
          "field": "Microsoft.ContainerService/managedClusters/subscriptionId",
          "in": "[parameters('allowedSubscriptionIds')]"
        }
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
This policy definition checks if the subscription ID of the AKS cluster is in the allowedSubscriptionIds parameter. If it is not, the policy denies the creation of the AKS cluster.
Please note that this is just an example, and you should customize the policy definition to fit your organization's policies.
https://learn.microsoft.com/en-us/azure/aks/use-azure-policy
If an answer has been helpful, please consider accepting the answer to help increase visibility of this question for other members of the Microsoft Q&A community. If not, please let us know what is still needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!
Please remove the below section and try creating it - it should go through!
  {
    "field": "type",
    "equals": "Microsoft.Resources/subscriptions"
  },
I just tried your same policy file, it was failing with below error:
Once I removed the section, it got created successfully:
  {
    "field": "type",
    "equals": "Microsoft.Resources/subscriptions"
  },
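Why the rule in the question can never match, and what it matches once the subscription clause is removed, shown with a small evaluator. This is an added example, not code from the thread or from Azure: `matches`, `denied` and the sample resources are hypothetical, and the evaluator is a simplified stand-in that handles only the operators used in the question, with the parameter defaults already substituted.

```python
import re

# Simplified stand-in for Azure Policy condition evaluation (assumption: only
# allOf / anyOf / not / equals / notEquals on "type" and "tags[name]" fields).
def field_value(resource, field):
    m = re.fullmatch(r"tags\[(.+)\]", field)
    if m:
        return resource.get("tags", {}).get(m.group(1))
    return resource.get(field)

def _same(a, b):
    # Case-insensitive comparison; a missing field never equals anything.
    return a is not None and str(a).lower() == str(b).lower()

def matches(cond, resource):
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    value = field_value(resource, cond["field"])
    if "equals" in cond:
        return _same(value, cond["equals"])
    if "notEquals" in cond:
        return not _same(value, cond["notEquals"])
    raise ValueError(f"unsupported condition: {cond}")

# Conditions from the question, with tagName/tagValue defaults filled in.
SUB = {"field": "type", "equals": "Microsoft.Resources/subscriptions"}
TAG = {"field": "tags[AKS-Enabled]", "notEquals": "true"}
AKS = {"field": "type", "equals": "Microsoft.ContainerService/managedClusters"}

ORIGINAL = {"allOf": [SUB, TAG, AKS]}  # as posted: type must equal two values at once
TRIMMED = {"allOf": [TAG, AKS]}        # subscription clause removed

# Constructed sample resources (not real data).
SAMPLES = [
    {"name": "aks-untagged", "type": "Microsoft.ContainerService/managedClusters", "tags": {}},
    {"name": "aks-tagged", "type": "Microsoft.ContainerService/managedClusters",
     "tags": {"AKS-Enabled": "true"}},
    {"name": "sub", "type": "Microsoft.Resources/subscriptions", "tags": {}},
    {"name": "vm", "type": "Microsoft.Compute/virtualMachines", "tags": {}},
]

def denied(rule):
    """Names of the sample resources for which the rule's 'if' matches."""
    return [r["name"] for r in SAMPLES if matches(rule, r)]

if __name__ == "__main__":
    print("original:", denied(ORIGINAL))
    print("trimmed: ", denied(TRIMMED))
```

The `tags[...]` field is read from the resource being evaluated, so the trimmed rule checks the tag on the AKS cluster itself, not a tag on the subscription.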