Azure Policy Compliance not Evaluating Correctly - DINE Key Vault Access Policy

Jared 0 Reputation points
2025-03-18T21:31:58.74+00:00

I have an Azure Policy using DeployIfNotExists meant to add a key vault access policy to all non-RBAC KVs; however, the compliance of the policy is always evaluating to false even though the criteria of the existence condition are met. The policy functions as desired, adding access policies if needed.

{
    "if": {
        "allOf": [
            {
                "field": "type",
                "equals": "Microsoft.KeyVault/vaults"
            },
            {
                "field": "Microsoft.KeyVault/vaults/enableRbacAuthorization",
                "equals": "false"
            }
        ]
    },
    "then": {
        "effect": "[parameters('effect')]",
        "details": {
            "type": "Microsoft.KeyVault/vaults",
            "name": "[field('name')]",
            "existenceCondition": {
                "count": {
                    "field": "Microsoft.Keyvault/vaults/accessPolicies[*]",
                    "where": {
                        "allOf": [
                            {
                                "field": "Microsoft.Keyvault/vaults/accessPolicies[*].objectId",
                                "equals": "[parameters('aadObjectId')]"
                            },
                            {
                                "field": "Microsoft.Keyvault/vaults/accessPolicies[*].permissions.keys",
                                "contains": "list"
                            },
                            {
                                "field": "Microsoft.Keyvault/vaults/accessPolicies[*].permissions.secrets",
                                "contains": "list"
                            },
                            {
                                "field": "Microsoft.Keyvault/vaults/accessPolicies[*].permissions.certificates",
                                "contains": "list"
                            },
                            {
                                "field": "Microsoft.Keyvault/vaults/accessPolicies[*].permissions.certificates",
                                "contains": "listissuers"
                            }
                        ]
                    }
                },
                "greater": 0
            },
            "roleDefinitionIds": [
                "/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395"
            ],
            "evaluationDelay": "AfterProvisioning",
            "deployment": {
                "properties": {
                    "mode": "incremental",
                    "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                            "vaultName": {
                                "type": "string"
                            },
                            "principalObjectId": {
                                "type": "string"
                            }
                        },
                        "resources": [
                            {
                                "type": "Microsoft.KeyVault/vaults/accessPolicies",
                                "name": "[concat(parameters('vaultName'), '/add')]",
                                "apiVersion": "2019-09-01",
                                "properties": {
                                    "accessPolicies": [
                                        {
                                            "tenantId": "[subscription().tenantId]",
                                            "objectId": "[parameters('principalObjectId')]",
                                            "permissions": {
                                                "keys": [
                                                    "list"
                                                ],
                                                "secrets": [
                                                    "list"
                                                ],
                                                "certificates": [
                                                    "list",
                                                    "listissuers"
                                                ]
                                            }
                                        }
                                    ]
                                }
                            }
                        ]
                    },
                    "parameters": {
                        "vaultName": {
                            "value": "[field('name')]"
                        },
                        "principalObjectId": {
                            "value": "[parameters('aadObjectId')]"
                        }
                    }
                }
            }
        }
    }
}

  1. Srinivasa Reddy Jaggavarapu 455 Reputation points Microsoft External Staff
    2025-03-21T23:43:01.7766667+00:00

    Hi Jared,

    Your Azure Policy using 'DeployIfNotExists' is not evaluating compliance correctly despite meeting the existence condition criteria. This could be due to several factors:

    Make sure that the existence condition is correctly evaluating the access policies. The condition checks if the count of access policies matching the specified criteria is greater than 0. If there are any discrepancies in the objectId or permissions specified, it may not count as compliant.

    The 'evaluationDelay' is set to "AfterProvisioning." This means that the evaluation of the policy will occur after the provisioning of resources. If the resources are provisioned but not yet fully available or if the policy evaluation is triggered too soon, it may result in a false non-compliance.

    Verify that the role definition ID specified in the policy is correct and that the necessary permissions are granted to the identity executing the policy.

    Check that the policy is assigned at the correct scope (subscription or resource group) to evaluate the Key Vaults properly.

    Review the logs for the Key Vault to see if there are any errors or warnings that might indicate why the compliance check is failing.

    If the policy definition has been updated recently, ensure that the changes are reflected in the assignment and that the policy has been re-evaluated. By checking these areas, you may be able to identify why the compliance is not evaluating as expected.

    Please refer to these documentation links:

    https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-deploy-if-not-exists

    https://learn.microsoft.com/en-us/azure/key-vault/general/azure-policy#types-of-policy-effects-and-guidance

    If you had a chance to see my comment on your question and it was helpful, please click "Accept Answer" and "Yes" on my post to let us know. Thank you!

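The answer's first point is to confirm that the existence condition actually matches an access policy on the vault. The following is an added example, not code from the question, the answer, or Azure Policy itself: a local re-implementation of the question's `existenceCondition` (the `count`/`where`/`allOf` over `accessPolicies[*]`) that can be run offline against the JSON shape `az keyvault show` returns, and that reports which clause an access policy fails. The object ID and the three vault documents are constructed placeholders; the evaluator assumes Azure Policy's `equals` and `contains` compare strings case-insensitively and that `contains` on an array tests for an element, which is how those conditions are modelled here.

```python
"""Local evaluator for the DeployIfNotExists existenceCondition in the question.
Added example: this is not Azure Policy's engine, only a model of its
count/where/allOf semantics used to check a vault document by hand.
Assumptions (labelled): equals and contains are case-insensitive string
comparisons, and contains on an array means 'array has this element'.
"""

# Placeholder for the assignment's aadObjectId parameter (constructed value).
AAD_OBJECT_ID = "11111111-2222-3333-4444-555555555555"

# The allOf clauses of the existenceCondition, as (path inside one access
# policy, operator, expected value). Every clause must hold for a policy to
# count towards the 'greater than 0' test.
REQUIRED = [
    ("objectId", "equals", AAD_OBJECT_ID),
    ("permissions.keys", "contains", "list"),
    ("permissions.secrets", "contains", "list"),
    ("permissions.certificates", "contains", "list"),
    ("permissions.certificates", "contains", "listissuers"),
]


def _get(obj, path):
    """Walk a dotted path through nested dicts; None if any step is missing."""
    for part in path.split("."):
        if not isinstance(obj, dict):
            return None
        obj = obj.get(part)
    return obj


def _eq(a, b):
    # Assumption: Azure Policy string comparison is case-insensitive.
    return isinstance(a, str) and isinstance(b, str) and a.lower() == b.lower()


def clause_holds(access_policy, path, op, value):
    actual = _get(access_policy, path)
    if op == "equals":
        return _eq(actual, value)
    if op == "contains":
        if isinstance(actual, list):          # array: element membership
            return any(_eq(item, value) for item in actual)
        return isinstance(actual, str) and value.lower() in actual.lower()
    raise ValueError(f"unsupported operator {op}")


def failed_clauses(access_policy):
    """Diagnostic: the clauses this single access policy does not satisfy."""
    return [f"{path} {op} {value!r}"
            for path, op, value in REQUIRED
            if not clause_holds(access_policy, path, op, value)]


def in_scope(vault):
    """The policy's 'if' block: a vault that is not using RBAC authorization."""
    props = vault.get("properties", {})
    return (vault.get("type", "").lower() == "microsoft.keyvault/vaults"
            and not props.get("enableRbacAuthorization", False))


def matching_policy_count(vault):
    """count(accessPolicies[*] where allOf(...)) from the existenceCondition."""
    policies = vault.get("properties", {}).get("accessPolicies", [])
    return sum(1 for ap in policies if not failed_clauses(ap))


def evaluate(vault):
    """Compliance outcome the existenceCondition would produce for this vault."""
    if not in_scope(vault):
        return "not applicable"
    return "compliant" if matching_policy_count(vault) > 0 else "non-compliant"


def _vault(name, rbac, policies):
    # Constructed sample in the shape of `az keyvault show -o json`.
    return {"type": "Microsoft.KeyVault/vaults", "name": name,
            "properties": {"enableRbacAuthorization": rbac,
                           "accessPolicies": policies}}


# Constructed sample vaults.
VAULT_OK = _vault("kv-sample-ok", False, [
    {"objectId": "99999999-8888-7777-6666-555555555555",
     "permissions": {"secrets": ["get"]}},
    # Matches despite different letter case in objectId and 'List'.
    {"objectId": AAD_OBJECT_ID.upper(),
     "permissions": {"keys": ["List"], "secrets": ["list"],
                     "certificates": ["list", "listissuers"]}},
])
VAULT_MISSING = _vault("kv-sample-missing", False, [
    {"objectId": AAD_OBJECT_ID,
     "permissions": {"keys": ["list"], "secrets": ["list"],
                     "certificates": ["list"]}},   # no listissuers
])
VAULT_RBAC = _vault("kv-sample-rbac", True, [])


if __name__ == "__main__":
    for v in (VAULT_OK, VAULT_MISSING, VAULT_RBAC):
        print(v["name"], evaluate(v))
        for ap in v["properties"]["accessPolicies"]:
            print("  ", ap["objectId"], failed_clauses(ap) or "matches")
```

To check a real vault, feed the output of `az keyvault show -n <vault> -o json` to `evaluate`; a `failed_clauses` list that names a single clause usually points at the discrepancy in object ID or permissions the answer describes. Note also that the compliance record is only refreshed on the next evaluation cycle or an on-demand scan (`az policy state trigger-scan`), so a vault remediated by the DINE deployment can keep showing non-compliant until that scan runs.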
