Even though you’re setting "effect": "deny" in the initiative definition, if the policy definition itself doesn't allow the effect parameter to be overridden, your initiative-level value will be ignored, and the default (audit) will apply.
The policy doesn’t define effect as a parameter
Check your policy definition (.json). You must explicitly declare "effect" as a parameter:

    "parameters": {
      "effect": {
        "type": "string",
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit",
        "metadata": {
          "description": "Effect of the policy"
        }
      }
    }

If it’s not a parameter, the initiative can’t override it.
The initiative isn’t correctly assigning the parameter
Ensure your initiative definition includes the parameters block and correctly assigns the new value to the policy reference:

    "policyDefinitions": [
      {
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/xxxx",
        "parameters": {
          "effect": {
            "value": "Deny"
          }
        }
      }
    ]

Example:
Policy Definition with parameter block
Initiative Definition with default value: Deny
Test Results:
When Effect is Deny
Hope this helps!
Let us know if you need any more help; we will always help as needed.
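The two checks described in the answer above can be run offline against the definition files before assignment. This is an added example, not part of the original answer or Microsoft's tooling: `check_effect_override` and the sample documents are hypothetical, and it assumes the rule binds the parameter the usual way, with `"effect": "[parameters('effect')]"` under `policyRule.then`.

```python
import json

def _props(doc):
    # Exported definitions wrap the body in "properties"; hand-written files may not.
    return doc.get("properties", doc)

def check_effect_override(policy, initiative, policy_id):
    """List reasons an initiative-level effect would not reach this policy."""
    findings = []
    p = _props(policy)
    param = p.get("parameters", {}).get("effect")
    if param is None:
        findings.append("policy does not declare an 'effect' parameter")
    rule_effect = p.get("policyRule", {}).get("then", {}).get("effect", "")
    if rule_effect.replace(" ", "").lower() != "[parameters('effect')]":
        findings.append(f"then.effect is not bound to the parameter: {rule_effect!r}")
    refs = [r for r in _props(initiative).get("policyDefinitions", [])
            if r.get("policyDefinitionId", "").lower() == policy_id.lower()]
    if not refs:
        findings.append("initiative does not reference this policy definition")
    for ref in refs:
        value = ref.get("parameters", {}).get("effect", {}).get("value")
        if value is None:
            default = (param or {}).get("defaultValue")
            findings.append(f"no 'effect' value passed; policy default {default!r} applies")
        elif param and not value.startswith("["):  # "[...]" = initiative parameter reference
            allowed = param.get("allowedValues", [])
            if allowed and value not in allowed:  # compared exactly in this example
                findings.append(f"{value!r} is not in the policy's allowedValues {allowed}")
    return findings

# Constructed sample data; the ID is the page's placeholder, the rule body is made up.
POLICY_ID = "/providers/Microsoft.Authorization/policyDefinitions/xxxx"
RULE_IF = {"field": "type", "equals": "Microsoft.Storage/storageAccounts"}
EFFECT_PARAM = {"type": "string", "allowedValues": ["Audit", "Deny", "Disabled"],
                "defaultValue": "Audit"}
POLICY_OK = {"properties": {"parameters": {"effect": EFFECT_PARAM},
             "policyRule": {"if": RULE_IF, "then": {"effect": "[parameters('effect')]"}}}}
POLICY_HARDCODED = {"properties": {
             "policyRule": {"if": RULE_IF, "then": {"effect": "audit"}}}}
INITIATIVE = {"properties": {"policyDefinitions": [
    {"policyDefinitionId": POLICY_ID, "parameters": {"effect": {"value": "Deny"}}}]}}
INITIATIVE_NO_VALUE = {"properties": {"policyDefinitions": [
    {"policyDefinitionId": POLICY_ID, "parameters": {}}]}}

if __name__ == "__main__":
    for name, pol, ini in [("ok", POLICY_OK, INITIATIVE),
                           ("hard-coded", POLICY_HARDCODED, INITIATIVE),
                           ("no value", POLICY_OK, INITIATIVE_NO_VALUE)]:
        print(name, json.dumps(check_effect_override(pol, ini, POLICY_ID), indent=2))
```

An empty list means the initiative's value will reach the policy; any finding points to the definition that has to change before `Deny` can apply.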