Help with creating Azure policy to deny storage account creation if no private link is configured

Question

Help with creating Azure policy to deny storage account creation if no private link is configured

Guo, Jianning 40

I have trying to create an Azure enforcement policy which will deny storage account to be created if a private endpoint is not configured for the account. I have the following policy rule:

    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/privateEndpointConnections",
            "exists": "false"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    },

Note: the effect is set to "deny".

However, when I configured the private endpoint during the storage account creation, the policy prevents the account creation.

I have also tried the following condition instead of using "exists", the policy still denies the creation of the storage account.

{

"field": "Microsoft.Storage/storageAccounts/privateEndpointConnections",

"equals": ""

}

Any idea how should I modify my policy?

Thanks

Accepted answer

1 additional answer

Your answer

Answer 1

@Guo, Jianning

Please use this policy definition, this should work.

{
  "properties": {
    "displayName": "Deny Storage Accounts without private access",
    "policyType": "Custom",
    "mode": "All",
    "description": "Deny creation of storage accounts if public network access is not disabled (i.e., only private endpoint access is allowed).",
    "metadata": {
      "version": "1.0.0",
      "category": "Storage"
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/publicNetworkAccess",
            "notequals": "Disabled"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}

Artifact:

User's image

Hope this helps!

let us know if any help, we will always help as you needed.!

User's image

Please do not forget to "Accept the answer” and upvote it wherever the information provided helps you, this can be beneficial to other community members.it would be greatly appreciated and helpful to others.

Answer 2

Guo, Jianning 40

I do have disable publicnetworkaccess policy in place. I was trying to see if I could also make sure private endpoint is configured during storage account creation.

Ashok Gandhi Kotnana 10,115 Reputation points Microsoft External Staff Moderator

2025-06-16T15:53:31.0333333+00:00

Hi @Guo, Jianning

Thanks for letting me know

Azure Policy does not currently support enforcing or validating the existence of a Private Endpoint at the time of Storage Account creation due to resource deployments and dependencies work. The private endpoint targets that exact storage account which is not yet created in this scenario.

Azure policy1: Deny if Public Access is Enabled

This ensures the storage account must use Private Endpoints for access.

Azure Policy2: Audit if Private Endpoint is Missing

You can create an Azure Policy that audits storage accounts that don't have any private endpoint connections. While it won't prevent creation, it can be used for post-deployment compliance enforcement.

for reference:
Hope this helps!

let us know if any help, we will always help as you needed.!

Please do not forget to "Accept the answer” and upvote it wherever the information provided helps you, this can be beneficial to other community members.it would be greatly appreciated and helpful to others.
Guo, Jianning 40 Reputation points

2025-06-16T16:54:29.49+00:00

Thank you.

Share via

Help with creating Azure policy to deny storage account creation if no private link is configured

1 additional answer

Your answer