question

artisticcheese asked DCtheGeek answered

What is the point of having double negatives in Azure policy?

I'm trying to make sense of the Microsoft built-in policy for Security Center which verifies the custom subscription owner role, and it has the following as part of its condition.
What is the point of having the code below? Why not just use a single "in" condition instead of "not": "notIn"?

         {
           "not": {
             "field": "Microsoft.Authorization/roleDefinitions/assignableScopes[*]",
             "notIn": [
               "[concat(subscription().id,'/')]",
               "[subscription().id]",
               "/"
             ]
           }
         }
azure-policy

1 Answer

DCtheGeek answered

The complexity around this is the [*] alias, which indicates an array of elements. A simple in comparison requires that all array elements validate true. A not and notIn combination (double negative) can be used for evaluating one or more matches (as opposed to all or none). There's a table in the docs that shows the different combinations of conditions and the scenarios they work with: https://docs.microsoft.com/azure/governance/policy/how-to/author-policies-for-arrays#evaluating-the--alias

Going forward, I would recommend using the count expression for your [*] alias use instead. count gives improved control over the none/some/all scenarios and makes other scenarios possible as well. Additionally, it can evaluate a set of properties on a single alias with different conditions. For more information and examples of count, see: https://docs.microsoft.com/azure/governance/policy/concepts/definition-structure#count

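The difference the answer describes (a plain [*] condition must hold for every element, "not" flips that into "at least one element fails", and "count" makes the none/some/all cases explicit) is easiest to see by running all three forms over a few role definitions. The following is an added example, not code from the question, the answer, or Microsoft's policy engine: a small evaluator that models those documented semantics and applies the question's condition, a single "in" condition, and the equivalent "count" expression to constructed assignableScopes arrays. It assumes the ARM template functions "[subscription().id]" and "[concat(subscription().id,'/')]" have already been resolved to literal strings, that string operators compare case-insensitively (as Azure Policy documents), and that an empty array vacuously satisfies a plain [*] condition; the last point is this toy's assumption and should be checked against the real engine before relying on it.

```python
"""Toy evaluator for Azure Policy conditions on a [*] array alias.

Added example (not the Q&A's or Microsoft's code).  Models the documented
[*] semantics and the "count" expression.  Assumptions: template functions
are pre-resolved to literal scopes, string operators are case-insensitive,
and an empty array vacuously satisfies a plain [*] condition (toy choice).
"""
from typing import Any

ALIAS = "Microsoft.Authorization/roleDefinitions/assignableScopes[*]"

# Constructed sample subscription; "[subscription().id]" etc. resolved by hand.
SUB_ID = "/subscriptions/00000000-0000-0000-0000-000000000000"
SUBSCRIPTION_SCOPES = [SUB_ID + "/", SUB_ID, "/"]

# Constructed role definitions; only assignableScopes matters for this check.
ROLES: dict[str, dict[str, Any]] = {
    "sub-owner": {"assignableScopes": [SUB_ID]},
    "rg-only": {"assignableScopes": [SUB_ID + "/resourceGroups/rg1"]},
    "mixed": {"assignableScopes": [SUB_ID + "/resourceGroups/rg1", "/"]},
    "no-scopes": {"assignableScopes": []},
}

# The three candidate conditions compared on this page.
DOUBLE_NEGATIVE = {"not": {"field": ALIAS, "notIn": SUBSCRIPTION_SCOPES}}
SINGLE_IN = {"field": ALIAS, "in": SUBSCRIPTION_SCOPES}
COUNT_FORM = {
    "count": {"field": ALIAS, "where": {"field": ALIAS, "in": SUBSCRIPTION_SCOPES}},
    "greater": 0,
}


def _norm(v: Any) -> Any:
    # Azure Policy string comparisons are case-insensitive; mirror that here.
    return v.lower() if isinstance(v, str) else v


def _scalar(value: Any, cond: dict) -> bool:
    """Evaluate one operator against a single array element."""
    if "equals" in cond:
        return _norm(value) == _norm(cond["equals"])
    if "notEquals" in cond:
        return _norm(value) != _norm(cond["notEquals"])
    if "in" in cond:
        return _norm(value) in {_norm(x) for x in cond["in"]}
    if "notIn" in cond:
        return _norm(value) not in {_norm(x) for x in cond["notIn"]}
    raise ValueError(f"unsupported operator in {cond}")


def _elements(resource: dict, field: str) -> list:
    """Resolve the [*] alias to its array (only the one alias on this page is modelled)."""
    if field != ALIAS:
        raise ValueError(f"alias not modelled: {field}")
    return list(resource.get("assignableScopes", []))


def _compare_count(n: int, cond: dict) -> bool:
    """Numeric comparison attached to a count expression."""
    if "greater" in cond:
        return n > cond["greater"]
    if "greaterOrEquals" in cond:
        return n >= cond["greaterOrEquals"]
    if "less" in cond:
        return n < cond["less"]
    if "lessOrEquals" in cond:
        return n <= cond["lessOrEquals"]
    if "equals" in cond:
        return n == cond["equals"]
    if "notEquals" in cond:
        return n != cond["notEquals"]
    raise ValueError(f"count needs a numeric comparison: {cond}")


def evaluate(cond: dict, resource: dict) -> bool:
    """Evaluate a policy condition tree against one resource."""
    if "not" in cond:
        return not evaluate(cond["not"], resource)
    if "allOf" in cond:
        return all(evaluate(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource) for c in cond["anyOf"])
    if "count" in cond:
        spec = cond["count"]
        where = spec.get("where")  # per-element filter; None counts everything
        elems = _elements(resource, spec["field"])
        n = sum(1 for e in elems if where is None or _scalar(e, where))
        return _compare_count(n, cond)
    # Plain field condition on a [*] alias: true only if EVERY element passes.
    return all(_scalar(e, cond) for e in _elements(resource, cond["field"]))


def matches(cond: dict, role: str) -> bool:
    return evaluate(cond, ROLES[role])


def compare_forms() -> dict[str, tuple[bool, bool, bool]]:
    """Per role: (not/notIn double negative, count > 0, single in)."""
    return {
        name: (matches(DOUBLE_NEGATIVE, name), matches(COUNT_FORM, name), matches(SINGLE_IN, name))
        for name in ROLES
    }


if __name__ == "__main__":
    for name, (dn, cnt, single) in compare_forms().items():
        print(f"{name:10} not/notIn={dn!s:5} count>0={cnt!s:5} single in={single}")
```

Running it shows why the single "in" form is the wrong tool: for the "mixed" role (one resource-group scope plus "/") the double negative and the count form both flag it, because one assignable scope is the subscription or root, while "in" reports false because not every element is in the list. On the empty array the single "in" form is vacuously true under this toy's semantics while the count form is unambiguously zero, which is one practical reason to prefer count for none/some/all checks.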