erwinstaal asked SwathiDhanwada-MSFT commented

Not getting the excludedActions on an Azure Blueprint to work

Hi all,

I'm deploying a Blueprint that contains a Recovery Services Vault. That Blueprint gets the read-only lock. Now I want others, who are contributors on the particular resource group, to be able to still add a machine to that Recovery Services Vault. I therefore added the following action to the list of excludedActions on the blueprint: 'Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write' like so:

     "locks": { 
       "mode": "AllResourcesReadOnly", 
       "excludedActions": [ 
         "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write" 
       ] 
     } 

I however still get the error message saying that the deny assignment is blocking me from doing that. Nor do I see the above action in the deny assignment on the resource group as an exclusion.

Redacted error:

The client ‘<me>’ with object id '' has permission to perform action 'Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/write' on scope '/subscriptions/<sub>/resourcegroups/<group>/providers/Microsoft.RecoveryServices/vaults/<VaultName>/backupFabrics/Azure/protectionContainers/<item>/protectedItems/<item>’; however, the access is denied because of the deny assignment with name 'Deny assignment ‘<assignmentId>’ created by Blueprint Assignment '/providers/Microsoft.Management/managementGroups/<group>/providers/Microsoft.Blueprint/blueprintAssignments/<sub>-LockedBlueprintAssignment'.' and Id ‘<assignmentId>’ at scope '/subscriptions/<subId>/resourceGroups/<group>/providers/Microsoft.RecoveryServices/vaults/<vaultName>’.

azure-policy azure-blueprints
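A way to check offline whether a deny assignment, exported as JSON, would still block the action from the question. This is an added example, not part of the original post; the sample assignment is constructed, and it assumes that a blueprint's excludedActions surface as `notActions` on the deny assignment and that action strings compare case-insensitively.

```python
import json
import re

# Constructed sample in the shape of an Azure deny assignment (placeholder values).
SAMPLE = {"properties": {"permissions": [
    {"actions": ["*"], "notActions": ["*/read"]},
]}}

# Action from the question's excludedActions, and its casing in the error text.
CONFIGURED = ("Microsoft.RecoveryServices/Vaults/backupFabrics/"
              "protectionContainers/protectedItems/write")
REPORTED = ("Microsoft.RecoveryServices/vaults/backupFabrics/"
            "protectionContainers/protectedItems/write")


def matches(action, patterns):
    """Wildcard match; assumes action strings compare case-insensitively."""
    for pattern in patterns:
        rx = ".*".join(re.escape(part) for part in pattern.split("*"))
        if re.fullmatch(rx, action, re.IGNORECASE):
            return True
    return False


def is_denied(deny_assignment, action):
    """True if a permission block denies the action and does not exclude it."""
    for perm in deny_assignment["properties"]["permissions"]:
        if matches(action, perm.get("actions", [])) and not matches(
                action, perm.get("notActions", [])):
            return True
    return False


def with_exclusions(deny_assignment, excluded_actions):
    """Copy with excluded_actions appended to every notActions list.
    Assumption: this is where a blueprint's excludedActions should appear."""
    clone = json.loads(json.dumps(deny_assignment))
    for perm in clone["properties"]["permissions"]:
        perm["notActions"] = perm.get("notActions", []) + list(excluded_actions)
    return clone


if __name__ == "__main__":
    print("without exclusion:", is_denied(SAMPLE, REPORTED))
    print("with exclusion:   ", is_denied(with_exclusions(SAMPLE, [CONFIGURED]), REPORTED))
```

Running `is_denied` against the real deny assignment's JSON shows whether the exclusion ever reached the assignment, independent of any propagation delay on the client side.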

@erwinstaal Welcome to Microsoft Q & A Community Forum. Are you still being prompted with the issue? Also, can you please let me know if you have waited for 30 min to test if the lock is working or not? Sometimes, due to cache you may have been prompted with an error. Kindly check and revert if you have further questions.


@erwinstaal Did you get a chance to check my previous comment? Kindly revert if you are still facing the issue.


0 Answers