Request Disallowed By Policy

Aayush Shah 1 Reputation point
2021-09-11T05:24:23.553+00:00

0

I am following the steps mentioned in this exercise on Microsoft Azure, given the exercise link below:

Azure Developer League: Secure Azure Kubernetes Cluster

I am stuck at the below code.

When I run this code in the azure cloud shell(sandbox), as mentioned in the steps given in that course:

export DATABASE_NAME=contoso-ship-manager-$RANDOM && \  
az cosmosdb create \  
 -n $DATABASE_NAME \  
 -g $RESOURCE_GROUP \  
 --kind MongoDB \  
 --enable-free-tier  

Or this code:

export DATABASE_NAME=contoso-ship-manager-$RANDOM && az cosmosdb create --name $DATABASE_NAME --resource-group $RESOURCE_GROUP --subscription "Concierge Subscription"  

Whenever I run anyone of the above codes, I get this error:

(RequestDisallowedByPolicy) Resource 'contoso-ship-manager-17984' was disallowed by policy. Policy identifiers: '[{"policyAssignment":{"name":"containers-assignment","id":"/providers/Microsoft.Management/managementGroups/eab64c3d-95b6-9f1f-755f-9f8578c31e45/providers/Microsoft.Authorization/policyAssignments/containers-assignment"},"policyDefinition":{"name":"Allowed resource types","id":"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c"},"policySetDefinition":{"name":"containers-initiative","id":"/providers/Microsoft.Management/managementGroups/learn-sandbox-prod/providers/Microsoft.Authorization/policySetDefinitions/containers-initiative"}}]'. Additional Information:Type: PolicyViolation Info: { "policyDefinitionDisplayName": "Allowed resource types", "policySetDefinitionDisplayName": "containers-initiative", "evaluationDetails": { "evaluatedExpressions": [ { "result": "False", "expressionKind": "Field", "expression": "type", "path": "type", "expressionValue": "Microsoft.DocumentDB/databaseAccounts", "targetValue": [ "microsoft.compute/virtualmachinescalesets", "Microsoft.ContainerInstance/containerGroups", "microsoft.containerregistry/registries", "microsoft.containerregistry/registries/replications", "microsoft.containerservice/managedclusters", "microsoft.insights/components", "microsoft.keyvault/vaults", "Microsoft.MachineLearningServices/workspaces", "Microsoft.MachineLearningServices/workspaces/datastores", "microsoft.managedidentity/userassignedidentities", "microsoft.network/applicationgateways", "microsoft.network/dnszones", "Microsoft.Network/dnszones/A", "Microsoft.Network/dnszones/AAA", "Microsoft.Network/dnszones/all", "Microsoft.Network/dnszones/CAA", "Microsoft.Network/dnszones/CNAME", "Microsoft.Network/dnszones/MX", "Microsoft.Network/dnszones/NS", "Microsoft.Network/dnszones/PTR", "Microsoft.Network/dnszones/recordsets", "Microsoft.Network/dnszones/SOA", "Microsoft.Network/dnszones/SRV", "Microsoft.Network/dnszones/TXT", "microsoft.network/loadbalancers", "microsoft.network/networksecuritygroups", "microsoft.network/privatednszones", "microsoft.network/privatednszones/virtualnetworklinks", "microsoft.network/privateendpoints", "microsoft.network/publicipaddresses", "microsoft.network/routetables", "microsoft.network/virtualnetworks", "microsoft.operationsmanagement/solutions", "microsoft.operationalinsights/workspaces", "Microsoft.Storage/storageAccounts", "Microsoft.Storage/storageAccounts/blobServices", "Microsoft.Storage/storageAccounts/fileServices", "Microsoft.Storage/storageAccounts/queueServices", "Microsoft.Storage/storageAccounts/tableServices", "Microsoft.Storage/storageAccounts/blobServices/containers", "Microsoft.Storage/storageAccounts/fileServices/shares", "microsoft.web/connections" ], "operator": "In" } ] }, "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c", "policySetDefinitionId": "/providers/Microsoft.Management/managementGroups/learn-sandbox-prod/providers/Microsoft.Authorization/policySetDefinitions/containers-initiative", "policyDefinitionReferenceId": "allowed-resource-types_1", "policySetDefinitionName": "containers-initiative", "policyDefinitionName": "a08ec900-254a-4555-9bf5-e42af04b5c5c", "policyDefinitionEffect": "deny", "policyAssignmentId": "/providers/Microsoft.Management/managementGroups/eab64c3d-95b6-9f1f-755f-9f8578c31e45/providers/Microsoft.Authorization/policyAssignments/containers-assignment", "policyAssignmentName": "containers-assignment", "policyAssignmentScope": "/providers/Microsoft.Management/managementGroups/eab64c3d-95b6-9f1f-755f-9f8578c31e45" }

I am trying this from last 2 days but again getting same error always. What can I do?

Please help me out.

Any help would be appreciated.

Azure Kubernetes Service (AKS)
Azure Kubernetes Service (AKS)
An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.
1,999 questions
{count} votes

2 answers

Sort by: Most helpful
  1. shiva patpi 13,171 Reputation points Microsoft Employee
    2021-09-13T01:52:02.21+00:00

    Hello @Aayush Shah ,
    It seems there is a policy with name " Allowed resource types " on your subscription at Management Scope level
    The command az cosmosdb create will try to create a resource of type Microsoft.DocumentDB/databaseAccounts .
    As per your policy definition , that particular resource type is not allowed on your subscription , that's the reason for the failure.

    From the detailed error message , if you see the target allowed values are : "targetValue": [ "microsoft.compute/virtualmachinescalesets", "Microsoft.ContainerInstance/containerGroups", "microsoft.containerregistry/registries", "microsoft.containerregistry/registries/replications", "microsoft.containerservice/managedclusters", "microsoft.insights/components", "microsoft.keyvault/vaults", "Microsoft.MachineLearningServices/workspaces", "Microsoft.MachineLearningServices/workspaces/datastores", "microsoft.managedidentity/userassignedidentities", "microsoft.network/applicationgateways", "microsoft.network/dnszones", "Microsoft.Network/dnszones/A", "Microsoft.Network/dnszones/AAA", "Microsoft.Network/dnszones/all", "Microsoft.Network/dnszones/CAA", "Microsoft.Network/dnszones/CNAME", "Microsoft.Network/dnszones/MX", "Microsoft.Network/dnszones/NS", "Microsoft.Network/dnszones/PTR", "Microsoft.Network/dnszones/recordsets", "Microsoft.Network/dnszones/SOA", "Microsoft.Network/dnszones/SRV", "Microsoft.Network/dnszones/TXT", "microsoft.network/loadbalancers", "microsoft.network/networksecuritygroups", "microsoft.network/privatednszones", "microsoft.network/privatednszones/virtualnetworklinks", "microsoft.network/privateendpoints", "microsoft.network/publicipaddresses", "microsoft.network/routetables", "microsoft.network/virtualnetworks", "microsoft.operationsmanagement/solutions", "microsoft.operationalinsights/workspaces", "Microsoft.Storage/storageAccounts", "Microsoft.Storage/storageAccounts/blobServices", "Microsoft.Storage/storageAccounts/fileServices", "Microsoft.Storage/storageAccounts/queueServices", "Microsoft.Storage/storageAccounts/tableServices", "Microsoft.Storage/storageAccounts/blobServices/containers", "Microsoft.Storage/storageAccounts/fileServices/shares", "microsoft.web/connections"]

    In the above list Microsoft.DocumentDB/databaseAccounts is not an allowed value.

    To mitigate this:-
    Your Subscription admin might have set a policy that disallows the creation of Microsoft.DocumentDB/databaseAccounts resources. So ask your Admin to add that resource type in the list of allowed types in that particular Policy definition.

    In the Azure Portal -> Go to Policy -> Definitions -> Search for the name of the policy (i.e. Allowed Resource types)

    More details about the policy error message can be found at : https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/error-policy-requestdisallowedbypolicy#solution

    Basics of Azure Policy: https://learn.microsoft.com/en-us/azure/governance/policy/overview

    Let us know if you have additional questions.

    Regards,
    Shiva.


  2. Sangram Rath 6 Reputation points
    2021-09-30T17:20:20.653+00:00

    For anyone with this issue what worked for me was to:

    • Wait until the sandbox expires
    • Sign out and sing in to the challenge in an incognito / private window
    • Request sandbox and verify permissions again
    0 comments No comments