Request Disallowed By Policy

Aayush Shah 1 Reputation point
2021-09-11T05:24:23.553+00:00


I am following the steps mentioned in this exercise on Microsoft Azure, given the exercise link below:

Azure Developer League: Secure Azure Kubernetes Cluster

I am stuck at the below code.

When I run this code in the Azure Cloud Shell (sandbox), as mentioned in the steps given in that course:

```bash
# Trailing whitespace after the backslashes (from the copied page) broke the line
# continuation; the command below is the same one with that removed.
export DATABASE_NAME=contoso-ship-manager-$RANDOM && \
az cosmosdb create \
  -n $DATABASE_NAME \
  -g $RESOURCE_GROUP \
  --kind MongoDB \
  --enable-free-tier
```

Or this code:

```bash
export DATABASE_NAME=contoso-ship-manager-$RANDOM && az cosmosdb create --name $DATABASE_NAME --resource-group $RESOURCE_GROUP --subscription "Concierge Subscription"
```

Whenever I run any one of the above commands, I get this error:

```text
(RequestDisallowedByPolicy) Resource 'contoso-ship-manager-17984' was disallowed by policy. Policy identifiers: '[{"policyAssignment":{"name":"containers-assignment","id":"/providers/Microsoft.Management/managementGroups/eab64c3d-95b6-9f1f-755f-9f8578c31e45/providers/Microsoft.Authorization/policyAssignments/containers-assignment"},"policyDefinition":{"name":"Allowed resource types","id":"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c"},"policySetDefinition":{"name":"containers-initiative","id":"/providers/Microsoft.Management/managementGroups/learn-sandbox-prod/providers/Microsoft.Authorization/policySetDefinitions/containers-initiative"}}]'. Additional Information:Type: PolicyViolation Info: { "policyDefinitionDisplayName": "Allowed resource types", "policySetDefinitionDisplayName": "containers-initiative", "evaluationDetails": { "evaluatedExpressions": [ { "result": "False", "expressionKind": "Field", "expression": "type", "path": "type", "expressionValue": "Microsoft.DocumentDB/databaseAccounts", "targetValue": [ "microsoft.compute/virtualmachinescalesets", "Microsoft.ContainerInstance/containerGroups", "microsoft.containerregistry/registries", "microsoft.containerregistry/registries/replications", "microsoft.containerservice/managedclusters", "microsoft.insights/components", "microsoft.keyvault/vaults", "Microsoft.MachineLearningServices/workspaces", "Microsoft.MachineLearningServices/workspaces/datastores", "microsoft.managedidentity/userassignedidentities", "microsoft.network/applicationgateways", "microsoft.network/dnszones", "Microsoft.Network/dnszones/A", "Microsoft.Network/dnszones/AAA", "Microsoft.Network/dnszones/all", "Microsoft.Network/dnszones/CAA", "Microsoft.Network/dnszones/CNAME", "Microsoft.Network/dnszones/MX", "Microsoft.Network/dnszones/NS", "Microsoft.Network/dnszones/PTR", "Microsoft.Network/dnszones/recordsets", "Microsoft.Network/dnszones/SOA", "Microsoft.Network/dnszones/SRV", "Microsoft.Network/dnszones/TXT", "microsoft.network/loadbalancers", "microsoft.network/networksecuritygroups", "microsoft.network/privatednszones", "microsoft.network/privatednszones/virtualnetworklinks", "microsoft.network/privateendpoints", "microsoft.network/publicipaddresses", "microsoft.network/routetables", "microsoft.network/virtualnetworks", "microsoft.operationsmanagement/solutions", "microsoft.operationalinsights/workspaces", "Microsoft.Storage/storageAccounts", "Microsoft.Storage/storageAccounts/blobServices", "Microsoft.Storage/storageAccounts/fileServices", "Microsoft.Storage/storageAccounts/queueServices", "Microsoft.Storage/storageAccounts/tableServices", "Microsoft.Storage/storageAccounts/blobServices/containers", "Microsoft.Storage/storageAccounts/fileServices/shares", "microsoft.web/connections" ], "operator": "In" } ] }, "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c", "policySetDefinitionId": "/providers/Microsoft.Management/managementGroups/learn-sandbox-prod/providers/Microsoft.Authorization/policySetDefinitions/containers-initiative", "policyDefinitionReferenceId": "allowed-resource-types_1", "policySetDefinitionName": "containers-initiative", "policyDefinitionName": "a08ec900-254a-4555-9bf5-e42af04b5c5c", "policyDefinitionEffect": "deny", "policyAssignmentId": "/providers/Microsoft.Management/managementGroups/eab64c3d-95b6-9f1f-755f-9f8578c31e45/providers/Microsoft.Authorization/policyAssignments/containers-assignment", "policyAssignmentName": "containers-assignment", "policyAssignmentScope": "/providers/Microsoft.Management/managementGroups/eab64c3d-95b6-9f1f-755f-9f8578c31e45" }
```

I have been trying this for the last 2 days but keep getting the same error. What can I do?

Please help me out.

Any help would be appreciated.


2 answers

  1. Sangram Rath 6 Reputation points
    2021-09-30T17:20:20.653+00:00

    For anyone with this issue what worked for me was to:

    • Wait until the sandbox expires
    • Sign out and sign in to the challenge in an incognito / private window
    • Request sandbox and verify permissions again

  2. shiva patpi 13,376 Reputation points Microsoft Employee Moderator
    2021-09-13T01:52:02.21+00:00

    Hello @Aayush Shah,
    It seems there is a policy with the name "Allowed resource types" on your subscription at the Management Group scope level.
    The command az cosmosdb create will try to create a resource of type Microsoft.DocumentDB/databaseAccounts.
    As per your policy definition, that particular resource type is not allowed on your subscription; that's the reason for the failure.

    From the detailed error message, you can see that the target allowed values are: "targetValue": [ "microsoft.compute/virtualmachinescalesets", "Microsoft.ContainerInstance/containerGroups", "microsoft.containerregistry/registries", "microsoft.containerregistry/registries/replications", "microsoft.containerservice/managedclusters", "microsoft.insights/components", "microsoft.keyvault/vaults", "Microsoft.MachineLearningServices/workspaces", "Microsoft.MachineLearningServices/workspaces/datastores", "microsoft.managedidentity/userassignedidentities", "microsoft.network/applicationgateways", "microsoft.network/dnszones", "Microsoft.Network/dnszones/A", "Microsoft.Network/dnszones/AAA", "Microsoft.Network/dnszones/all", "Microsoft.Network/dnszones/CAA", "Microsoft.Network/dnszones/CNAME", "Microsoft.Network/dnszones/MX", "Microsoft.Network/dnszones/NS", "Microsoft.Network/dnszones/PTR", "Microsoft.Network/dnszones/recordsets", "Microsoft.Network/dnszones/SOA", "Microsoft.Network/dnszones/SRV", "Microsoft.Network/dnszones/TXT", "microsoft.network/loadbalancers", "microsoft.network/networksecuritygroups", "microsoft.network/privatednszones", "microsoft.network/privatednszones/virtualnetworklinks", "microsoft.network/privateendpoints", "microsoft.network/publicipaddresses", "microsoft.network/routetables", "microsoft.network/virtualnetworks", "microsoft.operationsmanagement/solutions", "microsoft.operationalinsights/workspaces", "Microsoft.Storage/storageAccounts", "Microsoft.Storage/storageAccounts/blobServices", "Microsoft.Storage/storageAccounts/fileServices", "Microsoft.Storage/storageAccounts/queueServices", "Microsoft.Storage/storageAccounts/tableServices", "Microsoft.Storage/storageAccounts/blobServices/containers", "Microsoft.Storage/storageAccounts/fileServices/shares", "microsoft.web/connections"]

    In the above list Microsoft.DocumentDB/databaseAccounts is not an allowed value.

    To mitigate this:
    Your subscription admin might have set a policy that disallows the creation of Microsoft.DocumentDB/databaseAccounts resources. So ask your admin to add that resource type to the list of allowed types in that particular policy definition.

    In the Azure Portal -> Go to Policy -> Definitions -> Search for the name of the policy (i.e. Allowed resource types)

    More details about the policy error message can be found at: https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/error-policy-requestdisallowedbypolicy#solution

    Basics of Azure Policy: https://learn.microsoft.com/en-us/azure/governance/policy/overview

    Let us know if you have additional questions.

    Regards,
    Shiva.
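The answer above reads the `Info:` JSON by eye to find the denied type and the allowed list. The following added triage helper (not code from the question, the answer, or Microsoft) does the same mechanically: it splits the `Info:` payload out of a raw RequestDisallowedByPolicy message, picks the failed expression, and checks a resource type against the policy's `In` list the way Azure Resource Manager compares type names, case-insensitively. The sample error text is constructed and shortened, and its management group id is a placeholder.

```python
import json

# Constructed sample modelled on the error in the question: same structure, a
# trimmed "targetValue" list, and a placeholder management group id.
SAMPLE_ERROR = (
    "(RequestDisallowedByPolicy) Resource 'contoso-ship-manager-12345' was "
    "disallowed by policy. Additional Information:Type: PolicyViolation Info: "
    + json.dumps({
        "policyDefinitionDisplayName": "Allowed resource types",
        "evaluationDetails": {"evaluatedExpressions": [{
            "result": "False", "expressionKind": "Field", "expression": "type",
            "path": "type", "expressionValue": "Microsoft.DocumentDB/databaseAccounts",
            "targetValue": ["microsoft.containerservice/managedclusters",
                            "microsoft.keyvault/vaults",
                            "Microsoft.Storage/storageAccounts"],
            "operator": "In"}]},
        "policyDefinitionEffect": "deny",
        "policyAssignmentName": "containers-assignment",
        "policyAssignmentScope": "/providers/Microsoft.Management/managementGroups/<mg-id>",
    })
)


def extract_info(raw_error):
    """Return the parsed 'Info:' JSON that ARM appends to the policy error."""
    _, _, payload = raw_error.partition("Info: ")
    if not payload:
        raise ValueError("no 'Info:' payload in error text")
    return json.loads(payload)


def parse_policy_violation(raw_error):
    """Summarise which field was evaluated, what value was denied, and by whom."""
    info = extract_info(raw_error)
    failed = [e for e in info["evaluationDetails"]["evaluatedExpressions"]
              if e.get("result") == "False"]
    if not failed:
        raise ValueError("no failed expression; not a deny evaluation")
    expr = failed[0]
    return {
        "policy": info["policyDefinitionDisplayName"],
        "effect": info["policyDefinitionEffect"],
        "field": expr["path"],
        "denied_value": expr["expressionValue"],
        "allowed": expr["targetValue"],
        "assignment": info["policyAssignmentName"],
        "scope": info["policyAssignmentScope"],
    }


def is_type_allowed(resource_type, allowed):
    # ARM resource type names are case-insensitive, and the policy's own list
    # mixes cases, so normalise both sides before the membership test.
    return resource_type.lower() in {t.lower() for t in allowed}
```

The `scope` value tells you which management group the assignment lives at, which is where the admin mentioned in the answer has to change the allowed list.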

