Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
2,944 questions
Azure storage Firewall restrictions policy prevents policy deployments at configuration level
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(9.6, 24%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
Riyas
1
Reputation point
Hello All,
I have created 6 azure storage related policies in my subscriptions
Policy 1 - Restrict VNET
Policy 2 - Restrict Public IP
Policy 3 - Deny Public IP access
Policy 4 - Enforce TLS 1_2
Policy 5 - Enforce sas expiry
policy 6 - Enforce access key rotation
If Policy 2 ( restrict Public IP) or policy 3 (Deny Public IP access) is enabled , none of policies (Policy 4, policy 5, policy 6)related to policy deployment configuration changes in storage account is happening.
I removed the policy 3 (Deny Public IP access) but it did not help.
I allowed my IP address in Policy 2 (restrict Public IP) assignment, and added in allowed network in storage account, but still the policy deployment to make changes in configuration fails.
Code
InvalidTemplateDeployment
Message
The template deployment failed because of policy violation. Please see details for more information.
Code
RequestDisallowedByPolicy
Message
Resource 'strtmpdec4ts1' was disallowed by policy. Policy identifiers: '[{"policyAssignment":{"name":"Custom storage Firewall restrictions","id":"/subscriptions/xxxxxxxxxxxxxxxxxxxxx/providers/Microsoft.Authorization/policyAssignments/ac9edf09aaf94d9eb68cda50"},"policyDefinition":{"name":"Custom storage Firewall restrictions","id":"/subscriptions/xxxxxxxxxxxxxxxxxxxxx/providers/Microsoft.Authorization/policyDefinitions/4c97f52f-2615-4e40-b105-d5a1c2c6e9a3"}}]'.
I couldn't identify why firewall restrictions policy not allowing other policy changes in storage account.
Could you guys please assist to understand the behavior.
{count} votes
-
deherman-MSFT 35,636 Reputation points Microsoft Employee2021-12-10T20:38:31.887+00:00 @Riyas We have some prebuilt policies which perform these actions. Could you compare these policies to yours to see if there are some differences? If you are still facing issues let us know and we can work directly with you to investigate.
https://learn.microsoft.com/en-us/azure/storage/common/policy-reference#microsoftstorage
-
Riyas 1 Reputation point
2021-12-11T12:46:18.39+00:00 I have gone through these links already but it did not help.
I am trying to do 'DeployIfNotexists' policy to enforce SAS interval, access policy key rotation, and TLS1_2 on storage accounts configuration.
You can reproduce the issue by following steps:
- Create a 'deployifnotexists' policy to enforce TLS1_2 on Storage accounts. Currently, there is no Inbuilt policy for this so you need to create one.
- Ensure policy '[Preview]: Storage account public access should be disallowed' (Inbuilt) is not assigned with 'Deny' effect. You can either have no assignments or keep the policy is 'Audit' effect.
- Now create a storage account with TLS1_1.
- By logic, the deployIfnotexists should do policy deployment and make the TLS version to TLS1_2 which works fine.
- Now set the Inbuilt policy ''[Preview]: Storage account public access should be disallowed" to 'Deny' effect to disable public access to storage account.
- Now again create a storage account with TLS1_1.
- The policy to enforce TLS1_2 will not happen here.
Please check the steps shared and let me know If you still need additional information. If we can work together please let me know the date and time (in UTC).
Any inputs are highly appreciated. -
Jesse Loudon 336 Reputation points MVP2022-02-05T23:53:41.183+00:00 hey @Riyas
I'm curious about 2 pieces of info for this case:
- After step 6 are you seeing any errors/events in the Azure Activity Log of the new Storage Account. Anything which would give further info on a conflict or an error to help further troubleshooting the TLS1_2 policy enforcement not occurring?
- After step 6, what happens if you run a manual remediation task for the non-compliant Storage Account? Does that work or is there an error we can see for further info?
Thanks
Sign in to comment