Azure Policy deny not working as expected

Igor Levin 1 Reputation point
2022-01-04T12:39:55.367+00:00

Hello,

I've created an Azure policy to deny the creation of a VM under some conditions.

This is the policy:
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Compute/virtualMachines"
        },
        {
          "field": "tags[managed_by]",
          "notEquals": "terraform"
        },
        {
          "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
          "equals": "[parameters('operatingSystems')]"
        },
        {
          "field": "[concat('tags[', parameters('requiredTagName'), ']')]",
          "in": "[parameters('requiredTagValues')]"
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {
    "tagName": {
      "type": "String",
      "metadata": {
        "displayName": "Tag Name",
        "description": "Name of the tag to tag if conditions apply"
      }
    },
    "operatingSystems": {
      "type": "String",
      "metadata": {
        "displayName": "Operating Systems",
        "description": "The operating systems that the policy should apply on"
      },
      "allowedValues": [
        "Windows",
        "Linux"
      ]
    },
    "requiredTagName": {
      "type": "String",
      "metadata": {
        "displayName": "Required Tag Name",
        "description": "Name of the required tag to check on the resource"
      }
    },
    "requiredTagValues": {
      "type": "Array",
      "metadata": {
        "displayName": "Required Tags Values",
        "description": "The required tag values to check if the required tag name also exist"
      },
      "defaultValue": []
    }
  }
}

When I try to create a VM that matches the conditions of the policy above, the VM is created, and only then does the policy start to deny things like tag changes, size changes, identity activation, etc.

But when I use the following policy, which only checks for the tag and then denies, it works.

The policy:
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Compute/virtualMachines"
        },
        {
          "field": "[concat('tags[', parameters('tagName'), ']')]",
          "equals": ""
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {
    "tagName": {
      "type": "String",
      "metadata": {
        "displayName": "Tag Name",
        "description": "Name of the tag to check for policy compliance"
      }
    }
  }
}

This policy indeed denies the creation of a VM when it does not have the specified tag or the tag is empty.

Can someone help explain why the second policy, which only checks tags, denies the creation of a VM (as expected), but the first policy (which has the same tag check plus its other conditions) does not deny the creation of the VM and only denies changes after the VM has been created?


1 answer

  1. AnuragSingh-MSFT 21,546 Reputation points Moderator
    2022-01-05T11:24:05.7+00:00

    Hi @Igor Levin

    Welcome to Microsoft Q&A! Thanks for posting the question.

    It usually takes about 30 minutes for the policy to be fully effective after its assignment. During this time, the policy may not function properly (it might function partially or may not be in effect at all). Could you retest the effect after about 30 minutes of policy assignment? You may refer to this Q&A thread for a similar issue.

    ---
    Edit: 01/17/2022

    The reason the "deny" effect does not work with Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType is as follows:

    > This property is not added to the VM creation request but is auto-populated after the VM has been created. You can verify the absence of this property in the request in the Portal by clicking on "Download a template for automation" on the "Review + create" page. Therefore, when the request is submitted, the policy does not deny the VM creation, as this property is not present in the request against which the evaluation is done (create mode). After the VM has been created, during the next policy evaluation, the VM is put in a non-compliant state because the property is available now. Here are more details of this behavior: Optional or auto-generated resource property that bypasses policy evaluation.

    Please let me know if you have any question.

    ---
    Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.
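The behaviour described in the answer above, as an added example that is not part of the original thread and is not Azure Policy's own evaluator. It is a deliberately simplified model (an assumption): only the `equals`, `notEquals` and `in` conditions are implemented, the alias-to-path table is hand-written, and a property that is absent from the body counts as "not equal" and "not in". The two resource bodies are constructed samples standing in for the "Download a template for automation" output (the PUT request) and for the resource as read back after creation. The `imageReference.publisher` alias name in the second rule is an assumption used only to contrast a field that is present at create time; it is not something the thread states.

```python
"""Simulate Azure Policy field evaluation on a create request vs. the created VM.

Added example for this Q&A thread, not code from the page or from Azure Policy.
Simplified model (assumption): only equals/notEquals/in, a hand-written alias
table, and an absent property evaluates as "not equal" / "not in".
"""
from typing import Any

# Alias -> JSON path in the resource body. The second alias name is an assumption
# used to illustrate a field that IS present in the create request; confirm real
# alias names with: az provider show --namespace Microsoft.Compute --expand resourceTypes/aliases
ALIASES = {
    "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType":
        ("properties", "storageProfile", "osDisk", "osType"),
    "Microsoft.Compute/virtualMachines/storageProfile.imageReference.publisher":
        ("properties", "storageProfile", "imageReference", "publisher"),
}
MISSING = object()  # sentinel: the field does not exist in this body


def resolve_field(resource: dict, field: str) -> Any:
    """Return the value a policy `field` refers to, or MISSING if absent."""
    if field == "type":
        return resource.get("type", MISSING)
    if field.startswith("tags[") and field.endswith("]"):
        return resource.get("tags", {}).get(field[5:-1], MISSING)
    path = ALIASES.get(field)
    if path is None:
        raise ValueError(f"unknown field alias: {field}")
    node: Any = resource
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return MISSING
        node = node[key]
    return node


def eval_condition(resource: dict, cond: dict) -> bool:
    """Evaluate one condition; an absent field only satisfies the negated form."""
    value = resolve_field(resource, cond["field"])
    if "equals" in cond:
        return value is not MISSING and value == cond["equals"]
    if "notEquals" in cond:
        return value is MISSING or value != cond["notEquals"]
    if "in" in cond:
        return value is not MISSING and value in cond["in"]
    raise ValueError(f"unsupported condition: {cond}")


def rule_matches(resource: dict, policy_rule: dict) -> bool:
    """True when every allOf condition holds, i.e. the deny effect would fire."""
    return all(eval_condition(resource, c) for c in policy_rule["if"]["allOf"])


def make_rule(os_condition: dict) -> dict:
    """The question's first policy with parameters substituted; OS check varies."""
    return {"if": {"allOf": [
                {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
                {"field": "tags[managed_by]", "notEquals": "terraform"},
                os_condition,
                {"field": "tags[environment]", "in": ["prod", "staging"]}]},
            "then": {"effect": "deny"}}


OSTYPE_RULE = make_rule({"field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                         "equals": "Linux"})
PUBLISHER_RULE = make_rule({"field": "Microsoft.Compute/virtualMachines/storageProfile.imageReference.publisher",
                            "equals": "Canonical"})

# Constructed PUT body: the image is chosen, but osDisk.osType is not sent by the caller.
CREATE_REQUEST = {
    "type": "Microsoft.Compute/virtualMachines",
    "tags": {"managed_by": "portal", "environment": "prod"},
    "properties": {"storageProfile": {
        "imageReference": {"publisher": "Canonical", "offer": "0001-com-ubuntu-server-focal",
                           "sku": "20_04-lts", "version": "latest"},
        "osDisk": {"createOption": "FromImage"}}},
}
# Constructed GET body after creation: the platform has filled in osType.
CREATED_RESOURCE = {
    **CREATE_REQUEST,
    "properties": {"storageProfile": {
        **CREATE_REQUEST["properties"]["storageProfile"],
        "osDisk": {"createOption": "FromImage", "osType": "Linux"}}},
}


def evaluate() -> dict:
    """Outcome per rule at create time and at the next compliance scan."""
    return {name: {"denied at create": rule_matches(CREATE_REQUEST, rule),
                   "non-compliant after create": rule_matches(CREATED_RESOURCE, rule)}
            for name, rule in (("osType rule", OSTYPE_RULE), ("imageReference rule", PUBLISHER_RULE))}


if __name__ == "__main__":
    for name, outcome in evaluate().items():
        print(name, outcome)
```

Running it shows the osType rule failing to match the create request (the VM is created) and matching the stored resource afterwards (non-compliant, and later PATCH requests carrying the full body are denied), while a rule keyed on a field the caller actually sends matches at create time. Before relying on any field in a deny policy, diff it against the real request body from "Download a template for automation" rather than against the resource as read back after creation.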

