azure policy APPEND effect

testuser7 271 Reputation points


If I create one Azure-policy with Append effect, we know that it is used to add additional fields to the requested resource during creation or update.
A common example is specifying allowed IPs for a storage resource.

Similarly deployIfNotExists or modify effect will create a new resource or create a new TAG if it is missing respectively.
The doc says that this thing happens with the help of Managed Identity which has necessary RBAC permissions.

However, append does NOT require such Managed Identity help.
So my question is, how does append effect-policy add value for the resource-property without such managed identity ??


Azure Policy
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
817 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. SwathiDhanwada-MSFT 18,211 Reputation points

    @testuser7 Before Modify effect was introduced, append effect is used for adding properties that came as a request into arm. When a policy definition using the Append or Modify effect is run as part of an evaluation cycle, it doesn't make changes to resources that already exist. Instead, it marks any resource that meets the if condition as non-compliant. So, Append or Modify effect, both are evaluated before the request gets processed by a Resource Provider during the creation or updating of a resource. This does not require Managed Identity as the request gets automatically processed during creation or updating of a resource.

    However, modify effect type need the ability to deploy resources and edit tags on existing resources respectively. So, it requires managed identity to do so.