Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
836 questions
Policy Auditing but not Denying
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 80%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESW%3C/text%3E%3C/svg%3E)
Shane walford
6
Reputation points
Hi,
I am trying to apply the below policy in deny mode but deny does not work. In audit mode it audits as expected, and when set to deny it still audits correctly, but it does not prevent me from adding rules that do not contain the list of IP addresses. These are test IPs currently. I want to provide a list of IPs that users can add to NSGs but deny any that are not listed. I have tried using "sourceAddressPrefixes" but this does not work either.
{
"mode": "All",
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/networkSecurityGroups"
},
{
"count": {
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
"where": {
"allOf": [
{
"anyof": [
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix",
"notIn": [
"10.10.10.1",
"10.23.10.1",
"10.25.10.1"
]
}
]
}
]
}
},
"greater": 0
}
]
},
"then": {
"effect": "deny"
}
},
"parameters": {}
}
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 39%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
SwathiDhanwada-MSFT 18,556 Reputation points2022-04-11T04:18:25.577+00:00 @Shane walford Thanks for your question. I am looking into it and will revert to you soon.
Sign in to comment