Pelayar ini tidak lagi disokong.
Naik taraf kepada Microsoft Edge untuk memanfaatkan ciri, kemas kini keselamatan dan sokongan teknikal yang terkini.
The denyAction effect is used to block requests based on intended action to resources at scale. The only supported action today is DELETE. This effect and action name helps prevent any accidental deletion of critical resources.
When a request call with an applicable action name and targeted scope is submitted, denyAction prevents the request from succeeding. The request is returned as a 403 (Forbidden). In the portal, the Forbidden can be viewed as a deployment status that was prevented by the policy assignment.
Microsoft.Authorization/policyAssignments, Microsoft.Authorization/denyAssignments, Microsoft.Blueprint/blueprintAssignments, Microsoft.Resources/deploymentStacks, Microsoft.Resources/subscriptions, and Microsoft.Authorization/locks are all exempt from denyAction enforcement to prevent lockout scenarios.
Policy doesn't block removal of resources that happens during a subscription deletion.
Policy evaluates resources that support location and tags against denyAction policies during a resource group deletion. Only policies that have the cascadeBehaviors set to deny in the policy rule block a resource group deletion. Policy doesn't block removal of resources that don't support location and tags nor any policy with mode:all.
Cascade deletion occurs when deleting of a parent resource is implicitly deletes all its child and extension resources. Policy doesn't block removal of child and extension resources when a delete action targets the parent resources. For example, Microsoft.Insights/diagnosticSettings is an extension resource of Microsoft.Storage/storageaccounts. If a denyAction policy targets Microsoft.Insights/diagnosticSettings, a delete call to the diagnostic setting (child) fails, but a delete to the storage account (parent) implicitly deletes the diagnostic setting (extension).
This table describes if a resource is protected from deletion given the resource applicable to the assigned denyAction policy and the targeted scope of the DELETE call. In the context of this table, an indexed resource is one that supports tags and locations and a non-indexed resource is one that doesn't support tags or locations. For more information on indexed and non-indexed resources, go to definition mode. Child resources are resources that exist only within the context of another resource. For example, a virtual machines extension resource is a child of the virtual machine, which is the parent resource.
| Entity being deleted | Entity applicable to policy conditions | Action taken |
|---|---|---|
| Resource | Resource | Protected |
| Subscription | Resource | Deleted |
| Resource group | Indexed resource | Depends on cascadeBehaviors |
| Resource group | Non indexed resource | Deleted |
| Child resource | Parent resource | Parent is protected; child is deleted |
| Parent resource | Child resource | Deleted |
The details property of the denyAction effect has all the subproperties that define the action and behaviors.
actionNames (required)
delete.cascadeBehaviors (optional)
indexed.allow or deny.deny.Example: Deny any delete calls targeting database accounts that have a tag environment that equals prod. Since cascade behavior is set to deny, block any DELETE call that targets a resource group with an applicable database account.
{
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.DocumentDb/accounts"
},
{
"field": "tags.environment",
"equals": "prod"
}
]
},
"then": {
"effect": "denyAction",
"details": {
"actionNames": [
"delete"
],
"cascadeBehaviors": {
"resourceGroup": "deny"
}
}
}
}
Latihan
Modul
Azure Policy initiatives - Training
Azure Policy initiatives are a collection of Azure policy definitions that are grouped together toward a specific goal or purpose. By consolidating multiple Azure policies into a single item, Azure Policy initiatives allow centralized control and enforcement of configurations across Azure resources.
Dokumentasi
Azure Policy definitions audit effect - Azure Policy
Azure Policy definitions audit effect determines how compliance is managed and reported.
Azure Policy definitions disabled effect - Azure Policy
Azure Policy definitions disabled effect determines how compliance is managed and reported.
Azure Policy definitions effect basics - Azure Policy
Azure Policy definitions effect basics determine how compliance is managed and reported.