How to Troubleshoot Deny Policy Step by Step


Guest zoeylan
Posted

For security or compliance reasons, your subscription administrators might assign policies that limit how resources are deployed. A deny policy is one policy type: it evaluates a resource request against the standards set in a policy definition and fails any request that does not match them. Examples include deny policies that prevent the creation of public IP addresses, network security groups, user-defined routes, or route tables.

Document Reference: Understand how effects work - Azure Policy

This blog post shows how to troubleshoot deny-policy-related issues and how to fix them.

Troubleshoot RequestDisallowedByPolicy errors and non-compliant resources

[Example built-in policy]

Policy Definition Name: Storage accounts should have the specified minimum TLS version

Policy Definition ID: fe83a0eb-a853-422d-aac2-1bffd182c5d0

Scenario 1:

You tried to change the “Minimum TLS version” from “Version 1.2” to “Version 1.1”, but the operation failed.

By checking the error message in the Notifications panel, it’s clear that the update operation failed because it was blocked by a policy (policy ID: fe83a0eb-a853-422d-aac2-1bffd182c5d0).

You can use the name of a policy assignment or policy definition to get more details about the policy that caused the error. Specifically, navigate to the Policy page and locate the policy definition and policy assignment using the ID shown in the error message.

By checking the “if” section of the policy definition and the parameter values set in the policy assignment, you can see that the policy requires a minimum TLS version of 1.2 or higher. That is why it does not allow you to change the value to 1.1.

You can also find the same information in the activity log.

Find the ‘deny’ Policy action and click the failed sub-record.

Double-check that the error code is “RequestDisallowedByPolicy”. Then click JSON to view more details of the failed operation. Searching for “evaluationdetails” takes you to the response body.

Formatting that content gives a clear view of the evaluated expressions, which helps you understand why the deny policy blocked the operation.

Solutions:

  • You can keep the minimum TLS version unchanged (recommended in this example).
  • Remove or disable the policy assignment (need to check with your policy admin).
  • Create a policy exemption (need to check with your policy admin).

Scenario 2:

You want to find out why some resources are shown as non-compliant on the “Compliance” page.

You can check the compliance status of a specific policy either by finding it on the “Compliance” page or through the policy assignment page.

Make sure you select “Non-compliant” in the drop-down list to see the non-compliant resources.

  • Click “Details” to view the compliance details.

  • Scroll down on the compliance details page.

Under “Compliance details” there is one block for each policy alias evaluated by the policy definition. In this case, the policy checks the resource type (equals storage account) and the minimum TLS version. The first block, which checks the resource type, shows as compliant because the current value and the target value match. The second block checks the minimum TLS version: the target value (defined in the policy assignment: 1.2) differs from the current value (the minimum TLS version this storage account currently allows: 1.1).

By checking the configuration for this storage account, we can see that the current minimum TLS version value is 1.1. So, it’s expected that this storage account is shown as a non-compliant resource.
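The following is an added example, not part of the original post: it parses a constructed RequestDisallowedByPolicy response body like the one found in the activity log JSON in Scenario 1 and lists each evaluated alias with its current and target value, the same per-alias view the Compliance details page shows in Scenario 2. The field names follow the standard policy-violation error shape; the assignment name, subscription placeholder and TLS values are made up for this example.

```python
import json

# Constructed sample of the response body recorded in the activity log for a
# denied request. Only the policy definition ID comes from the real built-in.
SAMPLE_ERROR_BODY = json.dumps({"error": {
    "code": "RequestDisallowedByPolicy",
    "additionalInfo": [{"type": "PolicyViolation", "info": {
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0",
        "policyAssignmentId": "/subscriptions/<subscription-id>/providers/Microsoft.Authorization/policyAssignments/<assignment-name>",
        "policyDefinitionEffect": "Deny",
        "evaluationDetails": {"evaluatedExpressions": [
            {"result": "True", "expressionKind": "Field", "expression": "type",
             "path": "type", "expressionValue": "Microsoft.Storage/storageAccounts",
             "targetValue": "Microsoft.Storage/storageAccounts", "operator": "Equals"},
            {"result": "True", "expressionKind": "Field",
             "expression": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
             "path": "properties.minimumTlsVersion", "expressionValue": "TLS1_1",
             "targetValue": "TLS1_2", "operator": "NotEquals"},
        ]}}}]}})


def evaluated_clauses(body):
    """One record per evaluated alias, mirroring the per-alias blocks on the
    compliance details page; "matched" is True when that clause fired."""
    err = json.loads(body)["error"]
    if err.get("code") != "RequestDisallowedByPolicy":
        raise ValueError("not a policy denial: %s" % err.get("code"))
    clauses = []
    for extra in err.get("additionalInfo", []):
        if extra.get("type") != "PolicyViolation":
            continue
        info = extra["info"]
        for e in info["evaluationDetails"]["evaluatedExpressions"]:
            clauses.append({
                "policy_definition": info["policyDefinitionId"].rsplit("/", 1)[-1],
                "effect": info.get("policyDefinitionEffect"), "alias": e["expression"],
                "path": e.get("path"), "current": e.get("expressionValue"),
                "target": e.get("targetValue"), "operator": e.get("operator"),
                "matched": e.get("result") == "True",
            })
    return clauses


def blocking_clauses(clauses):
    """Matched clauses whose current value differs from the target: the settings
    to change (or exempt). The resource-type clause matches by design and drops out."""
    return [c for c in clauses if c["matched"] and c["current"] != c["target"]]
```

Feeding the JSON copied from the activity log into `evaluated_clauses` and then `blocking_clauses` gives you the alias, current value and target value that explain the deny without formatting the raw response by hand.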

Solutions:

  • Manually change the minimum TLS version to Version 1.2 on the storage account.
  • If you want to bring non-compliant resources into line at once with a remediation task, change the policy effect from “deny” to “modify” where possible and then run a remediation task.

 
