
Appending customer managed keys to a storage account using Azure Policy

I need to enforce that when a user creates a storage account in Azure, it gets appended with customer managed keys. Platform managed keys are prohibited from being used by storage accounts. Below is the policy that was created. Although the policy is successfully deployed, the storage accounts that we create after the policy deployment do not get the customer managed key details that are defined inside the Azure policy appended, even after 2 hours. When we try adding a customer managed key, it instead throws an error saying: "Policies attempted to append some fields which already exist in the request with different values. Fields: 'Microsoft.Storage/storageAccounts/encryption.KeySource'. Policy identifiers:'[{"policyAssignment":{"name":"Encryption settings to Storage Account for customer-provided key","id":"funRulerg-mj/providers/Microsoft.Authorization/policyAssignments/" Can someone please help me understand why, in spite of the "append" effect, the policy is not appending the customer managed keys to the storage account. And the error clearly says that the policy is already in effect, due to which it does not allow adding any customer managed key to the storage accounts either.

{
    "properties": {
        "displayName": "Append encryption settings to Storage Account for customer-provided key",
        "description": "If customer-provided key isn't configured, append encryption settings to Storage Account using customer-provided key",
        "mode": "all",
        "parameters": {
            "keyvaulturi": {
                "type": "String",
                "metadata": {
                    "description": "Uri location of the Key Vault to use for Storage Service Encryption"
                }
            },
            "keyname": {
                "type": "String",
                "metadata": {
                    "description": "Name of the Key to use for Storage Service Encryption"
                }
            }
        },
        "policyRule": {
            "if": {
                "allof": [
                    {
                        "field": "type",
                        "equals": "Microsoft.Storage/storageAccounts"
                    },
                    {
                        "field": "Microsoft.Storage/storageAccounts/encryption.KeySource",
                        "equals": "Microsoft.Storage"
                    }
                ]
            },
            "then": {
                "effect": "append",
                "details": [
                    {
                        "field": "Microsoft.Storage/storageAccounts/encryption.KeySource",
                        "value": "Microsoft.Keyvault"
                    },
                    {
                        "field": "Microsoft.Storage/storageAccounts/encryption.keyvaultproperties.keyvaulturi",
                        "value": "[parameters('keyvaulturi')]"
                    },
                    {
                        "field": "Microsoft.Storage/storageAccounts/encryption.keyvaultproperties.keyname",
                        "value": "[parameters('keyname')]"
                    }
                ]
            }
        }
    }
}

The field "Microsoft.Storage/storageAccounts/encryption.KeySource" is set to "Microsoft.Storage", and according to https://rjygraham.com/posts/azure-policy-append-as-gentler-deny.html, "Append evaluates before the request gets processed by a Resource Provider during the creation or updating of a resource. Append adds fields to the resource when the if condition of the policy rule is met. If the append effect would override a value in the original request with a different value, then it acts as a deny effect and rejects the request". In the "details", the policy is trying to change the value of the field "Microsoft.Storage/storageAccounts/encryption.KeySource" to "Microsoft.Keyvault"; this might be the issue.
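To make the answer's point concrete, here is an added Python simulation of the quoted append semantics run against the question's rule; it is not code from the question, the answer or Azure. It assumes a simplified alias mapping (the resource-type prefix is stripped and property names are compared case-insensitively), and the Key Vault URI and key name are placeholder values standing in for the policy parameters.

```python
import json
# Constructed copy of the question's rule with its parameters already resolved (placeholder values).
POLICY = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"field": "Microsoft.Storage/storageAccounts/encryption.KeySource", "equals": "Microsoft.Storage"}]},
    "then": {"effect": "append", "details": [
        {"field": "Microsoft.Storage/storageAccounts/encryption.KeySource", "value": "Microsoft.Keyvault"},
        {"field": "Microsoft.Storage/storageAccounts/encryption.keyvaultproperties.keyvaulturi", "value": "https://example-kv.vault.azure.net/"},
        {"field": "Microsoft.Storage/storageAccounts/encryption.keyvaultproperties.keyname", "value": "cmk1"}]}}

def _path(alias):  # 'Microsoft.Storage/storageAccounts/encryption.KeySource' -> ['encryption', 'keysource']
    return alias.rsplit("/", 1)[1].lower().split(".")

def _get(obj, keys):  # case-insensitive lookup (ARM property names are not case-sensitive); None if absent
    for k in keys:
        obj = next((v for kk, v in obj.items() if kk.lower() == k), None) if isinstance(obj, dict) else None
    return obj

def _matches(cond, request):  # only the 'allOf' and 'equals' forms this rule uses are modelled
    if "allOf" in cond:
        return all(_matches(c, request) for c in cond["allOf"])
    actual = request.get("type") if cond["field"] == "type" else _get(request.get("properties", {}), _path(cond["field"]))
    return actual is not None and str(actual).lower() == cond["equals"].lower()

def evaluate_append(policy, request):
    """Quoted append semantics: add missing fields; a field already present with a different value makes it a deny."""
    if not _matches(policy["if"], request):
        return "allow", request  # rule not applicable, request passes through untouched
    out = json.loads(json.dumps(request))
    for d in policy["then"]["details"]:
        keys, existing = _path(d["field"]), _get(out["properties"], _path(d["field"]))
        if existing is None:
            node = out["properties"]
            for k in keys[:-1]:
                node = node.setdefault(k, {})  # sample requests use lowercase keys, so plain setdefault suffices
            node[keys[-1]] = d["value"]
        elif str(existing).lower() != str(d["value"]).lower():
            return "deny", request  # the conflict behind the error message quoted in the question
    return "allow", out

def conflicting_fields(policy):
    """Static lint: fields the 'if' block requires to equal X while 'details' appends Y != X (rule can never append)."""
    required = {c["field"].lower(): c["equals"].lower() for c in policy["if"]["allOf"]}
    return [d["field"] for d in policy["then"]["details"]
            if required.get(d["field"].lower()) not in (None, str(d["value"]).lower())]

# Constructed sample requests: platform-managed keys (what the rule targets) and a customer-managed key.
PLATFORM_KEY_REQUEST = {"type": "Microsoft.Storage/storageAccounts", "properties": {"encryption": {"keySource": "Microsoft.Storage"}}}
CMK_REQUEST = {"type": "Microsoft.Storage/storageAccounts", "properties": {"encryption": {"keySource": "Microsoft.Keyvault"}}}
```

In this model a request that explicitly asks for Microsoft.Storage is denied, a request that already uses Microsoft.Keyvault is left alone, and a request that omits the key source does not satisfy the equals condition, so nothing is ever appended; conflicting_fields flags the KeySource field as the reason.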

© 2020-2024 STACKOOM.COM