Azure policy - "deny" subscription creation if certain tags are not set
Question
I have created the azure policy below but I am still able to create new subscriptions. The same if conditions are used in an Azure BuiltIn definition that modifies-adds tags to subscriptions. Any hints?
{
"mode": "All",
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions"
},
{
"field": "[concat('tags[', parameters('tagName'), ']')]",
"exists": "false"
}
]
},
"then": {
"effect": "deny"
}
},
"parameters": {
"tagName": {
"type": "String",
"defaultValue": "CostCenter"
}
}
}
1 answers
solution1
0 2022-02-07 17:56:55
Just got an answer from Microsoft Support. It seems this is the current design that applies only to subscriptions being created from the portal. If the subscription is deployed programatically, the policy does its job.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
Related Question
Azure Policy Not Denying Route Creation
Azure custom policy for require tags for resource groups with valid value set using terraform
How to disable rate limit policy based on the azure subscription in Azure APIM
Azure Policy - Deny New Network interfaces in vnets that doesn't have an specific tag
How to set Connection Policy for Azure SQL Server
How to check if any required tags are blank Azure Policy
unable to apply json deny policy using gcloud
AWS Policy deny access on all production resources
Kubernetes network policy deny-all policy not blocking basic communication
How to create an exlusion list for certain rules based on RequestUri on the Azure WAF policy associated with Azure Application Gateway?
Related Tags