---
title: Azure Policy definitions denyAction effect
description: Azure Policy definitions denyAction effect determines how compliance is managed and reported.
ms.date: 04/17/2024
ms.topic: conceptual
---
The `denyAction` effect is used to block requests based on the intended action to resources at scale. The only supported action today is `DELETE`. This effect and action name help prevent accidental deletion of critical resources.
When a request with an applicable action name and targeted scope is submitted, `denyAction` prevents the request from succeeding. The request is returned as a `403 (Forbidden)`. In the portal, the `Forbidden` status can be viewed as a deployment status that was prevented by the policy assignment.
`Microsoft.Authorization/policyAssignments`, `Microsoft.Authorization/denyAssignments`, `Microsoft.Blueprint/blueprintAssignments`, `Microsoft.Resources/deploymentStacks`, `Microsoft.Resources/subscriptions`, and `Microsoft.Authorization/locks` are all exempt from `denyAction` enforcement to prevent lockout scenarios.
Policy doesn't block removal of resources that happens during a subscription deletion.

Policy evaluates resources that support location and tags against `denyAction` policies during a resource group deletion. Only policies that have `cascadeBehaviors` set to `deny` in the policy rule block a resource group deletion. Policy doesn't block removal of resources that don't support location and tags, and a policy with `mode: all` doesn't block a resource group deletion at all.
Cascade deletion occurs when deleting a parent resource implicitly deletes all of its child and extension resources. Policy doesn't block removal of child and extension resources when a delete action targets the parent resource. For example, `Microsoft.Insights/diagnosticSettings` is an extension resource of `Microsoft.Storage/storageAccounts`. If a `denyAction` policy targets `Microsoft.Insights/diagnosticSettings`, a delete call to the diagnostic setting (extension) fails, but a delete to the storage account (parent) implicitly deletes the diagnostic setting (extension) without being blocked.
[!INCLUDE azure-policy-deny-action]
The `details` property of the `denyAction` effect has all the subproperties that define the action and behaviors.

- `actionNames` (required)
  - An array that specifies what actions to prevent from being executed.
  - Supported action names are: `delete`.
- `cascadeBehaviors` (optional)
  - An object that defines which behavior is followed when a resource is implicitly deleted because its resource group is removed.
  - Only supported in policy definitions with `mode` set to `indexed`.
  - Allowed values are `allow` or `deny`.
  - Default value is `deny`.
Example: Deny any delete calls targeting database accounts that have a tag `environment` that equals `prod`. Since cascade behavior is set to `deny`, block any `DELETE` call that targets a resource group with an applicable database account.
```json
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.DocumentDb/accounts"
      },
      {
        "field": "tags.environment",
        "equals": "prod"
      }
    ]
  },
  "then": {
    "effect": "denyAction",
    "details": {
      "actionNames": [
        "delete"
      ],
      "cascadeBehaviors": {
        "resourceGroup": "deny"
      }
    }
  }
}
```
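The rules above (the exempt types, the resource group cascade that only `indexed` policies with `cascadeBehaviors` set to `deny` trigger, and the parent/extension cascade that is never blocked) interact in ways that are easy to get wrong when deciding whether a given `DELETE` will be stopped. The following is an added example that is not part of this article and not Azure's evaluation engine: a small Python model of those rules, run against a constructed inventory and both the example definition above and a second definition targeting `Microsoft.Insights/diagnosticSettings` from the cascade discussion. The `Resource` type, the inventory, the `evaluate_delete` function and its 200/403 return codes are assumptions made for the example; only the `equals`, `notEquals`, `allOf`, `anyOf` and `not` operators are modelled.

```python
"""Offline model of how a denyAction policy decides a DELETE request.

Added illustration, not Azure's evaluation engine: it encodes the behaviour
the article describes so the edge cases can be tried against a constructed
inventory. Resource, INVENTORY and evaluate_delete are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

# The article's example definition, wrapped with the `indexed` mode that
# cascadeBehaviors requires.
PROD_DB_POLICY = {
    "mode": "indexed",
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.DocumentDb/accounts"},
            {"field": "tags.environment", "equals": "prod"},
        ]},
        "then": {"effect": "denyAction", "details": {
            "actionNames": ["delete"],
            "cascadeBehaviors": {"resourceGroup": "deny"},
        }},
    },
}

# Assumed second definition for the parent/extension cascade example.
DIAG_SETTINGS_POLICY = {
    "mode": "all",
    "policyRule": {
        "if": {"field": "type", "equals": "Microsoft.Insights/diagnosticSettings"},
        "then": {"effect": "denyAction", "details": {"actionNames": ["delete"]}},
    },
}

# Types the article lists as exempt from denyAction to prevent lockout.
EXEMPT_TYPES = {
    "Microsoft.Authorization/policyAssignments",
    "Microsoft.Authorization/denyAssignments",
    "Microsoft.Blueprint/blueprintAssignments",
    "Microsoft.Resources/deploymentStacks",
    "Microsoft.Resources/subscriptions",
    "Microsoft.Authorization/locks",
}


@dataclass
class Resource:
    """Assumed minimal resource shape for the model."""
    id: str
    type: str
    resource_group: str
    tags: dict = field(default_factory=dict)
    parent_id: Optional[str] = None          # set for child/extension resources
    supports_location_and_tags: bool = True  # False excludes it from RG cascade


def _field(resource, name):
    if name == "type":
        return resource.type
    if name.startswith("tags."):
        return resource.tags.get(name[len("tags."):])
    raise ValueError(f"field alias not modelled: {name}")


def _matches(cond, resource):
    """Evaluate the policy `if` block; string compares are case-insensitive."""
    if "allOf" in cond:
        return all(_matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not _matches(cond["not"], resource)
    fold = lambda v: v.lower() if isinstance(v, str) else v
    value = fold(_field(resource, cond["field"]))
    if "equals" in cond:
        return value == fold(cond["equals"])
    if "notEquals" in cond:
        return value != fold(cond["notEquals"])
    raise ValueError(f"operator not modelled: {cond}")


def _denies_delete(policy, resource):
    rule = policy["policyRule"]
    then = rule["then"]
    if then.get("effect", "").lower() != "denyaction":
        return False
    names = {n.lower() for n in then["details"]["actionNames"]}
    return "delete" in names and _matches(rule["if"], resource)


def evaluate_delete(target_id, inventory, policies):
    """Decide a DELETE of `target_id` (a resource id or a resource group name).
    Returns (http_status, reason)."""
    by_id = {r.id: r for r in inventory}
    if target_id in by_id:
        target = by_id[target_id]
        if target.type in EXEMPT_TYPES:
            return 200, "exempt resource type"
        for p in policies:
            if _denies_delete(p, target):
                return 403, f"denyAction on {target.type}"
        # Children/extensions go with the parent and are never evaluated.
        cascaded = [r.id for r in inventory if r.parent_id == target_id]
        return 200, f"allowed; cascades to {cascaded}"
    # Resource group deletion: only indexed-mode policies whose resourceGroup
    # cascade behaviour is deny (the default) block it, and only via
    # resources that support location and tags.
    for r in inventory:
        if r.resource_group != target_id or not r.supports_location_and_tags:
            continue
        for p in policies:
            if p.get("mode", "").lower() != "indexed":
                continue
            cascade = p["policyRule"]["then"]["details"].get("cascadeBehaviors", {})
            if cascade.get("resourceGroup", "deny").lower() != "deny":
                continue
            if _denies_delete(p, r):
                return 403, f"resource group holds protected {r.type}"
    return 200, "resource group delete allowed"


# Constructed inventory for the example (not real Azure resources).
INVENTORY = [
    Resource("/rg-prod/db1", "Microsoft.DocumentDb/accounts", "rg-prod", {"environment": "prod"}),
    Resource("/rg-dev/db2", "Microsoft.DocumentDb/accounts", "rg-dev", {"environment": "dev"}),
    Resource("/rg-dev/sa1", "Microsoft.Storage/storageAccounts", "rg-dev"),
    Resource("/rg-dev/sa1/diag", "Microsoft.Insights/diagnosticSettings", "rg-dev",
             parent_id="/rg-dev/sa1", supports_location_and_tags=False),
    Resource("/rg-prod/lock", "Microsoft.Authorization/locks", "rg-prod"),
]
POLICIES = [PROD_DB_POLICY, DIAG_SETTINGS_POLICY]

if __name__ == "__main__":
    for t in ["/rg-prod/db1", "/rg-dev/db2", "/rg-dev/sa1/diag", "/rg-dev/sa1",
              "rg-prod", "rg-dev", "/rg-prod/lock"]:
        print(t, *evaluate_delete(t, INVENTORY, POLICIES))
```

Running it shows the cases the article calls out: the prod database account and a direct delete of the diagnostic setting are refused, deleting the storage account succeeds and takes the diagnostic setting with it, `rg-prod` is blocked only because it holds a matching `indexed`-mode resource, and the lock is untouched because its type is exempt.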
- Review examples at Azure Policy samples.
- Review the Azure Policy definition structure.
- Understand how to programmatically create policies.
- Learn how to get compliance data.
- Learn how to remediate non-compliant resources.
- Review Azure management groups.