Azure / Enterprise-Scale

The Azure Landing Zones (Enterprise-Scale) architecture provides prescriptive guidance coupled with Azure best practices, and it follows design principles across the critical design areas for organizations to define their Azure architecture
https://aka.ms/alz
MIT License

Bug Report - when a new resource is created this policy (definition es deploy asc security contacts) doesn't trigger a remediation as expected #997

Open bsabri2023 opened 2 years ago

bsabri2023 commented 2 years ago

I have a problem with using this policy definition (es deploy asc security contacts). The problem is that when a new resource is created, the policy doesn't trigger a remediation as expected. It only works if I create a remediation task, and that will remediate the existing resources but not new resources. Could you please advise me on how to fix this problem?

krowlandson commented 2 years ago

Thank you for logging this issue @bahramsabri.

As this is relating to the behaviour of the policy, I'm going to move this issue to our Azure/Enterprise-scale repository where we will get this correctly triaged and investigated.

In the meantime, it would be useful to know how soon after new resources are created are you trying to run the remediation? The reason I ask is because policy can take some time to evaluate compliance and perform remediation. To better understand the evaluation cycle for Azure Policy, please refer to the documentation for evaluation triggers which should explain more around how long certain triggers can take to update the system.

To rule this out, would you mind running an on-demand evaluation scan to see whether this helps? This can also take some time to complete, so please give the system some time to complete each step.

If you have any other information you can share to assist with our investigation that would also be greatly appreciated.

bsabri2023 commented 2 years ago

@krowlandson By default the remediation kicks in 10 minutes after resource deployment. Do you think this on-demand evaluation scan will help us fix the issue we have with this policy?

krowlandson commented 2 years ago

As this policy triggers based on actions relating to a subscription, I think you need to allow at least 30 minutes for remediation to start automatically, as per:

A subscription (resource type Microsoft.Resources/subscriptions) is created or moved within a management group hierarchy with an assigned policy definition targeting the subscription resource type. Evaluation of the subscription supported effects (audit, auditIfNotExist, deployIfNotExists, modify), logging, and any remediation actions takes around 30 minutes.

For a new subscription being created, or for an existing subscription being associated with a management group where this policy is assigned, I would expect the remediation to take place within the above timeframes.

Have you tried waiting this long (i.e. 30 minutes or more)?

Also, you have been referring to "resource deployment" in your messages. Are you able to clarify which resource types you are deploying when you expect this policy to apply?

bsabri2023 commented 2 years ago

@krowlandson Yes, I have tried waiting 30 minutes and even more, and the resource type is microsoft.resources/subscriptions. The policy works on existing resources: it reports 1 non-compliant resource and 28 compliant resources, and if I create a new remediation task using Terraform, the policy will fix the non-compliant resource. The problem is that when a new subscription and resources are created, the policy doesn't trigger a remediation as expected.

jtracey93 commented 2 years ago

Trigger ADO Sync 1

jtracey93 commented 2 years ago

Trigger ADO Sync 2