Currently:

All Built In policies to set the DNS config on private DNS e.g. https://github.com/Azure/azure-policy/blob/e8fff400e6eee3502c3f3b4e7ac8301870aeac3f/built-in-policies/policyDefinitions/Storage/StoragePrivateDnsZoneGroup_Blob.json https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_PrivateZoneGroup_DINE.json would be greatly enhanced if we put the evaluationDelay to AfterProvisioningSuccess.

Since the evaluationDelay is 10 min by default, creating a private Endpoint demands Application Teams to wait for 10min before they can actually use them, respectively before the private IP is resolvable by DNS.

This is especially painful if the Application Team uses CI/CD pipelines. They currently need to build weird workarounds such as scripts in their pipeline, local provisioner (scripts) in tf or deployment scripts in Bicep only to wait for this default evaluationDelay to be reached.

Another issue arises if the creation of the private Endpoint needs more than 10min. For example on a busy day at lunchtime with a just created CosmosDB. Since this can take more than 10min (I've seen up to 12min) but the default 10min delay starts counting on private endpoint deployment, this would cause the PolicyDeployment failing with "Resource Not Ready".

Solution:

Both issues are easily resolved by setting "EvaluationDelay":"AfterProvisioningSuccess" within the deployment. e.g.

{
  "properties": {
    ...
    "policyRule": {
      ...
      "then": {
        ...
        "details": {
          ...
          "EvaluationDelay":"AfterProvisioningSuccess",
          "deployment": {
            ...
          }
        }
      }
    }
  }
}