Open aquibchiniwala opened 1 year ago
Indeed, I confirm the same behavior. The built-in policies for Azure SQL related to Active Directory authentication or administrators only kick in at resource creation, but not when the resource is modified.
Thanks, Roman
Azure Policy with Deny effect doesn't prevent modification/update of resources against the policy.
Scenario: I applied the built-in policy "Azure SQL Database should have Azure Active Directory Only Authentication enabled".
While creating a new SQL server with Azure Active Directory "Disabled", the policy prevents me from creating the resource, but when I update an existing SQL server with the Azure Active Directory property from "Enabled" to "Disabled", it allows me to do so.
Any idea why policy evaluation is not done while updating the resource?
Thank you