Details of the scenario you tried and the problem that is occurring
The built-in policy "[Preview]: Configure Recovery Services vaults to use private DNS zones for backup" (af783da1-4ad1-42be-800d-d19c70038820) does not consider the vault location/region.
Due to the fact that the privatelink zone is in the form "privatelink.{regionCode}.backup.windowsazure.com", rather than "{regionCode}.privatelink.backup.windowsazure.com", when assigning the policy the zone parameter needs to be region-specific, but the policy might get wrongly applied to a backup vault in the wrong region.
Furthermore, if the private endpoint gets created in a different region than the vault (unlikely but possible), the problem won't be resolvable through a location parameter, as policy will evaluate the PE region, not the vault region.
In the example below, the policy assignment uses "privatelink.we.backup.windowsazure.com", but the vault is created in North Europe, causing the issue.
Verbose logs showing the problem
Suggested solution to the issue
Implement a location parameter to at enable correct behavior for the scenario where the PE and the vault are in the same region.
If policy is Guest Configuration - details about target node
Details of the scenario you tried and the problem that is occurring
The built-in policy "[Preview]: Configure Recovery Services vaults to use private DNS zones for backup" (af783da1-4ad1-42be-800d-d19c70038820) does not consider the vault location/region. Due to the fact that the privatelink zone is in the form "privatelink.{regionCode}.backup.windowsazure.com", rather than "{regionCode}.privatelink.backup.windowsazure.com", when assigning the policy the zone parameter needs to be region-specific, but the policy might get wrongly applied to a backup vault in the wrong region.
Furthermore, if the private endpoint gets created in a different region than the vault (unlikely but possible), the problem won't be resolvable through a location parameter, as policy will evaluate the PE region, not the vault region.
In the example below, the policy assignment uses "privatelink.we.backup.windowsazure.com", but the vault is created in North Europe, causing the issue.
Verbose logs showing the problem
Suggested solution to the issue
Implement a location parameter to at enable correct behavior for the scenario where the PE and the vault are in the same region.
If policy is Guest Configuration - details about target node