Azure policies are a great way to provide governance for your Azure subscription to ensure that you are compliant to the standards that you have set up for your organisation. The reason why I titled the post as "Think before using deny in your azure policy" is that it is very important understand the evaluation process Azure policies uses. The order of the evaluation is as following; (Extract from Microsoft) Disabled is checked first to determine if the policy rule should be evaluated. Append and Modify are then evaluated. Since either could alter the request, a change made may prevent an audit or deny effect from triggering. Deny is then evaluated. By evaluating deny before audit, double logging of an undesired resource is prevented. Audit is then evaluated before the request going to the Resource Provider. You can see that "Deny" is above "Audit" so if you was retrospectively apply policies on your subscription then you will need to e