Showing posts from March, 2020

Think before using "deny" in your Azure policy

Azure policies are a great way to provide governance for your Azure subscription and ensure that you are compliant with the standards you have set up for your organisation. The reason I titled this post "Think before using deny in your Azure policy" is that it is very important to understand the evaluation process Azure Policy uses. The order of evaluation is as follows (extract from Microsoft):

- Disabled is checked first to determine if the policy rule should be evaluated.
- Append and Modify are then evaluated. Since either could alter the request, a change made may prevent an audit or deny effect from triggering.
- Deny is then evaluated. By evaluating deny before audit, double logging of an undesired resource is prevented.
- Audit is then evaluated before the request going to the Resource Provider.

You can see that "Deny" is above "Audit", so if you were to retrospectively apply policies on your subscription then you will need to e