Azure Policy to Deny Creation of All Resources


In this article, I will show you how to prevent the creation of all resources in Azure. You may be thinking, “Why on Earth or any other planet would anyone want to do that”? Good question! While working on a tenant migration, I was given the task of freezing the creation of new resources in the legacy environment until the migration was complete. Here’s how I accomplished that task using Azure Policy.

There are a number of built-in policies within Azure. I found two that were close to what I needed: Allowed resource types and Not allowed resource types. As you may have guessed, the “Allowed resource types” policy allows you to specify which resource types are allowed, and the “Not allowed resource types” policy lets you specify which resource types cannot be created. The “Not allowed” policy is better suited to what I was trying to accomplish; however, a limitation is that you have to select resource types individually from a list of hundreds, and there is no option to select all. Obviously that won’t work, as my patience is not unlimited. As a result, I decided to duplicate the policy and make a small change to its definition JSON.

Here’s how to duplicate the policy. In the Azure Portal, search for Policy. After you select Policy, click on Definitions in the sidebar under Authoring.

policy definitions

On the Definitions page, search for the “Not allowed resource types” policy, click the ellipsis next to the policy and select “Duplicate definition”. This is where you will make the necessary changes to the default policy definition.

duplicate

As you can see, the policy has a parameter that lets you specify which resource types to deny. Since we’ll be denying all resources in this case, the parameter isn’t needed.

originaldefinition

The edited definition, shown below, applies a deny effect to any resource whose type matches “Microsoft.*”. After making the change and filling in the other options (location, name, category), save the new policy definition. I named this policy “Deny all resource types”.

new definition
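The edited definition in full, written out here as an added example rather than copied from the article’s screenshot; the displayName, description and mode values are assumptions, and the rule is the “Not allowed resource types” rule with its parameter replaced by a `like` match on the type field:

```json
{
  "properties": {
    "displayName": "Deny all resource types",
    "description": "Denies creation or update of any resource whose type matches Microsoft.* (assumed description).",
    "mode": "All",
    "parameters": {},
    "policyRule": {
      "if": {
        "field": "type",
        "like": "Microsoft.*"
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

Mode "All" is an assumption here: it also evaluates resource types that do not support location or tags, which "Indexed" skips. Deny is evaluated on update requests as well as creates, so matching changes to existing resources within the assigned scope are blocked too.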

The final step is to assign the policy. Click the ellipsis next to the new deny-all policy definition and select Assign.

assign policy

Now that the policy is assigned, any attempt to create a resource will get denied, as the following example shows.

resourcedenied
