Recently, I ran into a problem with Azure Policy while implementing an “Allowed Locations” policy to ensure that resources are deployed only in approved regions. The policy is similar to the built-in definition listed on AzAdvertizer.net, but we maintain our own custom copy so that we can make our own modifications.

The Problem:

Our custom policy, configured with the “All” mode, was unexpectedly blocking the creation of new Key Vault access policies.

The “Aha!” Moment:

After some investigation, we compared our custom policy with the built-in Azure Policy definition for “Allowed locations.” The built-in definition, written specifically for this purpose, uses the “Indexed” mode rather than “All.” That one difference turned out to be the root cause.

A Key Vault access policy is a child resource (Microsoft.KeyVault/vaults/accessPolicies) with no location property of its own. “Indexed” mode evaluates only resource types that support tags and location, so the built-in policy never looks at access policies at all. “All” mode evaluates every resource type, so our policy was applied to the access policy, its location condition was evaluated against a resource that has no location, and the deny effect fired. The result was that we could not create new access policies on any of our Key Vaults.

Indexed Mode to the Rescue:

We updated our custom policy to use “Indexed” mode, and creating Key Vault access policies started working again immediately. A quick way to confirm which mode a definition actually has is az policy definition show --name <definition-name> --query mode.
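To make the difference between the two modes concrete, here is a small, simplified model of the evaluation described in the last two sections. It is an added illustration written for this post, not the Azure Policy engine and not our actual policy definition. The rule mirrors the shape of the built-in “Allowed locations” rule; the list of location-less resource types, the sample resources, the allowed regions and the parameter handling are constructed for the example, and the rule that a notIn condition on a field the resource lacks evaluates as true is an assumption that matches the behaviour we observed.

```python
"""
Simplified model of how Azure Policy's `mode` decides which resources a
definition is evaluated against. Added example for this post; not the
Azure Policy engine and not the author's real definition.
"""

# Resource types that expose neither `location` nor `tags`. In Indexed mode
# Azure Policy skips such types; in All mode it evaluates them anyway.
# (Constructed, illustrative list; not exhaustive.)
TYPES_WITHOUT_LOCATION = {
    "Microsoft.KeyVault/vaults/accessPolicies",
    "Microsoft.Authorization/roleAssignments",
    "Microsoft.Authorization/locks",
}

# Rule shaped like the built-in "Allowed locations" policy rule.
ALLOWED_LOCATIONS_RULE = {
    "if": {
        "allOf": [
            {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
            {"field": "location", "notEquals": "global"},
        ]
    },
    "then": {"effect": "deny"},
}


def make_definition(mode, allowed_locations):
    """Build a definition. `parameters` holds the assigned values directly
    (simplification: real definitions declare parameter types and take the
    values from the assignment)."""
    return {
        "mode": mode,
        "parameters": {"listOfAllowedLocations": list(allowed_locations)},
        "policyRule": ALLOWED_LOCATIONS_RULE,
    }


def _resolve(value, params):
    """Resolve a "[parameters('name')]" reference to its assigned value."""
    prefix, suffix = "[parameters('", "')]"
    if isinstance(value, str) and value.startswith(prefix) and value.endswith(suffix):
        return params[value[len(prefix):-len(suffix)]]
    return value


def _condition(cond, resource, params):
    field_value = resource.get(cond["field"])  # None when the field is absent
    if "notIn" in cond:
        # Assumption: a missing field is "not in" any list, so the condition
        # is true for a resource that has no location at all.
        return field_value not in _resolve(cond["notIn"], params)
    if "notEquals" in cond:
        return field_value != _resolve(cond["notEquals"], params)
    if "in" in cond:
        return field_value in _resolve(cond["in"], params)
    if "equals" in cond:
        return field_value == _resolve(cond["equals"], params)
    raise ValueError(f"unsupported condition: {cond}")


def _matches(expr, resource, params):
    if "allOf" in expr:
        return all(_matches(e, resource, params) for e in expr["allOf"])
    if "anyOf" in expr:
        return any(_matches(e, resource, params) for e in expr["anyOf"])
    if "not" in expr:
        return not _matches(expr["not"], resource, params)
    return _condition(expr, resource, params)


def evaluate(definition, resource):
    """Return 'deny', 'allow', or 'skipped' (resource type not evaluated)."""
    if definition["mode"].lower() == "indexed" and resource["type"] in TYPES_WITHOUT_LOCATION:
        return "skipped"
    rule, params = definition["policyRule"], definition["parameters"]
    if _matches(rule["if"], resource, params):
        return rule["then"]["effect"].lower()
    return "allow"


# Constructed sample resources: two storage accounts, a Key Vault access
# policy (no location), and a global Traffic Manager profile.
SAMPLE_RESOURCES = [
    {"name": "stgwesteurope", "type": "Microsoft.Storage/storageAccounts", "location": "westeurope"},
    {"name": "stgeastus", "type": "Microsoft.Storage/storageAccounts", "location": "eastus"},
    {"name": "kvprod-accesspolicy", "type": "Microsoft.KeyVault/vaults/accessPolicies"},
    {"name": "tm-global", "type": "Microsoft.Network/trafficManagerProfiles", "location": "global"},
]


def compare_modes(allowed_locations=("westeurope", "northeurope")):
    """Evaluate every sample resource under both modes of the same rule."""
    return {
        res["name"]: {mode: evaluate(make_definition(mode, allowed_locations), res)
                      for mode in ("All", "Indexed")}
        for res in SAMPLE_RESOURCES
    }


if __name__ == "__main__":
    for name, outcome in compare_modes().items():
        print(f"{name:22s} All={outcome['All']:8s} Indexed={outcome['Indexed']}")
```

Running it shows the storage account in eastus denied under both modes, as intended, while the access policy is denied only under All and skipped entirely under Indexed, which is exactly the failure we saw and the fix that resolved it.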

Lessons Learned:

  • Mode Matters: Choosing the right mode is crucial for Azure Policy effectiveness. “Indexed” evaluates only resource types that support tags and location; “All” evaluates every resource type, including child resources such as Key Vault access policies that have no location property. For a location or tag policy, “Indexed” is normally the right choice, and the mode is easy to get wrong when you copy a definition, because the portal creates definitions in “All” mode by default. Refer to the official Microsoft documentation for detailed guidance.
  • Learn from Built-in Policies: The built-in Azure Policy definitions are valuable references. They show the mode, conditions and exclusions that Microsoft found necessary for common scenarios, and they are worth diffing against your own custom copy whenever one misbehaves.

Conclusion:

Azure Policy is a powerful tool, but a thorough understanding of its features, including something as small as the definition mode, is essential. A bit of extra research and careful planning can save you from significant problems down the line.

I hope this blog post resonates with you!