VM backup with deny effect

Manickam 1 Reputation point
2020-10-02T14:15:51.543+00:00

Trying to implement a policy:
while creating a VM, backup should be enabled, else deny.
After publishing this, it is not allowing the creation of any new VM.
I'd like to check if we can have this policy with the deny effect.

Appreciate your response.

Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.

1 answer

  1. olufemia-MSFT 2,861 Reputation points
    2020-10-02T23:02:19.95+00:00

    Hello @Manickam ,

    AFAIK, the outcome you described is expected since the deny effect prevents the 'create' request from ever getting to the Compute Resource Provider.
    I recommend using the DeployIfNotExists effect for your scenario. This effect will not block the creation but flags it as non-compliant and queues it up for remediation. Also, DeployIfNotExists allows you to enable the appropriate recovery/backup setting once the newly created VM is marked as non-compliant.
    Below is a sample DINE policy that evaluates SQL Server databases to determine if transparentDataEncryption is enabled. If not, then a deployment to enable it is executed.
    Use this as a sample to build your VM policy. Ping if you have any follow-up questions.

    [Image: 29778-jsondine.png]

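The DeployIfNotExists approach recommended in the answer, applied to the VM backup scenario from the question, as an added example (not the sample from the answer and not a built-in policy). The parameter names `vaultName` and `backupPolicyId` are hypothetical, `{roleGUID}` is a placeholder for the role the remediation identity needs, the `apiVersion` is an assumption, and the vault is assumed to sit in the same resource group and region as the VM.

```json
{
  "properties": {
    "displayName": "Constructed example: back up new VMs to an existing vault",
    "description": "Added illustration, not a built-in policy. Assumes the vault is in the VM's resource group and region.",
    "mode": "Indexed",
    "parameters": {
      "vaultName": { "type": "String", "metadata": { "description": "Hypothetical parameter: name of an existing Recovery Services vault" } },
      "backupPolicyId": { "type": "String", "metadata": { "description": "Hypothetical parameter: resource ID of a backup policy in that vault" } }
    },
    "policyRule": {
      "if": { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.RecoveryServices/backupprotecteditems",
          "roleDefinitionIds": [ "/providers/Microsoft.Authorization/roleDefinitions/{roleGUID}" ],
          "deployment": { "properties": {
            "mode": "incremental",
            "parameters": {
              "vaultName": { "value": "[parameters('vaultName')]" },
              "backupPolicyId": { "value": "[parameters('backupPolicyId')]" },
              "vmName": { "value": "[field('name')]" },
              "vmRgName": { "value": "[resourceGroup().name]" },
              "vmId": { "value": "[field('id')]" }
            },
            "template": {
              "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "parameters": {
                "vaultName": { "type": "string" }, "backupPolicyId": { "type": "string" },
                "vmName": { "type": "string" }, "vmRgName": { "type": "string" }, "vmId": { "type": "string" }
              },
              "resources": [ {
                "type": "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems",
                "apiVersion": "2016-06-01",
                "name": "[concat(parameters('vaultName'), '/Azure/iaasvmcontainer;iaasvmcontainerv2;', parameters('vmRgName'), ';', parameters('vmName'), '/vm;iaasvmcontainerv2;', parameters('vmRgName'), ';', parameters('vmName'))]",
                "properties": {
                  "protectedItemType": "Microsoft.Compute/virtualMachines",
                  "policyId": "[parameters('backupPolicyId')]",
                  "sourceResourceId": "[parameters('vmId')]"
                }
              } ]
            }
          } }
        }
      }
    }
  }
}
```

The VM create request succeeds under this rule; the existence check for a `backupprotecteditems` resource runs afterwards, and the deployment enables protection only where none is found.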