@Ted, thank you for posting this question.
The policy shared in the question would work to show that an App Service is non-compliant after updating the TLS version to anything <1.2. I tested it in my subscription and the resource is shown as non-compliant after the next policy evaluation.
However, this policy does not deny the update of the resource because of the difference in the ARM template of how the request gets submitted for update vs. the actual resource ARM template generated from the portal. If developer tools are used in the Edge browser (using F12) and the request is examined for the update of "minTlsVersion", it would be noticed that the request to update the TLS version follows the ARM template as mentioned here - Microsoft.Web sites ARM template. In this case, the "minTlsVersion" field is part of "siteConfig" under the resource of type "Microsoft.Web/sites".
As the policy definition does not check for "type"="Microsoft.Web/sites" AND "field['Microsoft.Web/sites/siteConfig/minTlsVersion']="1.2", the ARM does not block the resource update.
This is a known issue and is also documented here - Nonstandard update pattern through Azure Portal.
Hope this helps.
If the answer did not help, please add more context/follow-up question for it, and we will help you out. Else, if the answer helped, please click Accept answer so that it can help others in the community looking for help on similar topics.
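The following policy definition is an added example illustrating the point made in the answer above; it is not the policy from the question and not something Microsoft's documentation ships. It evaluates both update patterns: the standalone `Microsoft.Web/sites/config` child resource (the one the question's policy already covers) and the `siteConfig` block submitted as part of a `Microsoft.Web/sites` PUT by the portal. The alias names are taken from the answer text and are assumed here; before assigning, confirm the exact spelling in your tenant with `Get-AzPolicyAlias -NamespaceMatch Microsoft.Web`, since an alias that does not resolve will silently never match. The `exists` checks are included so that a site update that does not carry a `minTlsVersion` value is not denied by the `notEquals` branch.

```json
{
  "properties": {
    "displayName": "Deny App Service TLS versions below 1.2 (example)",
    "mode": "All",
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              { "field": "type", "equals": "Microsoft.Web/sites/config" },
              { "field": "Microsoft.Web/sites/config/minTlsVersion", "exists": "true" },
              { "field": "Microsoft.Web/sites/config/minTlsVersion", "notEquals": "1.2" }
            ]
          },
          {
            "allOf": [
              { "field": "type", "equals": "Microsoft.Web/sites" },
              { "field": "Microsoft.Web/sites/siteConfig/minTlsVersion", "exists": "true" },
              { "field": "Microsoft.Web/sites/siteConfig/minTlsVersion", "notEquals": "1.2" }
            ]
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

A quick way to validate the definition is to assign it to a test resource group, then attempt the same portal change you captured with F12 and confirm the request is rejected with a `RequestDisallowedByPolicy` error; the compliance scan from the original `config`-only policy remains useful for catching resources that were already below 1.2 before the deny was in place.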