How deny policy or rule inherits from Root Tenant to resource level

Nishith Suthar 0 Reputation points
2024-03-17T20:46:18.96+00:00

I am trying to understand how a deny policy/rule works in terms of inheritance. If I create a deny policy of "not able to create resources" at the root tenant, and under the root tenant I have a management group IT and a Dev subscription under this management group, and I have an allow policy for creating resources under the management group, can I in this case create resources under the subscription, overriding the deny policy at the tenant level?

Azure Policy

2 answers

  1. Silvia Wibowo 2,931 Reputation points Microsoft Employee
    2024-03-18T01:57:52.1466667+00:00

    Hi @Nishith Suthar, I understand that you want to know how Azure Policy is inherited and applied.

    Any assignment of user access or policy on the root management group applies to all resources within the directory. Source: Important facts about root management group.

    Answer to your question: No. If a deny policy applies, the request will be denied, unless you define excluded scopes. Policies are inherited: management structure from higher to lower level, to subscription, to resource group, to resources.

    Please refer to Azure Policy Assignment Structure.

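To make the inheritance described in this answer concrete, here is a small added model (not from the thread or from Microsoft) of how assignments propagate down the hierarchy and how a deny at the root still applies at the Dev subscription unless that subscription is listed in the root assignment's notScopes. The scope IDs are constructed, and because Azure Policy has no "allow" effect, the "allow" policy from the question is modeled as an audit assignment.

```python
from dataclasses import dataclass, field

# Constructed scope IDs for the hierarchy in the question:
# tenant root MG -> "IT" management group -> "Dev" subscription -> a resource group.
ROOT = "/providers/Microsoft.Management/managementGroups/root"
IT = "/providers/Microsoft.Management/managementGroups/IT"
DEV = "/subscriptions/dev-sub"
DEV_RG = "/subscriptions/dev-sub/resourceGroups/rg1"
PARENT = {IT: ROOT, DEV: IT, DEV_RG: DEV}   # child scope -> parent scope

@dataclass
class Assignment:
    scope: str                          # scope the assignment is created at
    effect: str                         # "deny" or "audit" (there is no "allow" effect)
    not_scopes: list = field(default_factory=list)  # excluded child scopes

def ancestors(scope):
    """Return the scope itself followed by each parent up to the tenant root."""
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = PARENT.get(scope)
    return chain

def applies(assignment, target):
    """An assignment reaches a target if the target is at or below the assignment
    scope and none of the assignment's notScopes lies on the path to the target."""
    chain = ancestors(target)
    if assignment.scope not in chain:
        return False
    return not any(ns in chain for ns in assignment.not_scopes)

def creation_allowed(assignments, target):
    """Creation is blocked if any deny assignment applies; a lower-level audit
    assignment never overrides an inherited deny."""
    return not any(a.effect == "deny" and applies(a, target) for a in assignments)

def scenario(target, exclude_dev=False):
    """The question's setup: deny at root, an 'allow' (audit) at the IT MG.
    With exclude_dev=True the Dev subscription is put in the root deny's notScopes."""
    root_deny = Assignment(ROOT, "deny", not_scopes=[DEV] if exclude_dev else [])
    it_audit = Assignment(IT, "audit")
    return creation_allowed([root_deny, it_audit], target)

if __name__ == "__main__":
    print("Dev sub, no exclusion:", scenario(DEV))        # False: deny is inherited
    print("Dev RG,  no exclusion:", scenario(DEV_RG))     # False: inherited further down
    print("Dev sub, excluded:    ", scenario(DEV, True))  # True: notScopes lifts the deny
```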

  2. SwathiDhanwada-MSFT 17,401 Reputation points
    2024-03-20T07:15:08.6366667+00:00