I have following policy rules:
"policyRule": {
  "if": {
    "allOf": [
      {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
          },
          {
            "anyOf": [
              {
                "allOf": [
                  {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/priority",
                    "greaterOrEquals": 100
                  },
                  {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/priority",
                    "lessOrEquals": 999
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/priority",
                    "greaterOrEquals": 3501
                  },
                  {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/priority",
                    "lessOrEquals": 4096
                  }
                ]
              }
            ]
          }
        ]
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
The purpose of the policy is to prevent changes in NSGs within a certain priority range. However, I noticed that not only NSGs are being affected by this policy. I saw that Microsoft.Network/networkIntentPolicies and Microsoft.Network/virtualNetworks are also being evaluated. Is there a way to fix this?
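To reason about which resources the rule above actually matches before assigning a deny, here is an added example (not part of the question, and not the Azure Policy engine) that evaluates the question's policyRule against a handful of constructed resource documents. It implements only the operators the rule uses plus not/notEquals, and it resolves the priority alias through a hand-written alias table (an assumption; the real engine resolves aliases from provider alias definitions and has further behaviours this model does not reproduce).

```python
"""Simplified evaluator for an Azure Policy 'policyRule' (allOf / anyOf / not /
field with equals, notEquals, greaterOrEquals, lessOrEquals).

Added example, not the Azure Policy engine: it shows which constructed
resources the question's rule matches under this model.
"""

# The policyRule from the question, embedded verbatim (including the
# redundant outer allOf that wraps a single allOf).
PRIORITY = "Microsoft.Network/networkSecurityGroups/securityRules/priority"
POLICY_RULE = {
    "if": {"allOf": [{"allOf": [
        {"field": "type",
         "equals": "Microsoft.Network/networkSecurityGroups/securityRules"},
        {"anyOf": [
            {"allOf": [{"field": PRIORITY, "greaterOrEquals": 100},
                       {"field": PRIORITY, "lessOrEquals": 999}]},
            {"allOf": [{"field": PRIORITY, "greaterOrEquals": 3501},
                       {"field": PRIORITY, "lessOrEquals": 4096}]},
        ]},
    ]}]},
    "then": {"effect": "deny"},
}

# Hand-written alias table (assumption): alias -> key path in the resource JSON.
ALIASES = {
    "type": ("type",),
    PRIORITY: ("properties", "priority"),
}


def get_field(resource, field):
    """Resolve a field/alias to its value; unknown or missing paths yield None."""
    node = resource
    for key in ALIASES.get(field, ()):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node if field in ALIASES else None


def _compare(op, actual, expected):
    """Apply one condition operator; a missing field never satisfies a range check."""
    if op == "equals":
        if isinstance(actual, str) and isinstance(expected, str):
            return actual.lower() == expected.lower()  # string compare is case-insensitive
        return actual == expected
    if op == "notEquals":
        return not _compare("equals", actual, expected)
    if actual is None:
        return False
    if op == "greaterOrEquals":
        return actual >= expected
    if op == "lessOrEquals":
        return actual <= expected
    raise ValueError(f"unsupported operator: {op}")


def evaluate(condition, resource):
    """Recursively evaluate an 'if' condition tree against one resource document."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not evaluate(condition["not"], resource)
    ops = [(k, v) for k, v in condition.items() if k != "field"]
    if len(ops) != 1:
        raise ValueError("a field condition needs exactly one operator")
    op, expected = ops[0]
    return _compare(op, get_field(resource, condition["field"]), expected)


def effect_for(rule, resource):
    """Return the rule's effect (here 'deny') when 'if' matches, else None."""
    return rule["then"]["effect"] if evaluate(rule["if"], resource) else None


# Constructed sample resources (not real deployments).
SECURITY_RULE = "Microsoft.Network/networkSecurityGroups/securityRules"
SAMPLE_RESOURCES = {
    "rule-priority-200": {"type": SECURITY_RULE, "properties": {"priority": 200}},
    "rule-priority-2000": {"type": SECURITY_RULE, "properties": {"priority": 2000}},
    "rule-priority-4000": {"type": SECURITY_RULE, "properties": {"priority": 4000}},
    "intent-policy": {"type": "Microsoft.Network/networkIntentPolicies", "properties": {}},
    "vnet": {"type": "Microsoft.Network/virtualNetworks",
             "properties": {"addressSpace": {"addressPrefixes": ["10.0.0.0/16"]}}},
}


def evaluate_all(rule=POLICY_RULE, resources=SAMPLE_RESOURCES):
    """Map each sample resource name to the effect the rule would apply."""
    return {name: effect_for(rule, res) for name, res in resources.items()}


if __name__ == "__main__":
    for name, effect in evaluate_all().items():
        print(f"{name:20s} -> {effect or 'no effect'}")
```

Under this model the type check is the first leaf of the outer allOf, so a networkIntentPolicies or virtualNetworks document fails the condition on its type and the priority checks are never consulted; only securityRules with a priority in 100..999 or 3501..4096 receive the deny. Whether the real engine reports such non-matching resources as having been evaluated is a separate question from whether they can be denied, and this model does not answer it.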
