I created the policy listed below and assigned it to an Azure subscription with no exemptions, but when someone creates a Virtual Machine (VM) that violates this policy, the creation succeeds. The new resource is then reported as non-compliant, whereas I expected the policy to prevent (deny) creation of the non-compliant resource.
What am I doing wrong?
{
"properties": {
"displayName": "Deny Open Access",
"policyType": "Custom",
"mode": "All",
"description": "Denies resources where the applicable network security group rules allow inbound access from all Internet sources",
"metadata": {
"category": "Custom Security",
},
"parameters": {},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/networkSecurityGroups/securityRules"
},
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
"equals": "Allow"
},
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
"equals": "Inbound"
},
{
"anyOf": [
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
"equals": "*"
},
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
"equals": "Internet"
},
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
"equals": "Any"
}
]
}
]
},
"then": {
"effect": "deny"
}
}
},
"type": "Microsoft.Authorization/policyDefinitions",
}