Azure Policy definitions denyAction effect
The denyAction effect is used to block requests based on intended action to resources at scale. The only supported action today is DELETE. This effect and action name helps prevent any accidental deletion of critical resources.
DenyAction evaluation
When a request call with an applicable action name and targeted scope is submitted, denyAction prevents the request from succeeding. The request is returned as a 403 (Forbidden). In the portal, the Forbidden can be viewed as a deployment status that was prevented by the policy assignment.
Microsoft.Authorization/policyAssignments, Microsoft.Authorization/denyAssignments, Microsoft.Blueprint/blueprintAssignments, Microsoft.Resources/deploymentStacks, Microsoft.Resources/subscriptions, and Microsoft.Authorization/locks are all exempt from denyAction enforcement to prevent lockout scenarios.
Subscription deletion
Policy doesn't block removal of resources that happens during a subscription deletion.
Resource group deletion
Policy evaluates resources that support location and tags against denyAction policies during a resource group deletion. Only policies that have the cascadeBehaviors set to deny in the policy rule block a resource group deletion. Policy doesn't block removal of resources that don't support location and tags nor any policy with mode:all.
Cascade deletion
Cascade deletion occurs when deleting of a parent resource is implicitly deletes all its child and extension resources. Policy doesn't block removal of child and extension resources when a delete action targets the parent resources. For example, Microsoft.Insights/diagnosticSettings is an extension resource of Microsoft.Storage/storageaccounts. If a denyAction policy targets Microsoft.Insights/diagnosticSettings, a delete call to the diagnostic setting (child) fails, but a delete to the storage account (parent) implicitly deletes the diagnostic setting (extension).
This table describes if a resource is protected from deletion given the resource applicable to the assigned denyAction policy and the targeted scope of the DELETE call. In the context of this table, an indexed resource is one that supports tags and locations and a non-indexed resource is one that doesn't support tags or locations. For more information on indexed and non-indexed resources, go to definition mode. Child resources are resources that exist only within the context of another resource. For example, a virtual machines extension resource is a child of the virtual machine, which is the parent resource.
| Entity being deleted | Entity applicable to policy conditions | Action taken |
|---|---|---|
| Resource | Resource | Protected |
| Subscription | Resource | Deleted |
| Resource group | Indexed resource | Depends on cascadeBehaviors |
| Resource group | Non indexed resource | Deleted |
| Child resource | Parent resource | Parent is protected; child is deleted |
| Parent resource | Child resource | Deleted |
DenyAction properties
The details property of the denyAction effect has all the subproperties that define the action and behaviors.
actionNames(required)- An array that specifies what actions to prevent from being executed.
- Supported action names are:
delete.
cascadeBehaviors(optional)- An object that defines which behavior is followed when a resource is implicitly deleted when a resource group is removed.
- Only supported in policy definitions with mode set to
indexed. - Allowed values are
allowordeny. - Default value is
deny.
DenyAction example
Example: Deny any delete calls targeting database accounts that have a tag environment that equals prod. Since cascade behavior is set to deny, block any DELETE call that targets a resource group with an applicable database account.
{
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.DocumentDb/accounts"
},
{
"field": "tags.environment",
"equals": "prod"
}
]
},
"then": {
"effect": "denyAction",
"details": {
"actionNames": [
"delete"
],
"cascadeBehaviors": {
"resourceGroup": "deny"
}
}
}
}
Next steps
- Review examples at Azure Policy samples.
- Review the Azure Policy definition structure.
- Understand how to programmatically create policies.
- Learn how to get compliance data.
- Learn how to remediate non-compliant resources.
- Review Azure management groups.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for