User-friendly compliance messages for Azure Policy
When resource creation fails because of Azure Policy, the error is not always very descriptive and you have to search for the cause yourself. The example below shows an error that arises when creating a resource group. The error only tells us that the request was denied by policy configuration, not which policy or why:
User-friendly non-compliance messages
Within Azure, it is possible to attach user-friendly non-compliance messages to a policy assignment; the user sees them when a resource creation is denied by that policy.
These messages are added when assigning a policy in the Azure portal, on the "Non-compliance message" tab of the policy assignment blade.
With a non-compliance message in place, it becomes much clearer when something fails because of a policy. The only downside at this moment is that you still have to look at the raw error. The screenshot below shows that the non-compliance message is now included in the error, giving much more insight into why the creation failed.
Assigning a non-compliance message via Bicep
The non-compliance message can also be added when assigning policies through Bicep or ARM. In the snippet below, the property "nonComplianceMessages" holds the list of possible non-compliance messages.
resource policyAssignment 'Microsoft.Authorization/policyAssignments@2021-06-01' = {
  name: 'string'
  location: 'string'
  properties: {
    description: 'string'
    displayName: 'string'
    enforcementMode: 'string'
    metadata: any()
    nonComplianceMessages: [
      {
        message: 'string'
        policyDefinitionReferenceId: 'string'
      }
    ]
    notScopes: [
      'string'
    ]
    parameters: {}
    policyDefinitionId: 'string'
  }
}
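A complete subscription-scope deployment that puts the snippet above to use, added here as an example and not taken from the original post: it defines a custom deny policy for disallowed locations and assigns it with a non-compliance message, so a denied resource group creation shows the message instead of a bare policy error. The definition name, the allowed regions and the message text are constructed for this example.

```bicep
targetScope = 'subscription'

// Constructed sample values: the regions this subscription may deploy to.
param allowedLocations array = [
  'westeurope'
  'northeurope'
]

// Hypothetical custom definition that denies any resource, resource groups
// included, whose location is outside the allowed list ('global' is exempted
// because some resource types only exist in that pseudo-location).
resource allowedLocationsDefinition 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'deny-disallowed-locations'
  properties: {
    displayName: 'Deny resources outside the allowed locations'
    policyType: 'Custom'
    mode: 'All'
    parameters: {
      listOfAllowedLocations: { type: 'Array' }
    }
    policyRule: {
      if: {
        allOf: [
          { field: 'location', notIn: '[parameters(\'listOfAllowedLocations\')]' }
          { field: 'location', notEquals: 'global' }
        ]
      }
      then: { effect: 'deny' }
    }
  }
}

// The assignment carries the message the user sees in the deny error. No
// policyDefinitionReferenceId is needed here: that field only identifies a
// member definition when the assignment targets an initiative (policy set).
resource allowedLocationsAssignment 'Microsoft.Authorization/policyAssignments@2021-06-01' = {
  name: 'deny-disallowed-locations'
  properties: {
    displayName: 'Deny resources outside the allowed locations'
    enforcementMode: 'Default'
    policyDefinitionId: allowedLocationsDefinition.id
    parameters: {
      listOfAllowedLocations: { value: allowedLocations }
    }
    nonComplianceMessages: [
      {
        message: 'Resources may only be created in: ${join(allowedLocations, ', ')}. Ask the platform team if you need another region.'
      }
    ]
  }
}
```

Deploy with `az deployment sub create --location westeurope --template-file main.bicep`; a later attempt to create a resource group in another region is denied and the error now carries the message above.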
Conclusion
Non-compliance messages make it easier to find the policy that is denying the creation of a resource.
It would be great if these non-compliance messages could also be shown in the regular error summary blade.