User-friendly compliance messages for Azure Policy

When resource creation fails because of Azure Policies the error is not always that descriptive and you will have to search for the failure. If you look at the below example you see an error that arises when creating a resource group. The error only tells us that it is because of policy configuration but what could be the cause:

Error when creating resource group that does not comply with Azure Policy
To find the cause the raw error investigated to find the policy that is denying the creation. As shown below the creation is denied by the policy assignment called “Resource Group – Naming MVP”.

User-friendly none compliant messages

Within Azure, it is possible to attach user-friendly non-compliant messages that the user will see when something is denied by policies when creating resources.

These messages can be added to the platform when assigning policies in Azure. The message can be added in the “Non-compliancy message” tab of the policy assignment blade.

By adding this non-compliance message it becomes clearer when something fails because of policies. The only downside at this moment is that you still have to look at the raw error. The screenshot below shows that the non-compliance message is now included in the error giving much more insight on why the creation failed.

Assigning non-compliancy message via bicep

The non-compliance message can also be added when assigning policies through bicep or ARM. In the below snippet you can find the property called “nonComplianceMessages” that contains the possible non-compliance messages.

resource policyAssignment'Microsoft.Authorization/policyAssignments@2021-06-01' = {
  name: 'string'
  location: 'string'
  properties: {
    description: 'string'
    displayName: 'string'
    enforcementMode: 'string'
    metadata: any()
    nonComplianceMessages: [
      {
        message: 'string'
        policyDefinitionReferenceId: 'string'
      }
    ]
    notScopes: [
      'string'
    ]
    parameters: {}
    policyDefinitionId: 'string'
  }
}

Conclusion

With the use of the non-compliance messages, it becomes easier to search for the policies that are denying the creation of resources.

It would be great if these non-compliance messages can be added to the regular error summary blade.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.