Have you tried deploying Azure Migrate and received a "Deployment validation failed" message? In this post I will talk about how to find out what is preventing you from deploying and how to add an exception for the deployment so it will be successful. You can remove the exception after you are done.
Introduction
Hello everyone,
My name is Andrew Coughlin, and I am a Cloud Solutions Architect at Microsoft, specializing in Azure Infrastructure. In my role, I assist customers with utilizing Azure Migrate to transition their virtual machines from on-premises environments to Azure. Recently, I encountered an issue related to the setup of Azure Migrate, which arises when certain built-in policies are configured to deny compliance settings for storage account and key vault setup. These policies are designed to ensure that storage accounts and key vaults are deployed securely.
In this document, I will address the specific issue encountered and provide guidance on how to resolve it.
When setting up Azure Migrate, the process begins with creating a project. Once the project is established, you proceed to configure the discovery phase. There are three methods available for deploying this appliance: Hyper-V, VMware, or Physical servers. After selecting whether the servers are virtualized and identifying the platform, you will be presented with the following screens:
Next you will enter your appliance name and click Generate key. If you have any applicable policies:
If the settings are configured to "Deny," the deployment will fail, and the following message will be displayed:
Azure Migrate creates the following resources when you click generate key:
- Storage Account
- Key vault
- Recovery Services Vault
At the time of writing, it is not possible to customize any settings for these three resources during deployment via Azure Migrate. In the following section, we will discuss the supported method to address this issue.
Determine which policies caused the failure (Portal)
- First click on the bell in the top right-hand corner.
- Click on Deployment validation failed.
- Expand the most recent validation failed operation.
NOTE: There may be multiple validation failures depending on the number of policies that denied Azure Migrate from creating the resources. Additionally, it may take several minutes for these operations to appear in the activity log.
- Click on any of the ‘deny’ Policy actions, then click on JSON.
- Scroll through the JSON until you find “policies”. Within the policies you will see which policy prevented the resources from being created. In this example we see a policy named “[Preview] Storage account public access should be disallowed”.
- Review each ‘deny’ Policy action and note which policy denied the action.
- Continue to Add Policy Exception.
Determine which policies caused the failure (Using Developer Tools)
Alternatively, you may utilize the developer tools within your browser to identify which policies are obstructing the deployment.
- Click on Settings within the browser.
- Click More Tools > Click Developer Tools.
- Click on Network.
- Type the appliance name and click Generate key.
- Click on the validate?api-version=XXXX-XX-XX.
- Click Response.
- Copy and paste the error into a text editor of your choice to read the policies that blocked the deployment.
- Continue to Add Policy Exception.
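To avoid reading the copied error by eye, the following added example (not part of the original post) lists which policy assignments denied the deployment and under which policy names. It assumes the payload uses the field names `policyDefinitionDisplayName`, `policyDefinitionEffect` and `policyAssignmentId`, and that a `policies` value may arrive as a JSON-encoded string; the sample response, its IDs and two of its policy names are constructed.

```python
import json

# Constructed sample shaped like a validate response. IDs and two of the policy
# names are placeholders; the field names are an assumption about the payload.
PREFIX = "/subscriptions/SUB-PLACEHOLDER/providers/Microsoft.Authorization/policyAssignments/"

def _violation(name, effect, assignment):
    return {"type": "PolicyViolation", "info": {
        "policyDefinitionDisplayName": name, "policyDefinitionEffect": effect,
        "policyAssignmentId": PREFIX + assignment}}

SAMPLE = json.dumps({"error": {"code": "InvalidTemplateDeployment", "details": [
    {"code": "RequestDisallowedByPolicy", "target": "storage-placeholder",
     "additionalInfo": [_violation(
         "[Preview] Storage account public access should be disallowed",
         "deny", "assign-a")]},
    {"code": "RequestDisallowedByPolicy", "target": "vault-placeholder",
     "additionalInfo": [
         _violation("Constructed key vault policy", "Deny", "assign-b"),
         _violation("Constructed audit-only policy", "audit", "assign-c")]}]}})

def iter_policy_records(node):
    """Yield every dict, at any depth, that names a policy assignment."""
    if isinstance(node, dict):
        if "policyAssignmentId" in node:
            yield node
        for key, value in node.items():
            # Assumption: some payloads carry "policies" as a JSON-encoded string.
            if key == "policies" and isinstance(value, str):
                try:
                    value = json.loads(value)
                except ValueError:
                    continue
            yield from iter_policy_records(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_policy_records(item)

def denying_policies(raw):
    """Map each assignment ID to the sorted policy names that denied under it."""
    result = {}
    for rec in iter_policy_records(json.loads(raw)):
        if str(rec.get("policyDefinitionEffect", "")).lower() != "deny":
            continue  # audit and other effects do not block the deployment
        name = rec.get("policyDefinitionDisplayName", "<unnamed policy>")
        result.setdefault(rec["policyAssignmentId"], set()).add(name)
    return {aid: sorted(names) for aid, names in result.items()}

if __name__ == "__main__":
    for assignment, names in denying_policies(SAMPLE).items():
        print(assignment, "<-", "; ".join(names))
```

Each key in the result is an assignment that needs a temporary exclusion; assignments whose effect is only audit are left out because they do not block the deployment.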
Add Policy Exception
We will need to temporarily add an exception to the policy. Once the discovery steps for Azure Migrate are complete, the exceptions can be removed. It is recommended to add the exception solely for the resource group where Azure Migrate is being deployed, ensuring that all other resources continue to be monitored under these policies.
- Click on Azure Policy.
- Click on Compliance, and ensure your scope is set to the level at which you believe the policy is assigned.
- Type storage.
- Click on the policy for public access should be disallowed.
- Click View assignment.
- Click Edit Assignment.
- Click on the … next to Exclusions.
- Select the subscription and resource group you want to exclude this policy from.
- Click Add to Selected Scope.
- Click Save.
- Click Review + save.
- Click Save.
- Keep in mind that if there are multiple policies blocking this, you will need to do Steps 1 – 13 for each policy that blocked part of the creation of the resources. Once you have done this for all policies, continue to Step 14.
- Once finished you can go back to the Azure Migrate – Discover page.
- Provide your appliance name again and click Generate.
- Once finished you should receive the Deployment succeeded message. If not, you will need to repeat the above steps to find out what prevented the deployment.
Remove Policy Exception
Now let’s go ahead and remove the exceptions, as they are no longer needed once we have a successful deployment.
- Click on Azure Policy.
- Click on Compliance, and ensure your scope is set to the level at which you believe the policy is assigned.
- Type storage.
- Click on the policy you want to remove the exception for.
- Click Edit assignment.
- Click on the … next to Exclusions.
- Select the subscription and resource group you want to remove the exclusion from.
- Click Remove next to the resource group.
- Click Review + save.
- Click Yes.
- Click Save.
- Once completed you will get an updated policy assignment message.
- Keep in mind that if there are multiple policies blocking this, you will need to do Steps 1 – 12 for each policy that you want to remove the exception for. Once you have done this for all policies, you’re finished.
Conclusion
In response to inquiries about whether it is possible to pre-create the storage account, Key Vault, and Recovery Services vault, or create these resources after a failure based on the names Azure Migrate attempted to create, the short answer is that this practice is neither recommended nor supported. Pre-creating these resources may result in unexpected issues and is not advisable.
This article discussed the supported method for deploying Azure Migrate when policies are blocking the deployment of essential Azure Migrate resources. Thank you for reading this blog, and I hope it provides valuable assistance. I look forward to your next visit.
Published Jan 23, 2025
Version 1.0
AndrewCoughlin
Core Infrastructure and Security Blog