Forum Discussion

Molx32
Brass Contributor
Feb 16, 2024

Azure Policy - 'Count' expressions

Hi there,


I am currently trying to construct an Azure Policy that uses the 'count' expression, as described in this article: https://learn.microsoft.com/en-us/azure/governance/policy/how-to/author-policies-for-arrays#field-count-expressions. My policy rule looks like the following, and tries to audit or deny all network interfaces where:

  • A public IP exists
  • The associated resource is a VM
  • The associated NSG has only one rule: this is where the problem comes from.

I deployed two VMs for test purposes:

  • A VM that has one security rule -> I expect this one to be non-compliant (audit effect applies)
  • A VM that has two security rules -> I expect this one to be compliant (audit effect doesn't apply)


The issue: both VMs are compliant. I think this is easy to reproduce. Do you guys have any feedback about it?


Best regards!

    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/networkInterfaces"
          },
          {
            "field": "Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id",
            "exists": true
          },
          {
            "field": "Microsoft.Network/networkInterfaces/virtualMachine.id",
            "exists": true
          },
          {
            "count": {
              "field": "Microsoft.Network/networkInterfaces/networkSecurityGroup.securityRules[*]"
            },
            "equals": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
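The following is an added example, not code from the post above or from Azure Policy itself. It is a small model of how Azure Policy resolves field aliases and evaluates `count` (documented behaviour: `count` over a path that selects no array is 0), run against constructed ARM-shaped resources. In an ARM network interface document the `networkSecurityGroup` property is a reference that carries only the NSG `id`; the `securityRules` array lives on the separate `Microsoft.Network/networkSecurityGroups` resource. The model shows the consequence for the posted `if` block: the first three conditions hold for both NICs, but the count on the NIC side is 0 for both, so `equals: 1` never matches and both resources come out compliant. The resource IDs and the `nic`/`nsg` builders are constructed for the example, and the evaluator is a simplification (for instance `exists` is taken as "the alias selects at least one value"), not the real engine.

```python
"""Toy model of Azure Policy 'field'/'count' evaluation (added example, not Azure code)."""

# Constructed sample data: only the shape matters, the IDs are fake.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-test/providers"


def nic(name, nsg_name):
    """ARM-shaped NIC: the NSG is referenced by id only; no securityRules live here."""
    return {"type": "Microsoft.Network/networkInterfaces", "name": name, "properties": {
        "ipConfigurations": [{"name": "ipconfig1", "properties": {
            "publicIPAddress": {"id": f"{SUB}/Microsoft.Network/publicIPAddresses/pip-{name}"}}}],
        "virtualMachine": {"id": f"{SUB}/Microsoft.Compute/virtualMachines/vm-{name}"},
        "networkSecurityGroup": {"id": f"{SUB}/Microsoft.Network/networkSecurityGroups/{nsg_name}"}}}


def nsg(name, rule_count):
    """ARM-shaped NSG carrying `rule_count` security rules."""
    return {"type": "Microsoft.Network/networkSecurityGroups", "name": name, "properties": {
        "securityRules": [{"name": f"rule-{i}", "properties": {"priority": 100 + i}}
                          for i in range(rule_count)]}}


def _get(obj, key):
    """Case-insensitive lookup that also looks through an ARM 'properties' bag."""
    if not isinstance(obj, dict):
        return None
    for k, v in obj.items():
        if k.lower() == key.lower():
            return v
    return _get(obj["properties"], key) if "properties" in obj else None


def resolve(resource, alias):
    """Values an alias like 'Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id'
    selects on `resource`. '[*]' fans out over array members; an absent path yields []."""
    namespace, rtype, path = alias.split("/", 2)
    if resource.get("type", "").lower() != f"{namespace}/{rtype}".lower():
        return []
    values = [resource]
    for token in path.split("."):
        fan_out = token.endswith("[*]")
        key = token[:-3] if fan_out else token
        nxt = []
        for v in values:
            child = _get(v, key)
            if child is None:
                continue
            nxt.extend(child if isinstance(child, list) else []) if fan_out else nxt.append(child)
        values = nxt
    return values


def condition_holds(resource, cond):
    """One policy condition. count.field = number of selected members, 0 when the path is absent."""
    if "count" in cond:
        actual = len(resolve(resource, cond["count"]["field"]))
        if "equals" in cond:
            return actual == cond["equals"]
        if "less" in cond:
            return actual < cond["less"]
        if "greater" in cond:
            return actual > cond["greater"]
        raise ValueError("unsupported count operator")
    field = cond["field"]
    values = [resource[field]] if field in ("type", "name", "location", "kind") else resolve(resource, field)
    if "exists" in cond:  # simplification: true when the alias selects anything
        return bool(values) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return bool(values) and all(str(v).lower() == str(cond["equals"]).lower() for v in values)
    raise ValueError("unsupported field operator")


def rule_matches(resource, condition):
    """Evaluate an 'if' block (allOf / anyOf / not / leaf condition)."""
    if "allOf" in condition:
        return all(rule_matches(resource, c) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(rule_matches(resource, c) for c in condition["anyOf"])
    if "not" in condition:
        return not rule_matches(resource, condition["not"])
    return condition_holds(resource, condition)


# The 'if' block from the post, verbatim in structure.
POSTED_IF = {"allOf": [
    {"field": "type", "equals": "Microsoft.Network/networkInterfaces"},
    {"field": "Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id", "exists": True},
    {"field": "Microsoft.Network/networkInterfaces/virtualMachine.id", "exists": True},
    {"count": {"field": "Microsoft.Network/networkInterfaces/networkSecurityGroup.securityRules[*]"}, "equals": 1},
]}

NIC_ONE, NSG_ONE = nic("one", "nsg-one"), nsg("nsg-one", 1)   # VM 1: NSG with a single rule
NIC_TWO, NSG_TWO = nic("two", "nsg-two"), nsg("nsg-two", 2)   # VM 2: NSG with two rules


def flagged_by_posted_rule(resource):
    return rule_matches(resource, POSTED_IF)


def nic_side_rule_count(nic_resource):
    return len(resolve(nic_resource, "Microsoft.Network/networkInterfaces/networkSecurityGroup.securityRules[*]"))


def nsg_side_rule_count(nsg_resource):
    return len(resolve(nsg_resource, "Microsoft.Network/networkSecurityGroups/securityRules[*]"))


if __name__ == "__main__":
    for n, g in ((NIC_ONE, NSG_ONE), (NIC_TWO, NSG_TWO)):
        print(n["name"], "nic-side count:", nic_side_rule_count(n),
              "nsg-side count:", nsg_side_rule_count(g), "flagged:", flagged_by_posted_rule(n))
```

Running it shows both NICs unflagged with a NIC-side count of 0, while the same count taken on the NSG resources returns 1 and 2. Before trusting any alias in a `count` expression it is worth confirming that it exists for the resource type, for example with `az provider show --namespace Microsoft.Network --expand "resourceTypes/aliases" --query "resourceTypes[?resourceType=='networkInterfaces'].aliases[].name"`; the model above assumes, as the ARM schema suggests, that no `networkSecurityGroup.securityRules[*]` path resolves on a network interface.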
