Deny Security Rules deletion
Hi,
I'm trying to create a policy which prevents users from making any creation/modification/deletion of a priority 100 NSG security rule.
I've created the policy below. While it prevents creation/modification of a priority 100 rule, it still allows a user to delete it. Is deletion not covered under a deny policy? Do we have any MS doc which says that? If not, is there anything that needs to be added to prevent deletion?
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allof": [
        {
          "field": "type",
          "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
        },
        {
          "field": "Microsoft.Network/networkSecurityGroups/securityRules/priority",
          "equals": 100
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}
I've also tried "Microsoft.Network/networkSecurityGroups/securityRules/*" - it doesn't work.