Generally available: Secure critical infrastructure from accidental deletions at scale with Policy
Published Sep 27 2023 09:09 AM 9,123 Views

We are thrilled to announce the general availability of DenyAction, a new effect in Azure Policy! With the introduction of Deny Action, policy enforcement now expands into blocking request based on actions to the resource. These deny action policy assignments can safeguard critical infrastructure by blocking unwarranted delete calls 


Azure Policy expands its at-scale enforcement capabilities to assess requests based on action. Previously, Policy only supported the ‘deny’ effect which blocks requests based on resource configurations or properties. Now a newly added effect, Deny Action, extends that functionality to block based on intended request.  


Deny Action effect can be leveraged in the existing policy definitions schema. This allows for the conditional flexibility that comes with the “If” structure of a policy definition. Further, by assigning these definitions at subscription or management group level, deny action can help block these actions at-scale. Applicable resources will show a “Protected” compliance state to signify that the resource is protected from an unwanted action.  



Get started  


Here’s a sample Custom Deny Action Definition:  





Related Resources 


To keep learning about this exciting new capability of Azure Policy: 


Version history
Last update:
‎Sep 27 2023 09:10 AM
Updated by: