We are thrilled to announce the general availability of DenyAction, a new effect in Azure Policy! With the introduction of Deny Action, policy enforcement now expands into blocking request based on actions tothe resource. These deny action policy assignments can safeguardcritical infrastructure by blockingunwarranteddelete calls.
Azure Policy expands its at-scale enforcement capabilities to assess requests based on action. Previously, Policy only supported the ‘deny’ effect which blocks requests based on resource configurations or properties. Now a newly added effect, Deny Action, extends that functionality to block based on intended request.
Deny Action effect can be leveraged in the existing policy definitions schema. This allows for the conditional flexibility that comes with the “If” structure of a policy definition. Further, by assigning these definitions at subscription or management group level, deny action can help block these actions at-scale. Applicable resources will show a “Protected” compliance state to signify that the resource is protected from an unwanted action.
Here’s a sample Custom Deny Action Definition:
To keep learning about this exciting new capability of Azure Policy: