Azure Blueprint Deny assignment

I am using Azure Blueprint. I am deploying a Resource Group using Azure Blueprint. At the time of assignment, I am putting a "Do not delete" lock on the assignment. This lock, as a "deny assignment", is getting applied to the Resource Group. However, it is not getting inherited by the resources under it.


Please suggest how to apply the "Deny Assignment" to the resources under the Blueprint-created Resource Group. Please note, the resources were moved from another Resource Group to the Blueprint-created Resource Group before it was locked. After the move, the resource group was locked.


Additionally, I want the Blueprint-assigned lock applied at the Resource Group level to be applied to the child resources beneath it.

2 Replies
Create a blueprint: First, create a blueprint that defines the desired state for your resources, including the "Deny Assignment" policy. This blueprint will be used to provision and manage your resources.

Define a policy definition: In the Azure Policy service, define a policy definition that enforces the "Deny Assignment" for the resources. You can create a custom policy definition or use a built-in policy definition provided by Azure.

Assign the policy definition to the blueprint: Associate the policy definition with your blueprint by including it in the blueprint definition. This ensures that the policy is applied when the blueprint provisions resources.

Assign the blueprint to the Resource Group: Assign the blueprint to the target Resource Group where you want to apply the "Deny Assignment" policy. During the assignment process, specify the appropriate parameters and settings.

Provision resources using the blueprint: Once the blueprint is assigned, it will provision the resources in the Resource Group based on the blueprint's definition. The "Deny Assignment" policy will be applied automatically to the resources during provisioning.

Verify the policy enforcement: After the resources are provisioned, verify that the "Deny Assignment" policy is enforced correctly. Check the compliance status of the resources in the Azure Policy service to ensure they adhere to the policy.
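The verification step above is easier when you can see exactly which resource IDs a deny assignment reaches. The script below is an added example, not code from the thread or from Microsoft: it takes a list of deny assignments in the shape of the Microsoft.Authorization/denyAssignments REST response (every ID, name, scope and action below is a constructed sample) and reports, per resource, which deny assignments cover it. The sample models the situation in the post: a "Do Not Delete" deny assignment on the resource group whose doNotApplyToChildScopes flag is set, plus one on a VM the blueprint deployed, so a VM moved in from elsewhere ends up covered by nothing.

```python
"""Report which resources a set of deny assignments actually covers.

Added example for the thread above; not Microsoft's code. The documents
follow the shape of the Microsoft.Authorization/denyAssignments REST
response, but every ID, name, scope and action is a constructed sample.
"""
import json

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-blueprint"
DEPLOYED_VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-from-blueprint"
MOVED_IN_VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-moved-in"

# Constructed sample: one deny assignment scoped to the resource group that
# does not flow to child scopes, and one scoped to the blueprint-deployed VM.
SAMPLE_RESPONSE = json.dumps({"value": [
    {
        "id": RG + "/providers/Microsoft.Authorization/denyAssignments/sample-1",
        "type": "Microsoft.Authorization/denyAssignments",
        "properties": {
            "denyAssignmentName": "Blueprint lock: rg-blueprint (Do Not Delete)",
            "scope": RG,
            "doNotApplyToChildScopes": True,
            "permissions": [{"actions": ["*/delete"], "notActions": [],
                             "dataActions": [], "notDataActions": []}],
            "isSystemProtected": True,
        },
    },
    {
        "id": DEPLOYED_VM + "/providers/Microsoft.Authorization/denyAssignments/sample-2",
        "type": "Microsoft.Authorization/denyAssignments",
        "properties": {
            "denyAssignmentName": "Blueprint lock: vm-from-blueprint (Do Not Delete)",
            "scope": DEPLOYED_VM,
            "doNotApplyToChildScopes": False,
            "permissions": [{"actions": ["*/delete"], "notActions": [],
                             "dataActions": [], "notDataActions": []}],
            "isSystemProtected": True,
        },
    },
]})


def _norm(scope):
    """Resource IDs are compared case-insensitively, ignoring a trailing slash."""
    return scope.rstrip("/").lower()


def covers(assignment, resource_id):
    """True if the deny assignment's scope reaches resource_id.

    A scope always covers itself; it covers descendants only when
    doNotApplyToChildScopes is false (the default).
    """
    props = assignment["properties"]
    scope, target = _norm(props["scope"]), _norm(resource_id)
    if target == scope:
        return True
    is_child = target.startswith(scope + "/")
    return is_child and not props.get("doNotApplyToChildScopes", False)


def denied_actions(assignments, resource_id):
    """Map deny-assignment name -> denied actions, for assignments covering resource_id."""
    result = {}
    for assignment in assignments:
        if covers(assignment, resource_id):
            props = assignment["properties"]
            actions = [act for perm in props["permissions"] for act in perm["actions"]]
            result[props["denyAssignmentName"]] = actions
    return result


def coverage_report(response_json, resource_ids):
    """Parse a denyAssignments list response and report coverage per resource ID."""
    assignments = json.loads(response_json)["value"]
    return {rid: denied_actions(assignments, rid) for rid in resource_ids}


if __name__ == "__main__":
    report = coverage_report(SAMPLE_RESPONSE, [RG, DEPLOYED_VM, MOVED_IN_VM])
    for rid, denied in report.items():
        name = rid.rsplit("/", 1)[-1]
        if denied:
            print(f"{name}: covered by {', '.join(denied)}")
        else:
            print(f"{name}: NOT covered by any deny assignment")
```

To run this against a real subscription, replace SAMPLE_RESPONSE with the output of the deny assignments list call for the resource group scope (for example `Get-AzDenyAssignment -Scope <resource group ID>` from Az PowerShell, converted to JSON) and pass the resource IDs you care about; any resource that comes back with an empty mapping is one the lock does not reach, which is the case the post describes for resources moved in before the assignment.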

So, the deny assignment will only be applicable to resources that are created by the Blueprint. If I simply create a resource or migrate a resource from another resource group, the deny assignment will not apply, right?