Azure Policy - 'Count' expressions


Hi there,


I am currently trying to construct an Azure Policy that uses the 'count' expression, as described in this documentation. My policy rule looks like the following, and tries to audit or deny all network interfaces where:

  • A public IP exists
  • The associated resource is a VM
  • The associated NSG has only one rule: this is where the problem comes from.

I deployed two VMs for test purposes:

  • A VM that has one security rule -> I expect this one to be non-compliant (audit effect applies)
  • A VM that has two security rules -> I expect this one to be compliant (audit effect doesn't apply)


The issue: both VMs are compliant. I think this is easy to reproduce. Do you guys have any feedback about it?


Best regards!

    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/networkInterfaces"
          },
          {
            "field": "Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id",
            "exists": true
          },
          {
            "field": "Microsoft.Network/networkInterfaces/virtualMachine.id",
            "exists": true
          },
          {
            "count": {
              "field": "Microsoft.Network/networkInterfaces/networkSecurityGroup.securityRules[*]"
            },
            "equals": 1
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }


0 Replies
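To make the 'count' semantics concrete, here is an added example (not part of the post, and not Azure's evaluation engine): a small Python evaluator for exactly the subset of policy syntax the rule above uses (allOf, field + exists, field + equals, count + equals), run against constructed network-interface documents. Alias resolution, the "[*] must hold for every member" handling, and the NIC documents themselves are assumptions of this example; in particular the documents that embed a `securityRules` array inside `networkSecurityGroup` exist only to exercise count and are not a claim about the real NIC schema. The point it shows is the documented count behaviour: when the array the count points at is not present on the evaluated resource, the count is 0, so `"equals": 1` never matches and the effect never fires.

```python
"""Added example: evaluator for the subset of Azure Policy rule syntax used in
the post.  Not Azure's engine; alias resolution and [*] handling are simplified
assumptions, and the NIC documents are constructed for illustration."""

from typing import Any, Optional

MISSING = object()  # sentinel: the property is absent at that point in the path
NIC_TYPE = "Microsoft.Network/networkInterfaces"


def resolve(resource: dict, alias: str) -> list:
    """Resolve an alias to the list of values it denotes on `resource`.

    Assumption: an alias is the resource type followed by a dotted path under
    "properties"; a segment ending in "[*]" fans out over every array member.
    An absent property (or a non-array where "[*]" expects one) is reported as
    a single MISSING marker so callers can tell "not there" from a real value.
    """
    if alias == "type":
        return [resource.get("type", MISSING)]
    prefix = NIC_TYPE + "/"
    if not alias.startswith(prefix):
        raise ValueError(f"unsupported alias: {alias}")
    values: list = [resource.get("properties", {})]
    for segment in alias[len(prefix):].split("."):
        fan_out = segment.endswith("[*]")
        key = segment[:-3] if fan_out else segment
        next_values: list = []
        for value in values:
            child = value.get(key, MISSING) if isinstance(value, dict) else MISSING
            if fan_out:
                next_values.extend(child if isinstance(child, list) else [MISSING])
            else:
                next_values.append(child)
        values = next_values
    return values


def count_members(resource: dict, alias: str) -> int:
    """Number of array members the alias resolves to; 0 when the array is absent."""
    return sum(1 for v in resolve(resource, alias) if v is not MISSING)


def compare(actual: Any, condition: dict) -> bool:
    if "equals" in condition:
        return actual == condition["equals"]
    if "notEquals" in condition:
        return actual != condition["notEquals"]
    raise ValueError(f"unsupported operator in {condition}")


def evaluate(condition: dict, resource: dict) -> bool:
    """True means the 'if' block matched, i.e. the effect would apply."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    if "count" in condition:
        # The post's rule uses count without a 'where' clause; only that form is modelled.
        return compare(count_members(resource, condition["count"]["field"]), condition)
    if "field" in condition:
        values = resolve(resource, condition["field"])
        if "exists" in condition:
            present = bool(values) and all(v is not MISSING for v in values)
            return present == bool(condition["exists"])
        # Assumption: a [*] field condition must hold for every member.
        return bool(values) and all(v is not MISSING and compare(v, condition) for v in values)
    raise ValueError(f"unsupported condition: {condition}")


# The 'if' block from the post, transcribed as a Python dict.
POLICY_IF = {
    "allOf": [
        {"field": "type", "equals": NIC_TYPE},
        {"field": f"{NIC_TYPE}/ipconfigurations[*].publicIpAddress.id", "exists": True},
        {"field": f"{NIC_TYPE}/virtualMachine.id", "exists": True},
        {"count": {"field": f"{NIC_TYPE}/networkSecurityGroup.securityRules[*]"}, "equals": 1},
    ]
}
COUNT_ALIAS = POLICY_IF["allOf"][3]["count"]["field"]


def make_nic(public_ip: bool, inline_rules: Optional[int]) -> dict:
    """Constructed NIC document.  inline_rules=None leaves networkSecurityGroup as an
    id-only reference; an integer embeds that many placeholder rules purely so that
    count has something to count (an assumption for the example, not a schema claim)."""
    ipconfig: dict = {"name": "ipconfig1"}
    if public_ip:
        ipconfig["publicIpAddress"] = {"id": "/placeholder/publicIPAddresses/pip-test"}
    nsg: dict = {"id": "/placeholder/networkSecurityGroups/nsg-test"}
    if inline_rules is not None:
        nsg["securityRules"] = [{"name": f"rule{i}"} for i in range(inline_rules)]
    return {
        "type": NIC_TYPE,
        "properties": {
            "ipconfigurations": [ipconfig],
            "virtualMachine": {"id": "/placeholder/virtualMachines/vm-test"},
            "networkSecurityGroup": nsg,
        },
    }


def matches(resource: dict) -> bool:
    return evaluate(POLICY_IF, resource)


if __name__ == "__main__":
    cases = [
        ("NSG referenced by id only", make_nic(True, None)),
        ("one inline rule", make_nic(True, 1)),
        ("two inline rules", make_nic(True, 2)),
        ("one inline rule, no public IP", make_nic(False, 1)),
    ]
    for label, doc in cases:
        print(f"{label:30} count={count_members(doc, COUNT_ALIAS)} matches={matches(doc)}")
```

Running it shows the id-only document counting 0 rules and therefore never matching, while the documents with an embedded array match only when exactly one rule is present; the last case shows the other `allOf` conditions still gating the result. When a count-based rule reports every resource compliant, checking what the count alias actually resolves to on the evaluated resource (for example with a temporary `audit` policy whose only condition is `"count": {...}, "greater": 0`, or by inspecting the resource JSON the policy engine sees) is the first diagnostic step.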