[Solved] Azure Policy to check the networkAcls.ipRules configuration for a Storage Account


Hi all!


I'm trying to configure a Policy that I anticipated shouldn't be too tricky, but for some reason I'm having a hard time getting it to work...


Edit: Started working out of nowhere a few minutes ago...


Configuration is as follows (braces restored so the snippet is valid JSON):

    "parameters": {
      "allowedIPAddress": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed IP Addresses",
          "description": "The list of allowed IP addresses for this resource."
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules",
            "exists": "true"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*].value",
            "notIn": "[parameters('allowedIPAddress')]"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }

According to the documentation at https://docs.microsoft.com/en-us/azure/governance/policy/how-to/author-policies-for-arrays this should work, right? The only difference from the examples is that I check an array instead.
Just to add: I'm also having a hard time getting the example code in the documentation to work, so this might be a person problem :facepalm:
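An offline model of how the posted rule behaves, added here as an example and not part of the original post or of Azure Policy itself. It assumes the documented `[*]` alias semantics (a negated condition such as `notIn` matches when at least one array member is outside the list, and an empty array does not match) and uses constructed storage account payloads:

```python
# Added example: models the posted policyRule against constructed
# storage account resources. Assumption: documented [*] semantics,
# where "notIn" on ipRules[*].value is true if ANY member is not in
# the allowed list, and an empty ipRules array does not match.

# Constructed value for the allowedIPAddress parameter.
ALLOWED = ["203.0.113.10", "203.0.113.0/24"]


def ip_rule_values(resource):
    """Return the list at networkAcls.ipRules[*].value, or None if the
    ipRules property is absent (so the 'exists' clause would be false)."""
    acls = resource.get("properties", {}).get("networkAcls")
    if acls is None or "ipRules" not in acls:
        return None
    return [rule.get("value") for rule in acls["ipRules"]]


def evaluate(resource, allowed=ALLOWED):
    """Return 'deny' when the rule's 'if' block matches, else 'allow'."""
    values = ip_rule_values(resource)
    # allOf clause 1: networkAcls.ipRules must exist
    if values is None:
        return "allow"
    # allOf clause 2: ipRules[*].value notIn allowed -> any member outside
    # the list makes the clause true; an empty array never matches.
    if any(v not in allowed for v in values):
        return "deny"
    return "allow"


def make_account(ip_values=None):
    """Constructed storage account payload; None omits networkAcls.ipRules."""
    props = {}
    if ip_values is not None:
        props["networkAcls"] = {
            "defaultAction": "Deny",
            "ipRules": [{"value": v, "action": "Allow"} for v in ip_values],
        }
    return {"type": "Microsoft.Storage/storageAccounts", "properties": props}


if __name__ == "__main__":
    for ips in (None, [], ["203.0.113.10"], ["203.0.113.10", "198.51.100.7"]):
        print(ips, "->", evaluate(make_account(ips)))
```

Note that a `deny` effect only blocks create and update requests; accounts that already have an out-of-list IP rule are reported as non-compliant rather than changed.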
2 Replies

Hi @Anders Eide,


Is there not another {} missing?

One at the beginning before the parameters and one at the end?


Kind regards, Peter

Hi @Peter_Beckendorf!


I've only added the parameters and policyRule objects to the code snippet to avoid too much bloat in the post :)

I've updated the original post to fix the indentation issue so it's easier to read