Troubleshooting Common Custom Policy Issues in Policy Development
We develop Azure custom policies when we need flexibility and advanced capabilities that cannot be achieved with the built-in policies Azure provides. We can add multiple custom policies for any Azure product, and they can be modified and changed at any time.
In summary, Azure custom policies provide a powerful and flexible framework to design tailored identity experiences, integrate with external systems, and meet advanced security and compliance requirements.
A reference on how to develop custom policies can be found here: Tutorial: Create a custom policy definition – Azure Policy | Microsoft Learn
Common issues seen while developing a custom policy
Issue #1: An incorrect or nonexistent alias is used in a policy definition.
While adding a policy definition, always make sure that the correct policy alias is used; otherwise you will get an error stating "incorrect alias/alias not available". There are multiple ways to check the policy alias, described below.
Use the PowerShell command Get-AzPolicyAlias.
For example, if you are developing a policy for the resource type Microsoft.Storage, use the command below:
(Get-AzPolicyAlias -NamespaceMatch 'storage').Aliases
Once you run the above PowerShell command, you will get the full list of available aliases that can be used to develop policies.
Reference Link: Get-AzPolicyAlias (Az.Resources) | Microsoft Learn
Deploy the resource, add the configuration you expect your custom policy to check, and inspect the GET/PUT calls in the browser developer tools to understand which property/alias is being passed to the backend while the configuration is added. For example, if you want to enable Entra ID authentication in a web app and check via custom policy that the resource has Entra ID auth enabled, deploy the web app, enable Entra ID authentication, and check the values passed to the backend while enabling it. The screenshots below will help you understand how to check the values.
We are adding authentication for the app service here:
Now, before clicking on the Add button, open the developer tools:
Come back and add the authentication for the web app:
Now go back to the developer tools, stop recording, and check the GET/PUT calls:
Click on batchapiversion and under "response" check the values that were updated when you added authentication for your app service. You will see the appropriate alias value and multiple properties inside it, which will help you understand the correct values that need to be added to the custom policy to check whether Entra ID is enabled for the resource.
You can also use the Azure Policy extension for Visual Studio Code to check the correct policy alias for your custom policy.
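As an added example (not code from the original post), the following PowerShell wraps Get-AzPolicyAlias so you can list the aliases for one resource type, filter them by ARM property path, and confirm a candidate alias exists before putting it in a definition. It assumes Az.Resources is installed and Connect-AzAccount has already run; the resource group and alias values in the usage lines are illustrative.

```powershell
# Added example, not from the original post. Assumes Az.Resources and an active Connect-AzAccount session.

# List aliases for one resource type, optionally filtered by a substring of the ARM property path.
function Get-PolicyAliasesForType {
    param(
        [Parameter(Mandatory)] [string] $Namespace,     # e.g. 'Microsoft.Storage'
        [Parameter(Mandatory)] [string] $ResourceType,  # e.g. 'storageAccounts'
        [string] $PathFilter = ''                       # e.g. 'tls' to narrow the list
    )
    # Get-AzPolicyAlias returns one object per resource type; each carries an Aliases collection.
    $types = Get-AzPolicyAlias -NamespaceMatch $Namespace -ResourceTypeMatch $ResourceType
    foreach ($t in $types) {
        foreach ($a in $t.Aliases) {
            $paths = ($a.Paths | ForEach-Object { $_.Path }) -join ', '
            if ($PathFilter -and ($paths -notlike "*$PathFilter*")) { continue }
            [pscustomobject]@{
                ResourceType = $t.ResourceType
                Alias        = $a.Name
                Paths        = $paths
            }
        }
    }
}

# Return $true only when the alias really exists for its resource type (Issue #1 / Issue #4 check).
function Test-PolicyAlias {
    param([Parameter(Mandatory)] [string] $Alias)
    $parts = $Alias -split '/'                       # 'Microsoft.Storage/storageAccounts/minimumTlsVersion'
    if ($parts.Count -lt 3) { return $false }        # an alias always has namespace/type/property
    $hit = Get-AzPolicyAlias -NamespaceMatch $parts[0] -ResourceTypeMatch $parts[1] |
        ForEach-Object { $_.Aliases } |
        Where-Object { $_.Name -eq $Alias }
    return [bool]$hit
}

# Usage: every storage-account alias whose ARM path mentions 'tls'
Get-PolicyAliasesForType -Namespace 'Microsoft.Storage' -ResourceType 'storageAccounts' -PathFilter 'tls' |
    Format-Table -AutoSize

# Usage: verify an alias before authoring the definition; $false means raise it with the PG team (Issue #4)
Test-PolicyAlias -Alias 'Microsoft.Storage/storageAccounts/minimumTlsVersion'
```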
Issue #2: No Resources Found under Compliance Report.
Once you add your custom policy, your resources may not be visible under the compliance report. To fix this, make sure you have provided the correct resource type inside your policy definition and that the read operation is available for that resource type. For example, for the resource type Microsoft.DBforPostgreSQL/flexibleServers, if the read operation Microsoft.DBforPostgreSQL/flexibleServers/read is not available, you won't be able to see the resources under the compliance report. Note that if the read operation is not available, raise a request with the PG team to add the read feature for that product.
All operations available for a particular product can be checked using this link: Azure permissions – Azure RBAC | Microsoft Learn
Issue #3: Incorrect Compliance Report
There can be a case where the custom policy is added but the compliance report is not correct: for example, your resource is marked as compliant although it is non-compliant, or vice versa. To solve this, we have to make sure that our policy rule is correct. Try reversing the policy rule, use different combinations of the "if" and "then" blocks with "allOf" and "anyOf" conditions, and test your policy to see whether the compliance report changes.
A reference for policy rules can be found here: Details of the policy definition structure policy rules – Azure Policy | Microsoft Learn
Also make sure that the policy effect is working properly; an effect that does not behave as expected can also affect the compliance report. To check this, inspect the PUT and GET requests for the particular product and see whether they work with the chosen effect. Sometimes the "Deny" effect does not support the resource type for a particular policy rule, and changing the effect to "Audit" makes the policy rule work and gives the correct compliance report.
Issue #4: Unable to Develop Custom Policy- Alias Not Available
There can be a case where the policy alias needed for the custom policy is not available. In this case, we have to report it directly to the PG team to check whether the alias can be added in a future feature release.
Note that there can be cases where, for security reasons, a particular alias cannot be added by the PG team. In those cases, we have to check for alternative options or values that can be consumed indirectly to implement the custom policy.
Issue #5: Incorrect Mode Usage
It is very important that the "mode" value in the policy definition structure is set correctly; otherwise the resource compliance result will be incorrect.
As a best practice, always use mode "All" in your policy definitions. If mode "Indexed" is used, evaluation is limited to only those resources that support tags, and you won't see a correct compliance report for other resources.
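The definition below is an added example (not the post's own code) that ties Issues #3 and #5 together: it uses mode "All", an allOf rule on a storage-account alias, and a parameterised effect so the rule can be validated as Audit before switching to Deny, then assigns it and reads back the compliance state. It assumes Az.Resources and Az.PolicyInsights are installed, Connect-AzAccount has run, the alias Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly exists (verify with Get-AzPolicyAlias first), and a placeholder resource group named rg-policy-test.

```powershell
# Added example, not from the original post. Assumes Az.Resources, Az.PolicyInsights and an active session.
# Alias used: Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly (check it with Get-AzPolicyAlias).

# Policy rule: flag storage accounts that do not enforce HTTPS-only traffic.
# allOf = every condition must match; swap in anyOf or add "not" blocks when testing a rule (Issue #3).
$policyRule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
      { "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "notEquals": "true" }
    ]
  },
  "then": { "effect": "[parameters('effect')]" }
}
'@

# Keep the effect a parameter: validate the report with Audit first, move to Deny only once it is right.
$parameters = @'
{
  "effect": {
    "type": "String",
    "allowedValues": [ "Audit", "Deny", "Disabled" ],
    "defaultValue": "Audit",
    "metadata": { "displayName": "Effect" }
  }
}
'@

# Mode 'All' evaluates every resource type; 'Indexed' would only evaluate resources that support tags (Issue #5).
$definition = New-AzPolicyDefinition -Name 'audit-storage-https-only' `
    -DisplayName 'Storage accounts should enforce HTTPS-only traffic' `
    -Mode 'All' -Policy $policyRule -Parameter $parameters

# Assign at a test resource group (placeholder name) and trigger an on-demand evaluation.
$rg = Get-AzResourceGroup -Name 'rg-policy-test'
$assignment = New-AzPolicyAssignment -Name 'audit-storage-https-only' -Scope $rg.ResourceId `
    -PolicyDefinition $definition -PolicyParameterObject @{ effect = 'Audit' }
Start-AzPolicyComplianceScan -ResourceGroupName $rg.ResourceGroupName

# One row per storage account; compare against the portal before changing the effect to Deny.
Get-AzPolicyState -ResourceGroupName $rg.ResourceGroupName -PolicyAssignmentName $assignment.Name |
    Select-Object ResourceId, ComplianceState, IsCompliant
```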