Deploying Microsoft.Authorization/denyAssignments@2024-07-01-preview at resource group scope using ARM/Bicep.
We are deploying Microsoft.Authorization/denyAssignments@2024-07-01-preview at resource group scope using ARM/Bicep.
The template compiles successfully, but deployment fails with:
Code:
UserAssignedDenyAssignmentsNotSupported
Message:
User assigned deny assignments are not allowed for current subscription.
Request:
Please confirm whether this subscription can be enabled/allowlisted for user-assigned deny assignments using Microsoft.Authorization/denyAssignments@2024-07-01-preview, or confirm that this capability is unavailable and only Azure-managed deny assignments through Deployment Stacks are supported.
Business reason:
We need to create a deny assignment with All Principals, excluded service principals/users, Actions *, DataActions *, and a specific NotActions allowlist to match an existing security control.
-
Santhosh Kumar Machukuri 0 Reputation points • Microsoft External Staff • Moderator
Hi Dev_Admin,
It looks like you’re hitting the “UserAssignedDenyAssignmentsNotSupported” error when you try to deploy a custom deny assignment at the resource-group scope. That error means your subscription isn’t currently on the allow-list for the 2024-07-01-preview denyAssignments API. Right now, “user-defined” deny assignments (the ones where you list principals, actions, dataActions, notActions, etc.) are a preview feature and must be enabled by Microsoft on your subscription. By default, you can only get deny assignments that Azure itself creates (for example, those baked into Deployment Stacks or service-managed RG locks like Synapse’s protected RGs).
Here’s what you can do:
- File an Azure Support request • Ask to have your subscription onboarded to the Microsoft.Authorization/denyAssignments@2024-07-01-preview preview. Microsoft will flip the feature-flag so you can create user-defined deny assignments.
- In the meantime, consider a Deployment Stack or Azure Blueprint workaround • Deployment Stacks let you bundle up ARM/Bicep artifacts (including built-in deny assignments) into a managed deployment at RG or subscription level. These are “Azure-managed” deny assignments and don’t require preview enrollment.
Once you’re allow-listed, your Bicep at RG scope will look something like this:
```bicep
// Extension resource deployed at resource-group scope (the deployment itself
// must target the resource group).
resource denyAssign 'Microsoft.Authorization/denyAssignments@2024-07-01-preview' = {
  name: 'deny-all-except-some'
  scope: resourceGroup() // RG scope
  properties: {
    description: 'Block all actions/dataActions except these NotActions'
    denyAssignmentName: 'denyAll'
    // Who the deny applies to: every principal ...
    principals: [
      {
        id: '/providers/Microsoft.Authorization/allPrincipals'
        type: 'All'
      }
    ]
    // ... except the principals listed here
    excludedPrincipals: [
      {
        id: '<object-id-of-excluded-SP-or-user>'
        type: 'ServicePrincipal'
      }
    ]
    // Deny everything on both planes, then carve out the NotActions allowlist
    permissions: [
      {
        actions: ['*']
        dataActions: ['*']
        notActions: [
          'Microsoft.Storage/storageAccounts/read'
          'Microsoft.Compute/virtualMachines/start/action'
        ]
      }
    ]
  }
}
```
Reference list
- DenyAssignments Bicep docs: https://learn.microsoft.com/azure/templates/microsoft.authorization/2024-07-01-preview/denyassignments
- Deploying to resource group scope (Bicep): https://learn.microsoft.com/azure/azure-resource-manager/bicep/deploy-to-resource-group
- Deployment Stacks overview: https://learn.microsoft.com/azure/azure-resource-manager/deployment-stacks/overview
Let me know if you need help raising that support request or exploring a Deployment Stack blueprint as a temporary workaround!
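To reason about what the requested control (all principals minus a few excluded service principals, `Actions *`, `DataActions *`, a `NotActions` allowlist) would actually block before the subscription is allow-listed, here is an added example that is not part of the question, the answer, or any Microsoft code. It is a simplified offline model of deny-assignment evaluation: a principal is covered if it is in `principals` and not in `excludedPrincipals`; an operation is denied if it matches an entry in `actions` (or `dataActions` for data-plane operations) and no entry in `notActions` (or `notDataActions`). `*` is assumed to match any run of characters including `/`, matching is assumed case-insensitive, and the `type: 'All'` convention for "every principal" follows the answer's Bicep. The object IDs are constructed placeholders. Conditions (ABAC), `doNotApplyToChildScopes` and inheritance from parent scopes are not modelled.

```python
"""Offline model of deny-assignment evaluation (added example, not Microsoft code)."""
import re
from typing import Dict, List, Tuple

# Constructed placeholder IDs; not real principals.
EXCLUDED_SP = "11111111-1111-1111-1111-111111111111"
ORDINARY_USER = "22222222-2222-2222-2222-222222222222"

# Constructed sample in the shape of the deny assignment the question describes.
SAMPLE_DENY_ASSIGNMENT: Dict = {
    "denyAssignmentName": "denyAll",
    # 'All' is this model's convention for "every principal" (as in the answer's Bicep).
    "principals": [{"id": "/providers/Microsoft.Authorization/allPrincipals", "type": "All"}],
    "excludedPrincipals": [{"id": EXCLUDED_SP, "type": "ServicePrincipal"}],
    "permissions": [{
        "actions": ["*"],
        "dataActions": ["*"],
        "notActions": [
            "Microsoft.Storage/storageAccounts/read",
            "Microsoft.Compute/virtualMachines/start/action",
        ],
        # No notDataActions: every data-plane operation stays denied.
    }],
}


def action_matches(pattern: str, operation: str) -> bool:
    """Wildcard match assumed for Azure action strings: '*' spans any characters
    (including '/'); comparison is case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def principal_covered(assignment: Dict, principal_id: str) -> bool:
    """Covered = listed in principals (or 'All') and not in excludedPrincipals."""
    pid = principal_id.lower()
    if any(p["id"].lower() == pid for p in assignment.get("excludedPrincipals", [])):
        return False
    return any(p.get("type") == "All" or p["id"].lower() == pid
               for p in assignment["principals"])


def is_denied(assignment: Dict, principal_id: str, operation: str,
              data_action: bool = False) -> bool:
    """True if the deny assignment blocks this principal performing this operation."""
    if not principal_covered(assignment, principal_id):
        return False
    deny_key, exempt_key = (("dataActions", "notDataActions") if data_action
                            else ("actions", "notActions"))
    for perm in assignment["permissions"]:
        denied = any(action_matches(p, operation) for p in perm.get(deny_key, []))
        exempt = any(action_matches(p, operation) for p in perm.get(exempt_key, []))
        if denied and not exempt:
            return True
    return False


def still_allowed(assignment: Dict, principal_id: str,
                  probes: List[Tuple[str, bool]]) -> List[str]:
    """Return the probed operations the deny assignment does NOT block for a
    principal; useful for checking that a NotActions allowlist is exactly as intended."""
    return [op for op, is_data in probes if not is_denied(assignment, principal_id, op, is_data)]


if __name__ == "__main__":
    probes = [
        ("Microsoft.Compute/virtualMachines/delete", False),
        ("Microsoft.Storage/storageAccounts/read", False),
        ("Microsoft.Compute/virtualMachines/start/action", False),
        ("Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read", True),
    ]
    for who in (ORDINARY_USER, EXCLUDED_SP):
        print(who, "still allowed:", still_allowed(SAMPLE_DENY_ASSIGNMENT, who, probes))
```

Running the module prints, for the ordinary user, only the two `NotActions` entries (the data-plane blob read stays blocked because `DataActions *` has no `notDataActions` carve-out), and for the excluded service principal every probed operation, which is the behaviour the business reason in the question asks for.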
