Skip to main content
All CollectionsKnowledge BaseEnterprise WorkloadsTroubleshooting - Enterprise Workloads
Onboarding of Azure subscription fails with deny policy set in Azure account
Onboarding of Azure subscription fails with deny policy set in Azure account

Onboarding of Azure subscription fails with deny policy set in Azure account

Updated over 2 months ago

Problem description

This article provides steps to troubleshoot and resolve issues when onboarding Azure subscriptions, particularly when encountering the "DisallowedByPolicy" error.

Traceback

retry=false escape=true code=ConnectionSvc-1001 message="Codes:[RequestDisallowedByPolicy], Msg:Resource 'putphx-drv-xxx-xxx was disallowed by policy. Policy identifiers: '[{\"policyAssignment\":{\"name\":\"Allowed locations\",\"id\":\"/subscriptions/42f9388b-xxxx-xxxx-xxxx-8b75e03a02c9/providers/Microsoft.Authorization/policyAssignments/xxx73cc9159842cd8fxxxx\"},\"policyDefinition\":{\"name\":\"Allowed locations\",\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/xxxxxxx-4747-49cd-b67b-bf8b01975xxx\"}}]'

Resolution

Prerequisites:

Steps to Resolve:

  1. Onboarding Process:

    1. Create a resource group and key vaults in the desired region using the dropdown button.

    2. Select the appropriate region for onboarding.

  2. If Onboarding Fails:

    1. Collect HAR logs after reproducing the issue.

    2. Analyze the HAR logs for any "DisallowedByPolicy" errors.

  3. Identifying Policy Restrictions: If you see an error message similar to

    retry=false escape=true code=ConnectionSvc-1001 message="Codes:[RequestDisallowedByPolicy], Msg:Resource 'putphx-drv-xxx-xxx was disallowed by policy. Policy identifiers: '[{\"policyAssignment\":{\"name\":\"Allowed locations\",\"id\":\"/subscriptions/42f9388b-xxxx-xxxx-xxxx-8b75e03a02c9/providers/Microsoft.Authorization/policyAssignments/xxx73cc9159842cd8fxxxx\"},\"policyDefinition\":{\"name\":\"Allowed locations\",\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/xxxxxxx-4747-49cd-b67b-bf8b01975xxx\"}}]'

    This indicates a deny policy is set for the specific region.

  4. Checking Azure Policies:

    1. Log in to the Azure portal.

    2. Navigate to Home -> Policy | Definitions.

    3. Locate and select "Allowed locations" under Policy assignments.

  5. Updating Allowed Locations:

    1. In the "Allowed locations" policy, find the "listofAllowedLocations" section.

    2. Under the "Parameter value" column, add the region where you want to create the resource group and key vault.

  6. Retry Configuration: After updating the allowed locations, attempt to configure the Azure subscription again.

Did this answer your question?