Skip to main content
All CollectionsKnowledge BaseEnterprise WorkloadsTroubleshooting - Enterprise Workloads
Failed to add Azure subscriptions due to policy restrictions.
Failed to add Azure subscriptions due to policy restrictions.

Failed to add Azure subscriptions due to policy restrictions.

Updated over a week ago

Problem Description:

When attempting to add a new Azure subscription, the process may fail due to restrictions enforced by a policy. To identify the root cause of the failure, it is essential to analyze the HAR logs or use developer tools to monitor the requests. By selecting the Network tab and observing the failed request during subscription addition, the exact error details can be identified.

For guidance on generating a HAR file, refer to the documentation: How to Generate and Collect HAR Log File.


Error message observed in HAR file

The HAR log may display an error message similar to the following:

Codes: [RequestDisallowedByPolicy],

Msg: Resource β€˜sdcp-drv-XXXXX' was disallowed by policy.

Policy Identifiers:

[

{

"policyAssignment": {

"name": "Policy Name",

"id": "subscriptions/<SubscriptionID>/providers/Microsoft.Authorization/policyAssignments/<AssignmentID>"

},

"policyDefinition": {

"name": "Policy Name",

"id": "/providers/Microsoft.Authorization/policyDefinitions/<DefinitionID>"

}

}

]

Cause:

The failure occurs because the Azure subscription addition is restricted by a policy that is still active and applies to the current context (e.g., resource group, management group, or subscription level).

Solution

  1. Investigate Active Policies: Check the resource group or higher-level organizational settings where the policy is applied.

    • Verify the policy assignments and definitions.

  2. Disable the Policy Temporarily:

    • Navigate to the Azure portal.

    • Identify the resource group where the policy is applied.

    • Disable the conflicting policy temporarily.

  3. Add the Subscription:

    • Proceed with the subscription addition process. Confirm that the error no longer occurs.

  4. Re-enable the Policy:

    • After successfully adding the subscription, re-enable the policy at the resource group or applicable level to maintain compliance.

Note

The dependency of policy definitions at the resource group level indicates that proper planning is required when managing policies. Ensure that temporary changes are documented and communicated to relevant stakeholders to avoid unintended impacts on compliance and governance.

Related Articles
Support for Azure Active Directory (AD) Conditional Access policies
Register Azure subscriptions
Error Codes for Azure virtual machines
Onboarding of Azure subscription fails with deny policy set in Azure account
Failed to save e-key while adding Azure subscription
Did this answer your question?