RequestDisallowedByPolicy error with Azure resource policy

This article describes the cause of the RequestDisallowedByPolicy error and provides a solution for it.

Symptom

During deployment, you might receive a RequestDisallowedByPolicy error that prevents you from creating the resources. The following example shows the error:

{
  "statusCode": "Forbidden",
  "serviceRequestId": null,
  "statusMessage": "{\"error\":{\"code\":\"RequestDisallowedByPolicy\",\"message\":\"The resource action 'Microsoft.Network/publicIpAddresses/write' is disallowed by one or more policies. Policy identifier(s): '/subscriptions/{guid}/providers/Microsoft.Authorization/policyDefinitions/regionPolicyDefinition'.\"}}",
  "responseBody": "{\"error\":{\"code\":\"RequestDisallowedByPolicy\",\"message\":\"The resource action 'Microsoft.Network/publicIpAddresses/write' is disallowed by one or more policies. Policy identifier(s): '/subscriptions/{guid}/providers/Microsoft.Authorization/policyDefinitions/regionPolicyDefinition'.\"}}"
}

Troubleshooting

To retrieve details about the policy that blocked your deployment, use one of the following methods:

PowerShell

Note

We recommend that you use the Azure Az PowerShell module to interact with Azure. See Install Azure PowerShell to get started. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.

In PowerShell, provide the policy identifier from the error message as the Id parameter to retrieve details about the policy that blocked your deployment.

(Get-AzPolicyDefinition -Id "/subscriptions/{guid}/providers/Microsoft.Authorization/policyDefinitions/regionPolicyDefinition").Properties.policyRule | ConvertTo-Json

Azure CLI

In Azure CLI, provide the name of the policy definition:

# List the name and displayName of every policy definition with Azure CLI
az policy definition list --query '[*].{Name: name, DisplayName: displayName}' -o table

# Replace {regionPolicyAssignment} with the specific name shown in the output of the previous command, e.g. feedbf84-6b99-488c-acc2-71c829aa5ffc.
az policy definition show --name {regionPolicyAssignment}
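
The following added example, which is not part of the original article, extracts the policy identifiers from the error text shown in the Symptom section and prints the matching `az policy definition show` command for each one, so the definition name does not have to be picked out of the full list by eye. The function names are hypothetical, and the management-group ID layout it handles is an assumption that does not appear on this page.

```shell
#!/bin/sh
# Added example: turn a RequestDisallowedByPolicy error into lookup commands.

# Constructed sample: the error from the Symptom section, as returned by a deployment.
sample_error() {
cat <<'EOF'
{
  "statusCode": "Forbidden",
  "statusMessage": "{\"error\":{\"code\":\"RequestDisallowedByPolicy\",\"message\":\"The resource action 'Microsoft.Network/publicIpAddresses/write' is disallowed by one or more policies. Policy identifier(s): '/subscriptions/{guid}/providers/Microsoft.Authorization/policyDefinitions/regionPolicyDefinition'.\"}}",
  "responseBody": "{\"error\":{\"code\":\"RequestDisallowedByPolicy\",\"message\":\"The resource action 'Microsoft.Network/publicIpAddresses/write' is disallowed by one or more policies. Policy identifier(s): '/subscriptions/{guid}/providers/Microsoft.Authorization/policyDefinitions/regionPolicyDefinition'.\"}}"
}
EOF
}

# Read error text on stdin and print each distinct policy definition ID.
# The IDs sit in single quotes, which JSON does not escape, so the match works
# on the raw, doubly encoded text. The quoted resource action has no leading
# "/" and is skipped; sort -u drops the copy repeated in responseBody.
extract_policy_ids() {
  grep -oiE "'/[^']*policyDefinitions/[^']+'" | tr -d "'" | sort -u
}

# Print the lookup command for one ID. The definition name is the last path
# segment; the scope prefix selects --subscription or --management-group.
# An ID with neither prefix is treated as a built-in definition.
# Values cannot contain a single quote (extraction stops at one), so
# single-quoting them in the printed command is safe.
lookup_command() {
  id=$1
  name=${id##*/}
  case "$id" in
    /subscriptions/*)
      rest=${id#/subscriptions/}
      printf '%s\n' "az policy definition show --name '$name' --subscription '${rest%%/*}'" ;;
    /providers/Microsoft.Management/managementGroups/*)  # assumed layout
      rest=${id#/providers/Microsoft.Management/managementGroups/}
      printf '%s\n' "az policy definition show --name '$name' --management-group '${rest%%/*}'" ;;
    *)
      printf '%s\n' "az policy definition show --name '$name'" ;;
  esac
}

# Print one lookup command per policy ID found in the error text on stdin.
lookup_commands() {
  extract_policy_ids | while IFS= read -r id; do lookup_command "$id"; done
}

sample_error | lookup_commands
```

The commands are printed rather than executed so they can be reviewed before being run in a logged-in Azure CLI session.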

Solution

For security or compliance, your subscription administrators might assign policies that limit how resources are deployed. For example, your subscription might have a policy that prevents creating Public IP addresses, Network Security Groups, User-Defined Routes, or route tables. The error message in the Symptom section shows the name of the policy. To resolve this problem, review the resource policies, and determine how to deploy resources that comply with those policies.

For more information, see the following articles: