RequestDisallowedByPolicy error with Azure resource policy

This article describes the cause of the RequestDisallowedByPolicy error and provides a solution for it.

Symptom

During deployment, you might receive a RequestDisallowedByPolicy error that prevents you from creating the resources. The following example shows the error:

{
  "statusCode": "Forbidden",
  "serviceRequestId": null,
  "statusMessage": "{\"error\":{\"code\":\"RequestDisallowedByPolicy\",\"message\":\"The resource action 'Microsoft.Network/publicIpAddresses/write' is disallowed by one or more policies. Policy identifier(s): '/subscriptions/{guid}/providers/Microsoft.Authorization/policyDefinitions/regionPolicyDefinition'.\"}}",
  "responseBody": "{\"error\":{\"code\":\"RequestDisallowedByPolicy\",\"message\":\"The resource action 'Microsoft.Network/publicIpAddresses/write' is disallowed by one or more policies. Policy identifier(s): '/subscriptions/{guid}/providers/Microsoft.Authorization/policyDefinitions/regionPolicyDefinition'.\"}}"
}

Troubleshooting

To retrieve details about the policy that blocked your deployment, use one of the following methods:

PowerShell

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

In PowerShell, provide that policy identifier as the Id parameter to retrieve details about the policy that blocked your deployment.

(Get-AzPolicyDefinition -Id "/subscriptions/{guid}/providers/Microsoft.Authorization/policyDefinitions/regionPolicyDefinition").Properties.policyRule | ConvertTo-Json

Azure CLI

In Azure CLI, provide the name of the policy definition:

# List the name and displayName of every policy definition with Azure CLI
az policy definition list --query "[*].[name,displayName]"

# Replace {regionPolicyAssignment} with the specific name shown in the output of the previous command, e.g. feedbf84-6b99-488c-acc2-71c829aa5ffc.
az policy definition show --name {regionPolicyAssignment}
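
The following added example (not part of the original article) pulls the denied resource action and the policy definition identifier out of the error payload shown in the Symptom section and prints the matching Azure CLI lookup command. The function names and the handling of several identifiers in one message are assumptions; the sample input is the article's own error text.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are hypothetical.

# The error payload from the Symptom section, embedded as sample input.
sample_error() {
cat <<'EOF'
{
  "statusCode": "Forbidden",
  "serviceRequestId": null,
  "statusMessage": "{\"error\":{\"code\":\"RequestDisallowedByPolicy\",\"message\":\"The resource action 'Microsoft.Network/publicIpAddresses/write' is disallowed by one or more policies. Policy identifier(s): '/subscriptions/{guid}/providers/Microsoft.Authorization/policyDefinitions/regionPolicyDefinition'.\"}}",
  "responseBody": "{\"error\":{\"code\":\"RequestDisallowedByPolicy\",\"message\":\"The resource action 'Microsoft.Network/publicIpAddresses/write' is disallowed by one or more policies. Policy identifier(s): '/subscriptions/{guid}/providers/Microsoft.Authorization/policyDefinitions/regionPolicyDefinition'.\"}}"
}
EOF
}

# Matches a policy definition ID at any scope. Assumption: IDs are delimited
# by quotes, backslashes, spaces or commas, as in the sample message.
ID_RE="[^'\"\\ ,]*/providers/Microsoft\.Authorization/policyDefinitions/[^'\"\\ ,]+"

# stdin: error text. stdout: each distinct policy definition ID, one per line.
# The ID appears in both statusMessage and responseBody, so de-duplicate.
policy_ids_from_error() {
  grep -oE "$ID_RE" | sort -u
}

# stdin: error text. stdout: the resource action that the policy denied.
denied_action_from_error() {
  sed -n "s/.*The resource action '\([^']*\)' is disallowed.*/\1/p" | sort -u
}

# $1: full policy definition ID. stdout: its last path segment (the name).
policy_name_from_id() {
  printf '%s\n' "${1##*/}"
}

# stdin: error text. stdout: one az lookup command per blocking policy.
lookup_commands() {
  policy_ids_from_error | while IFS= read -r id; do
    printf 'az policy definition show --name %s\n' "$(policy_name_from_id "$id")"
  done
}

echo "Denied action: $(sample_error | denied_action_from_error)"
sample_error | lookup_commands
```

To use it on a real failure, pipe the saved deployment error into `lookup_commands` instead of `sample_error`.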

Solution

For security or compliance, your subscription administrators might assign policies that limit how resources are deployed. For example, your subscription might have a policy that prevents creating Public IP addresses, Network Security Groups, User-Defined Routes, or route tables. The error message in the Symptom section shows the name of the policy. To resolve this problem, review the resource policies, and determine how to deploy resources that comply with those policies.

For more information, see the following articles: