| title | Azure Policy definitions denyAction effect |
|---|---|
| description | Azure Policy definitions denyAction effect determines how compliance is managed and reported. |
| ms.date | 03/04/2025 |
| ms.topic | reference |
The denyAction effect is used to block requests based on intended action to resources at scale. The only supported action today is DELETE. This effect and action name helps prevent any accidental deletion of critical resources.
When a request call with an applicable action name and targeted scope is submitted, denyAction prevents the request from succeeding. The request is returned as a 403 (Forbidden). In the portal, the Forbidden can be viewed as a deployment status that was prevented by the policy assignment.
Microsoft.Authorization/policyAssignments, Microsoft.Authorization/denyAssignments, Microsoft.Blueprint/blueprintAssignments, Microsoft.Resources/deploymentStacks, Microsoft.Resources/subscriptions, and Microsoft.Authorization/locks are all exempt from denyAction enforcement to prevent lockout scenarios.
Policy doesn't block removal of resources that happens during a subscription deletion.
Policy evaluates resources that support location and tags against denyAction policies during a resource group deletion. Only policies that have the cascadeBehaviors set to deny in the policy rule block a resource group deletion. Policy doesn't block removal of resources that don't support location and tags nor any policy with mode:all.
Cascade deletion occurs when deleting of a parent resource is implicitly deletes all its child and extension resources. Policy doesn't block removal of child and extension resources when a delete action targets the parent resources. For example, Microsoft.Insights/diagnosticSettings is an extension resource of Microsoft.Storage/storageaccounts. If a denyAction policy targets Microsoft.Insights/diagnosticSettings, a delete call to the diagnostic setting (child) fails, but a delete to the storage account (parent) implicitly deletes the diagnostic setting (extension).
[!INCLUDE azure-policy-deny-action]
The details property of the denyAction effect has all the subproperties that define the action and behaviors.
actionNames(required)- An array that specifies what actions to prevent from being executed.
- Supported action names are:
delete.
cascadeBehaviors(optional)- An object that defines which behavior is followed when a resource is implicitly deleted when a resource group is removed.
- Only supported in policy definitions with mode set to
indexed. - Allowed values are
allowordeny. - Default value is
deny.
Example: Deny any delete calls targeting database accounts that have a tag environment that equals prod. Since cascade behavior is set to deny, block any DELETE call that targets a resource group with an applicable database account.
{
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.DocumentDb/accounts"
},
{
"field": "tags.environment",
"equals": "prod"
}
]
},
"then": {
"effect": "denyAction",
"details": {
"actionNames": [
"delete"
],
"cascadeBehaviors": {
"resourceGroup": "deny"
}
}
}
}- Review examples at Azure Policy samples.
- Review the Azure Policy definition structure.
- Understand how to programmatically create policies.
- Learn how to get compliance data.
- Learn how to remediate non-compliant resources.
- Review Azure management groups.