Dombat


Software Engineering, Security, Management & Leadership. I work for Microsoft as an Application Development Manager (ADM). Views are mine.

Microsoft Learn Labs - Template deployment failed because of policy violation.

29th October 2019

If you're studying for Microsoft Certifications it's likely that you need to activate a sandbox to do a lab. If you don't use the sandbox you cannot proceed past that page at the "knowledge check" stage. Therefore if anything goes wrong you're stuck!

The following will also help anyone else who isn't doing labs to diagnose policy issues in Azure.

My error message is

Error message reads "The template deployment failed because of policy violation. Please see details for more information".

Strangely, clicking the message or the arrow, both of which act like links, doesn't do anything!

How to find the policy violation message

Find the resource group that has the policy violation. For my lab, the resource group was already created by the sandbox.

Find the resource group with the policy violation and click into it

Then click "Activity Logs". In this screenshot you can see some errors and then some successes once I had fixed the issue.

Click Activity Log inside the resource group to see a list of errors

Open up the most recent or most relevant error and then click the JSON tab. Scroll down the JSON and find the errors. In my case it manifested itself as a BadRequest. It doesn't matter if you don't know JSON, just read it. We are looking for the ID of the policyDefinitions so we can go and find it.

JSON error message showing the policy violation messages

In the screenshot above you'll see the policyDefinitions ID (which is a GUID) near the bottom of the message. Copy the GUID so we can use it for a Policy Search.

In the Azure Portal, type "Policy" into the search box and open Policy.

Open the Policy Definitions.

Drill into the Policy Definitions so we can search for the GUID

When all the definitions are showing, paste and search for your policy ID and the list should filter to show only the policy you're interested in.

Search for the policy by pasting its GUID into the search box

Click to open the offending policy. The definition will again be JSON. You should be able to read it. Below is my offending policy (yours will be different). It basically says "if the resource is a Microsoft.Web/serverFarms (an App Service Plan) and its SKU name is not F1 or D1, or its SKU tier is not Free or Shared (and some other stuff that is not relevant), then Deny". See if you can read it:

 "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/serverFarms"
          },
          {
            "anyOf": [
              {
                "not": {
                  "field": "Microsoft.Web/serverfarms/sku.name",
                  "in": [
                    "F1",
                    "D1"
                  ]
                }
              },
              {
                "not": {
                  "field": "Microsoft.Web/serverFarms/sku.tier",
                  "in": [
                    "Free",
                    "Shared"
                  ]
                }
              },
              {
                "field": "Microsoft.Web/serverFarms/sku.skuCapacity.maximum",
                "greater": 2
              },
              {
                "field": "Microsoft.Web/serverFarms/sku.skuCapacity.default",
                "greater": 2
              },
              {
                "field": "Microsoft.Web/serverFarms/sku.skuCapacity.minimum",
                "greater": 2
              },
              {
                "field": "Microsoft.Web/serverFarms/maximumNumberOfWorkers",
                "greater": 2
              },
              {
                "field": "Microsoft.Web/serverfarms/sku.capacity",
                "greater": 2
              },
              {
                "field": "Microsoft.Web/serverFarms/maximumElasticWorkerCount",
                "greater": 2
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "Deny"
      }
    }

So, in my case the tutorial does not cater for the "Consumption Plan".
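To check a planned SKU against this rule before deploying, the rule can be evaluated locally. The following is an added example, not code from the original post or from Azure: a simplified evaluator covering only the operators this rule uses, run on constructed sample resources. The `Y1`/`Dynamic` SKU values used for the Consumption plan and the handling of missing fields are assumptions.

```python
# Added example: minimal evaluator for the policyRule shown above.
# Assumptions: only the operators used in that rule are implemented, field
# names match case-insensitively, and a missing field fails every comparison.

SF = "Microsoft.Web/serverFarms"
POLICY_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": SF},
        {"anyOf": [
            {"not": {"field": SF + "/sku.name", "in": ["F1", "D1"]}},
            {"not": {"field": SF + "/sku.tier", "in": ["Free", "Shared"]}},
        ] + [{"field": SF + "/" + f, "greater": 2} for f in (
            "sku.skuCapacity.maximum", "sku.skuCapacity.default",
            "sku.skuCapacity.minimum", "maximumNumberOfWorkers",
            "sku.capacity", "maximumElasticWorkerCount")]},
    ]},
    "then": {"effect": "Deny"},
}

def matches(cond, resource):
    """Return True when `cond` holds for `resource` (dict of field -> value)."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    value = {k.lower(): v for k, v in resource.items()}.get(cond["field"].lower())
    if "equals" in cond:
        return isinstance(value, str) and value.lower() == cond["equals"].lower()
    if "in" in cond:
        return isinstance(value, str) and value.lower() in [x.lower() for x in cond["in"]]
    if "greater" in cond:
        return isinstance(value, (int, float)) and value > cond["greater"]
    raise ValueError("unsupported condition: %r" % cond)

def effect(resource, rule=POLICY_RULE):
    """Effect the rule applies to `resource`, or None when the rule does not match."""
    return rule["then"]["effect"] if matches(rule["if"], resource) else None

# Constructed sample resources (flattened field -> value), not taken from the page.
CONSUMPTION = {"type": SF, SF + "/sku.name": "Y1", SF + "/sku.tier": "Dynamic"}
FREE_F1 = {"type": SF, SF + "/sku.name": "F1", SF + "/sku.tier": "Free",
           SF + "/sku.capacity": 1}
STORAGE = {"type": "Microsoft.Storage/storageAccounts"}

if __name__ == "__main__":
    for name, res in [("consumption", CONSUMPTION), ("F1", FREE_F1), ("storage", STORAGE)]:
        print(name, "->", effect(res))
```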

How to fix (my issue)

I needed to change FROM consumption plan to an App Service Plan with a free server.

I had to change FROM consumption plan

I had to create a new App Service Plan. Be careful: by default it will give you a server that will cost you money! Click "Change size" under the server (SKU Size).

Choosing a new plan and changing the size of the default machine

In the spec picker screen I had to click the Dev/Test tab and then choose F1 size which has free minutes. (Note: Remember in my policy JSON it specifically said "deny when NOT F1 or D1" - go and have another read of the JSON above)

Choosing the Dev Test spec and the F1 size of machine to get it for free for the lab

Once I had done this it then allowed me to continue to create my Function and continue the lab for Microsoft Learn.

Software Engineer with interests in security and business processes.
