PolicyViolation policy config_error ai_generated true

Resource 'myresource' was disallowed by policy. Policy: 'Allowed locations'. Reason: 'The resource location 'eastus2' is not permitted.'

ID: policy/azure-policy-denies-resource-group-location-mismatch

Fix Rate: 80%
Confidence: 85%
Evidence: 1
First Seen: 2023-01-15

Version Compatibility

| Version | Status | Introduced | Deprecated | Notes |
| --- | --- | --- | --- | --- |
| Azure Policy 2.0 | active | | | |
| Azure Resource Manager 2023-03-01 | active | | | |

Root Cause

Azure Policy 'Allowed locations' restricts resource deployment to a predefined list of regions, and the resource's location does not match any allowed region.

Official Documentation

https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effects

Workarounds

  1. (85% success) Identify the allowed locations from the policy assignment and redeploy the resource to one of those regions. Use Azure CLI: `az policy assignment list --query "[?policyDefinitionId=='/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c'].{name:name, parameters:parameters}"` to get the allowed list.
  2. (70% success) Create an exemption for the resource group or specific resource via Azure Portal: Policy > Compliance > Select policy > Create exemption. This bypasses the policy for that scope.
  3. (80% success) Modify the policy assignment to include the desired location by updating the parameters: `az policy assignment update --name "allowed-locations" --resource-group "my-rg" --parameters "{\"listOfAllowedLocations\":{\"value\":[\"eastus\",\"eastus2\"]}}"`.
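
Added example (not part of the original entry): a pre-deployment check that reads saved output of the `az policy assignment list` query from workaround 1 and reports which assignments would deny a planned region, and which regions every assignment permits. The sample JSON, the assignment names and the helper function names are constructed for illustration; the `parameters.listOfAllowedLocations.value` shape is assumed from the parameter name used in workaround 3.

```python
import json

# Constructed sample, shaped like the output of the `az policy assignment list`
# query in workaround 1 (assignment names and region lists are made up).
SAMPLE_ASSIGNMENTS = json.loads("""
[
  {"name": "allowed-locations",
   "parameters": {"listOfAllowedLocations": {"value": ["eastus", "westus2"]}}},
  {"name": "sub-allowed-locations",
   "parameters": {"listOfAllowedLocations": {"value": ["eastus", "East US 2"]}}},
  {"name": "no-params-returned", "parameters": null}
]
""")


def normalize(location):
    """Assumption: regions compare case-insensitively, ignoring spaces."""
    return location.replace(" ", "").lower()


def allowed_sets(assignments):
    """Map assignment name -> set of allowed regions, or None if no list is visible."""
    result = {}
    for a in assignments:
        params = a.get("parameters") or {}
        value = (params.get("listOfAllowedLocations") or {}).get("value")
        result[a["name"]] = None if value is None else {normalize(v) for v in value}
    return result


def denying_assignments(location, assignments):
    """Names of assignments whose visible allowed list lacks `location`."""
    loc = normalize(location)
    sets = allowed_sets(assignments)
    return sorted(n for n, s in sets.items() if s is not None and loc not in s)


def deployable_locations(assignments):
    """Regions permitted by every assignment with a visible list (intersection)."""
    sets = [s for s in allowed_sets(assignments).values() if s is not None]
    return sorted(set.intersection(*sets)) if sets else []


def unresolved(assignments):
    """Assignments with no readable list; these need a manual check."""
    return sorted(n for n, s in allowed_sets(assignments).items() if s is None)


if __name__ == "__main__":
    print("eastus2 denied by:", denying_assignments("eastus2", SAMPLE_ASSIGNMENTS))
    print("permitted by all:", deployable_locations(SAMPLE_ASSIGNMENTS))
    print("check manually:", unresolved(SAMPLE_ASSIGNMENTS))
```

Because several assignments at different scopes can apply at once, a region is only safe to deploy to when it appears in the intersection, not merely in one assignment's list.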

Dead Ends

Common approaches that don't work:

  1. (60% fail) The policy may apply to multiple resource groups or subscriptions; changing location randomly may still violate the policy if the new location is also not allowed.
  2. (80% fail) The policy is evaluated at deployment time; recreating in the same disallowed location will trigger the same denial.
  3. (95% fail) The policy is enforced by Azure Resource Manager; retrying without changing the location will consistently fail.