# Resource 'myresource' was disallowed by policy. Policy: 'Allowed locations'. Reason: 'The resource location 'eastus2' is not permitted.'

- **ID:** `policy/azure-policy-denies-resource-group-location-mismatch`
- **Domain:** policy
- **Category:** config_error
- **Error Code:** `PolicyViolation`
- **Verification:** ai_generated
- **Fix Rate:** 80%

## Root Cause

Azure Policy 'Allowed locations' restricts resource deployment to a predefined list of regions, and the resource's location does not match any allowed region.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| Azure Policy 2.0 | active | — | — |
| Azure Resource Manager 2023-03-01 | active | — | — |

## Workarounds

1. **Identify the allowed locations from the policy assignment and redeploy the resource to one of those regions. Use the Azure CLI to get the allowed list.** (85% success)
   ```
   az policy assignment list --query "[?policyDefinitionId=='/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c'].{name:name, parameters:parameters}"
   ```
2. **Create an exemption for the resource group or specific resource via Azure Portal: Policy > Compliance > Select policy > Create exemption. This bypasses the policy for that scope.** (70% success)
3. **Modify the policy assignment to include the desired location by updating the parameters.** (80% success)
   ```
   az policy assignment update --name "allowed-locations" --resource-group "my-rg" --params "{\"listOfAllowedLocations\":{\"value\":[\"eastus\",\"eastus2\"]}}"
   ```
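
A pre-flight check for workaround 1, as an added example that is not part of the original page: it takes records shaped like `az policy assignment list -o json` output and reports which enforced 'Allowed locations' assignments would deny a candidate region, plus the regions every assignment accepts. The sample records, the helper names, the space- and case-insensitive region matching, and the assumption that the list holds every assignment in effect at the target scope (exemptions and `notScopes` are not modelled) are all assumptions of this example.

```python
# Built-in 'Allowed locations' definition ID, taken from the query in workaround 1.
ALLOWED_LOCATIONS_DEF = (
    "/providers/Microsoft.Authorization/policyDefinitions/"
    "e56962a6-4747-49cd-b67b-bf8b01975c4c"
)

def _assignment(name, locations, mode="Default"):
    # Hypothetical helper: one constructed record in the shape of the CLI's JSON output.
    return {"name": name, "policyDefinitionId": ALLOWED_LOCATIONS_DEF,
            "enforcementMode": mode,
            "parameters": {"listOfAllowedLocations": {"value": locations}}}

# Constructed sample data, not taken from a real tenant.
SAMPLE = [
    _assignment("allowed-locations", ["eastus", "westus2"]),
    _assignment("rg-allowed-locations", ["East US", "eastus2"]),
    _assignment("audit-only", ["westeurope"], mode="DoNotEnforce"),
    {"name": "unrelated", "parameters": None, "policyDefinitionId":
     "/providers/Microsoft.Authorization/policyDefinitions/00000000-0000-0000-0000-000000000000"},
]

def norm(location):
    # Assumption: treat "East US 2" and "eastus2" as the same region.
    return location.replace(" ", "").lower()

def enforced_allow_lists(assignments):
    """Map assignment name -> normalized allowed set, skipping non-enforced ones."""
    result = {}
    for a in assignments:
        if a.get("policyDefinitionId", "").lower() != ALLOWED_LOCATIONS_DEF.lower():
            continue  # a different policy definition
        if a.get("enforcementMode", "Default") == "DoNotEnforce":
            continue  # evaluated for compliance only, does not deny deployments
        params = a.get("parameters") or {}
        values = (params.get("listOfAllowedLocations") or {}).get("value") or []
        result[a["name"]] = {norm(v) for v in values}
    return result

def denying_assignments(assignments, location):
    """Names of enforced assignments whose allowed list excludes `location`."""
    if norm(location) == "global":
        return []  # the built-in definition skips resources located in 'global'
    lists = enforced_allow_lists(assignments)
    return [name for name, allowed in lists.items() if norm(location) not in allowed]

def commonly_allowed(assignments):
    """Regions accepted by every enforced assignment, or None if none are enforced."""
    sets = list(enforced_allow_lists(assignments).values())
    return sorted(set.intersection(*sets)) if sets else None
```

With the sample data, `eastus2` is accepted by one assignment but still denied by the other, which is the situation the first dead end below describes.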

## Dead Ends

- The policy may apply to multiple resource groups or subscriptions; changing location randomly may still violate the policy if the new location is also not allowed. (60% fail)
- The policy is evaluated at deployment time; recreating in the same disallowed location will trigger the same denial. (80% fail)
- The policy is enforced by Azure Resource Manager; retrying without changing the location will consistently fail. (95% fail)
