Azure Policy | Deny Action

Hi,

In this new article, I will share with you a new Azure Policy effect: « Deny Action ». DenyAction blocks requests to a resource based on the intended action. The only supported action today is DELETE. This effect helps prevent accidental deletion of critical resources.

With this new Azure Policy effect, you could remove the « Delete » lock type in place at the Resource Group level.

Please find below an example:

{
   "if": {
      "allOf": [
         {
            "field": "type",
            "equals": "Microsoft.DocumentDb/accounts"
         },
         {
            "field": "tags.environment",
            "equals": "prod"
         }
      ]
   },
   "then": {
      "effect": "DenyAction",
      "details": {
         "actionNames": [ "delete" ],
         "cascadeBehaviors": { "resourceGroup": "deny" }
      }
   }
}
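
Before removing a delete lock in favour of this rule, it helps to check which resources the rule actually covers. The following is an added example, not code from this article or from Azure: a simplified Python evaluator for only the operators used in the rule above, run over a constructed inventory. The resource names, tags and function names are assumptions, and it treats `equals` and tag names as case-insensitive.

```python
# Policy rule from the article, as a Python dict.
RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.DocumentDb/accounts"},
        {"field": "tags.environment", "equals": "prod"},
    ]},
    "then": {"effect": "DenyAction", "details": {
        "actionNames": ["delete"],
        "cascadeBehaviors": {"resourceGroup": "deny"},
    }},
}

# Constructed inventory (names and tags are made up for this example).
INVENTORY = [
    {"name": "cosmos-orders", "type": "Microsoft.DocumentDb/accounts", "tags": {"environment": "prod"}},
    {"name": "cosmos-reports", "type": "Microsoft.DocumentDb/accounts", "tags": {"Environment": "PROD"}},
    {"name": "cosmos-legacy", "type": "Microsoft.DocumentDb/accounts", "tags": {}},
    {"name": "stprodlogs", "type": "Microsoft.Storage/storageAccounts", "tags": {"environment": "prod"}},
]

def get_field(resource, field):
    """Resolve the two field kinds this rule uses: 'type' and 'tags.<name>'."""
    if field.lower().startswith("tags."):
        tags = {k.lower(): v for k, v in resource.get("tags", {}).items()}
        return tags.get(field[5:].lower())
    return resource.get(field)

def matches(cond, resource):
    """Evaluate only the operators present in the rule: allOf and equals."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    actual = get_field(resource, cond["field"])
    # Assumption: string comparison for 'equals' is case-insensitive.
    return actual is not None and actual.lower() == cond["equals"].lower()

def delete_denied(resource, rule=RULE):
    """True when a DELETE request on this resource would hit the DenyAction effect."""
    details = rule["then"]["details"]
    return (rule["then"]["effect"] == "DenyAction"
            and "delete" in details["actionNames"]
            and matches(rule["if"], resource))

def rg_delete_denied(resources, rule=RULE):
    """A resource group delete is refused if it would remove a protected resource."""
    cascade = rule["then"]["details"].get("cascadeBehaviors", {})
    return cascade.get("resourceGroup") == "deny" and any(delete_denied(r, rule) for r in resources)

def unprotected(resources, rule=RULE):
    """Resources that lose delete protection if the lock is removed."""
    return [r["name"] for r in resources if not delete_denied(r, rule)]

if __name__ == "__main__":
    print("not covered by the policy:", unprotected(INVENTORY))
    print("resource group delete denied:", rg_delete_denied(INVENTORY))
```

The untagged account and the storage account are the gap: a Resource Group lock covered them, while this rule does not.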

Maxime.
