Generally, for the deny or audit evaluation, Azure Policy will trigger the List Collection REST API to detect the current status of resources. If we check the response body of the List API, the object does not contain any property like firewallState or encryptionState, so the Policy Rule will never be evaluated.
According to the confirmation of the ADLS Gen 1 product group, this is by design. Considering that ADLS Gen 1 is sunsetting, there is currently no plan to fix the gap (with the GET REST API).
Workaround: We may consider using ADLS Gen2 (the latest version of Storage Account) for the long term. The ADLS Gen2 REST API, which is actually the latest version of the Azure Storage Service, can be evaluated by the following policy rule:
"policyRule": {
"if": {
"allOf": [{
"field": "type",
"equals": "Microsoft.Storage/StorageAccounts"
}, {
"field": "Microsoft.Storage/storageAccounts/encryption.services.blob.enabled",
"equals": "true"
}
]
},
"then": {
"effect": "audit"
}
}
}
Thanks @Manikanta for sharing the support ticket number. Sharing the resolution for the benefit of the broader community.
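The following is an added illustration, not code from the answer above or from Azure: a toy evaluator that applies the quoted policy rule to constructed resource bodies in the shape a List call returns. It shows why the rule fires for a Storage (Gen2) account whose encryption property is present, and why a resource whose response body simply lacks the property (the ADLS Gen 1 situation described above) can never satisfy an `equals` condition. The alias table, the sample resource bodies and the string-based boolean comparison are assumptions made for this demo, not the real Azure Policy implementation.

```python
import json

# The policy rule quoted in the answer above (audit on Gen2 storage accounts).
POLICY_RULE = json.loads("""
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Storage/StorageAccounts" },
      { "field": "Microsoft.Storage/storageAccounts/encryption.services.blob.enabled",
        "equals": "true" }
    ]
  },
  "then": { "effect": "audit" }
}
""")

# Toy alias table mapping a policy alias to a JSON path inside the resource body.
# The real Azure alias set is far larger; this single entry is assumed for the demo.
ALIASES = {
    "Microsoft.Storage/storageAccounts/encryption.services.blob.enabled":
        "properties.encryption.services.blob.enabled",
}

# Constructed sample resource bodies (invented for illustration, not captured from Azure).
STORAGE_GEN2_ENCRYPTED = {
    "type": "Microsoft.Storage/storageAccounts",
    "name": "examplegen2",
    "properties": {"encryption": {"services": {"blob": {"enabled": True}}}},
}
STORAGE_GEN2_NO_ENCRYPTION_BLOCK = {
    "type": "Microsoft.Storage/storageAccounts",
    "name": "examplegen2b",
    "properties": {},
}
ADLS_GEN1 = {
    # No encryptionState / firewallState in the list response: the gap the answer describes.
    "type": "Microsoft.DataLakeStore/accounts",
    "name": "exampleadls",
    "properties": {"provisioningState": "Succeeded"},
}

_MISSING = object()  # sentinel for "property absent from the response body"


def resolve_field(resource, field):
    """Return the value a policy 'field' refers to, or _MISSING if it is absent."""
    if field == "type":
        return resource.get("type", _MISSING)
    path = ALIASES.get(field)
    if path is None:
        return _MISSING
    node = resource
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return _MISSING
        node = node[part]
    return node


def _normalize(value):
    # Azure Policy string comparison is case-insensitive; booleans are compared
    # through their lower-cased string form here (an assumption of this toy).
    return str(value).lower()


def condition_holds(cond, resource):
    """Evaluate one condition object; supports allOf, anyOf, equals and exists."""
    if "allOf" in cond:
        return all(condition_holds(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_holds(c, resource) for c in cond["anyOf"])
    actual = resolve_field(resource, cond["field"])
    if "equals" in cond:
        # A property that is not in the response can never equal anything.
        return actual is not _MISSING and _normalize(actual) == _normalize(cond["equals"])
    if "exists" in cond:
        return (actual is not _MISSING) == (_normalize(cond["exists"]) == "true")
    raise ValueError(f"unsupported condition: {cond}")


def evaluate_rule(policy_rule, resource):
    """Return the effect name when the 'if' block matches, otherwise None."""
    if condition_holds(policy_rule["if"], resource):
        return policy_rule["then"]["effect"]
    return None


if __name__ == "__main__":
    for res in (STORAGE_GEN2_ENCRYPTED, STORAGE_GEN2_NO_ENCRYPTION_BLOCK, ADLS_GEN1):
        print(res["name"], "->", evaluate_rule(POLICY_RULE, res))
```

Running the script prints `audit` only for the encrypted Gen2 account; the Gen2 account with no encryption block and the ADLS Gen 1 account both yield `None`, because the property the alias points at is absent rather than false. When writing a compliance check against an alias whose property may be missing from the response, pair the `equals` test with an `exists` condition so that absence is reported rather than silently skipped.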