Not getting the excludedActions on an Azure Blueprint to work
Hi all,
I'm deploying a Blueprint that contains a Recovery Services Vault. That Blueprint gets the read only lock. Now I want others, who are contributors on the particular resource group, to be able to still add a machine to that Recovery Services Vault. I therefore added the following action to the list of excludedActions on the blueprint: 'Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write' like so:
"locks": {
    "mode": "AllResourcesReadOnly",
    "excludedActions": [
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write"
    ]
}
I however still get the error message saying that the deny assignment is blocking me from doing that. Nor do I see the above action in the deny assignment on the resource group as an exclusion.
Redacted error:
The client ‘<me>’ with object id '' has permission to perform action 'Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/write' on scope '/subscriptions/<sub>/resourcegroups/<group>/providers/Microsoft.RecoveryServices/vaults/<VaultName>/backupFabrics/Azure/protectionContainers/<item>/protectedItems/<item>’; however, the access is denied because of the deny assignment with name 'Deny assignment ‘<assignmentId>’ created by Blueprint Assignment '/providers/Microsoft.Management/managementGroups/<group>/providers/Microsoft.Blueprint/blueprintAssignments/<sub>-LockedBlueprintAssignment'.' and Id ‘<assignmentId>’ at scope '/subscriptions/<subId>/resourceGroups/<group>/providers/Microsoft.RecoveryServices/vaults/<vaultName>’.