This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 56.00000000000001%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJR%3C/text%3E%3C/svg%3E)
Hello,
We have a policy with "Deny" effect when the newly created RG(resource group) doesn't have specific tag.
Policy works fine when we try to create resources from arm/tf/portal (still the same api), but when we create the organization from Azure DevOps then it is created as a part of new RG in specific subscription.
The newly created RG doesn't have required tag, but everything completes correctly, and the new organization + rg have been created.
The policy works for a long time, and already caught a couple of events but when Azure DevOps does the thing then the policy is ignored.
I tried to check the docs but there's no information regarding some possible exceptions for policy effects.
Have you heard about something similar?
I'm aware that it's possible to create the azure devops organization through az cli but no none will do it because the Azure DevOps UI gives a lot of benefits, and it's much more user friendly
(it's interesting that there's no AzureDevOps API that allows to create organization).
One more item, we have an analogic case during the creation of VMs by Azure DataBricks with policy to deny creation of VM if the SKU is out of the list, but same situation, policy doesn't deny the action, and VMs have been created.
For me it looks like similar cases, and I want to have your confirmation that there're some exceptions, and in fact we can do nothing with it :)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(240, 90%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMK%3C/text%3E%3C/svg%3E)
I just came across similar problem, using policy I'm trying to automatically assign sku.name tag on virtual machines created by Databricks.
Is there a workaround to include "managedby" resources in policy and do not allow them to be bypassed?
I found the answer regarding VMs created in scope of the Databricks:
https://github.com/Azure/azure-policy#optional-or-auto-generated-resource-property-that-bypasses-policy-evaluation
I believe very similar situation will be with AzureDevOps but I really want to have a confirmation :)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 41%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
@Jakub Ramut , I am reviewing this query and will get back to you soon. I understand that the "deny" effect does not work in the above mentioned scenario. However, do you see these VMs and RG in non-compliant state after some time in Azure Policy?
@AnuragSingh-MSFT , Indeed, both resources (VMs and RG) are in non-compliant state after some time in Azure Policy. Looks like policy validation works but only during the GET operation (reading from policy blade), and the PUT/POST doesn't include policy validation.
@Jakub Ramut , I have the confirmation that the "managedby" resources (like the ones created by Azure Databricks or DevOps) bypass Policy evaluation.
Please let me know if you have any questions.
@AnuragSingh-MSFT , thanks for the confirmation.
Have a great day!