Hello,
We have a policy with "Deny" effect when the newly created RG(resource group) doesn't have specific tag.
Policy works fine when we try to create resources from arm/tf/portal (still the same api), but when we create the organization from Azure DevOps then it is created as a part of new RG in specific subscription.
The newly created RG doesn't have required tag, but everything completes correctly, and the new organization + rg have been created.
The policy works for a long time, and already caught a couple of events but when Azure DevOps does the thing then the policy is ignored.
I tried to check the docs but there's no information regarding some possible exceptions for policy effects.
Have you heard about something similar?
I'm aware that it's possible to create the azure devops organization through az cli but no none will do it because the Azure DevOps UI gives a lot of benefits, and it's much more user friendly
(it's interesting that there's no AzureDevOps API that allows to create organization).
One more item, we have an analogic case during the creation of VMs by Azure DataBricks with policy to deny creation of VM if the SKU is out of the list, but same situation, policy doesn't deny the action, and VMs have been created.
For me it looks like similar cases, and I want to have your confirmation that there're some exceptions, and in fact we can do nothing with it :)