Deny users from creating a VMS with public IP addresses

I am trying to deny users from creating a VMS with public IP addresses.

I am getting the following error - value not accepted on this - "field": "Microsoft.Network/",

  {
    "mode": "All",
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/publicIPAddresses"
          },
          {
            "not": {
              "field": "Microsoft.Network/",
              "exists": "true"
            }
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    },
    "parameters": {}
  }


  • Deny users from creating a VMS with public IP addresses

    The policy you are using will deny any resource with a public IP, and the field in the policy is also not correct.

    "field": "Microsoft.Network/",

    Here is the correct field:


    Here is the updated policy to deny users from creating a VMS with public IP addresses.

      {
        "mode": "All",
        "policyRule": {
          "if": {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachineScaleSets"
              },
              {
                "not": {
                  "field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.networkProfile.networkInterfaceConfigurations[*].ipConfigurations[*].publicIPAddressConfiguration",
                  "exists": "false"
                }
              }
            ]
          },
          "then": {
            "effect": "deny"
          }
        },
        "parameters": {}
      }

    After assigning the policy to the specified scope, it denies the creation of VMS with public IPs.
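The rule in the answer uses a double negation: `not` around `"exists": "false"` matches a scale set in which at least one ipConfiguration carries `publicIPAddressConfiguration`. The following pre-deployment check is an added example, not part of the original answer; it applies the same test to a constructed ARM template resource, assuming the alias maps to the `properties` path shown and that a `[*]` condition is met only when every array member meets it.

```python
import json

# Constructed sample: a VM scale set resource as it would appear in an ARM
# template. Names and ids are placeholders, not values from the original post.
SAMPLE_VMSS = json.loads("""
{
  "type": "Microsoft.Compute/virtualMachineScaleSets",
  "name": "example-vmss",
  "properties": {"virtualMachineProfile": {"networkProfile": {
    "networkInterfaceConfigurations": [
      {"name": "nic0", "properties": {"ipConfigurations": [
        {"name": "internal", "properties": {"subnet": {"id": "<subnet-id>"}}},
        {"name": "external", "properties": {
          "subnet": {"id": "<subnet-id>"},
          "publicIPAddressConfiguration": {"name": "pip0"}}}
      ]}}
    ]}}}
}
""")

VMSS_TYPE = "Microsoft.Compute/virtualMachineScaleSets"


def public_ip_configs(resource):
    """Return (nic, ipConfiguration) name pairs that request a public IP."""
    # The policy's first condition: only scale sets are in scope.
    if resource.get("type", "").lower() != VMSS_TYPE.lower():
        return []
    profile = resource.get("properties", {}).get("virtualMachineProfile", {})
    nics = profile.get("networkProfile", {}).get("networkInterfaceConfigurations", [])
    hits = []
    for nic in nics:
        for ipcfg in nic.get("properties", {}).get("ipConfigurations", []):
            if "publicIPAddressConfiguration" in ipcfg.get("properties", {}):
                hits.append((nic.get("name"), ipcfg.get("name")))
    return hits


def would_deny(resource):
    """Mirror the rule: not(every ipConfiguration lacks the property)."""
    return bool(public_ip_configs(resource))


if __name__ == "__main__":
    for nic, ipcfg in public_ip_configs(SAMPLE_VMSS):
        print(f"deny: {nic}/{ipcfg} sets publicIPAddressConfiguration")
```

Running it over templates in CI reports which ipConfiguration would trigger the deny before the deployment reaches Azure.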