Problem
When a subscription has an Azure Policy that denies resources with local authentication enabled (e.g., `disableLocalAuth` must be `true`), `azd provision` fails at deploy time with a cryptic `RequestDisallowedByPolicy` error:
Deployment Error Details:
InvalidTemplateDeployment: The template deployment failed because of policy violation.
RequestDisallowedByPolicy: Resource 'stdagcewyyviu73h' was disallowed by policy.
Reasons: 'This request was denied due to internal policy. Local authentication methods
are not allowed.'
Users get no prior warning before the (often long) deployment attempt.
Proposal
Add a local preflight check that:
- Lists Azure Policy assignments on the target subscription
- Fetches policy definitions and inspects `policyRule` for `disableLocalAuth`-related deny conditions
- Cross-references the target resource types against the Bicep snapshot resources
- Reports a warning if any template resource has `disableLocalAuth: false` or missing while a deny policy requires it
This fits naturally into the existing preflight infrastructure (`local_preflight.go` + `PreflightCheckFn`).
Scope
- New `PolicyService` in `pkg/azapi/` using the `armpolicy` Azure SDK
- Lightweight parser for policy rule conditions (focused on `disableLocalAuth` field patterns)
- New preflight check function registered in `bicep_provider.go`
- Warning-level only (not blocking), since we cannot evaluate exemptions or complex conditions
Limitations (acceptable for a warning)
- Cannot evaluate complex nested policy conditions (tags, locations, etc.)
- Cannot check policy exemptions
- Parameterized effects need resolution from assignment parameters
- Policy initiatives (sets) need an extra level of resolution
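A sketch of the lightweight parser and the cross-reference step from the Proposal and Scope above, added here as an example that is not azd's own code: it reads one `policyRule` document, extracts the deny requirement, and checks snapshot resources against it, treating a parameterized effect as unresolved exactly as the Limitations list says. `condition`, `Resource`, `DenyRequirement` and `CheckResources` are assumed names; the sample rule and resources are constructed, and fetching definitions via `armpolicy` and loading the Bicep snapshot are out of scope.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// condition is the subset of an Azure Policy "if" tree this check reads: one field test,
// or an allOf/anyOf list. JSON keys match the Go field names case-insensitively.
type condition struct {
	Field                     string
	Equals, NotEquals, Exists interface{}
	AllOf, AnyOf              []condition
}

// Resource is a constructed stand-in for one resource from the Bicep snapshot.
type Resource struct{ Name, Type string; Props map[string]interface{} }

// DenyRequirement parses one policyRule document. For a plain "deny" rule it returns the
// resource type and the local-auth property the rule requires to be true; ok is false for a
// non-deny or parameterized effect ("[parameters('effect')]") or an unrecognised condition.
func DenyRequirement(policyRuleJSON []byte) (resType, prop string, ok bool, err error) {
	var rule struct{ If condition; Then struct{ Effect string } }
	if err = json.Unmarshal(policyRuleJSON, &rule); err != nil {
		return "", "", false, err
	}
	for stack := []condition{rule.If}; len(stack) > 0; { // flatten allOf/anyOf into field tests
		c := stack[len(stack)-1]
		stack = append(append(stack[:len(stack)-1], c.AllOf...), c.AnyOf...)
		if strings.EqualFold(c.Field, "type") {
			resType = fmt.Sprint(c.Equals)
		} else if strings.Contains(strings.ToLower(c.Field), "disablelocalauth") &&
			(fmt.Sprint(c.NotEquals) == "true" || fmt.Sprint(c.Equals) == "false" || fmt.Sprint(c.Exists) == "false") {
			prop = c.Field[strings.LastIndex(c.Field, "/")+1:] // denied unless true, or when absent
		}
	}
	ok = strings.EqualFold(rule.Then.Effect, "deny") && resType != "" && prop != ""
	return resType, prop, ok, nil
}

// CheckResources returns one warning per template resource of the denied type whose
// local-auth switch is false or missing (a missing key reads as nil, which is != true).
func CheckResources(resType, prop string, resources []Resource) (warnings []string) {
	for _, r := range resources {
		if strings.EqualFold(r.Type, resType) && r.Props[prop] != true {
			warnings = append(warnings, fmt.Sprintf("%s (%s): %s is false or missing but a deny policy requires it", r.Name, r.Type, prop))
		}
	}
	return warnings
}
```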