I am facing an issue with Azure Policy.

Question

I am trying to enforce a tag on all my VMs. I have created a policy definition with a modify effect that adds the tag env with a value of prod if its missing. The policy assignment is at the subscription level. New VMs are getting tagged correctly, which is right. However, when I try to remediate existing VMs, some of them fail remediation with the error "Resource 'Microsoft.Compute/virtualMachines/<vm-name>' is not in a state that allows modifications." I have checked the VMs, and they are all running. I can manually add the tag to them without any issues. What could be causing this, and how can I fix it?

Answer 1

Hi Sirish,

Thanks for posting your query!

The error "Resource 'Microsoft.Compute/virtualMachines/' is not in a state that allows modifications" usually indicates that the VM is in a state that prevents modifications. Common causes include VM extensions being updated, resource locks, or pending operations.

Solutions:

1. Check and wait for any VM extensions to complete their updates.
2. Remove any resource locks using az lock list --resource-group <rg>.
3. Ensure no pending operations are affecting the VM by reviewing the activity log.
4. If the VM is part of a scale set, modify the scale set properties instead.

By addressing these factors, you should be able to remediate the VMs successfully.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.