Share via

Blob storage public access and TLS configuration on devtest labs creation

Geiger, Juefan 21 Reputation points
2021-11-04T09:11:57.677+00:00

Creating a devtest lab (portal) fails with:
{
"code": "DeploymentFailed",
"message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
"details": [
{
"code": "RequestDisallowedByPolicy",
"message": "Resource 'atgwtest6963' was disallowed by policy. Policy identifiers: '[{\"policyAssignment\":{\"name\":\"Storage accounts must have 'Allow Blob Public Access' set to Disabled\",\"id\":\"/providers/Microsoft.Management/managementGroups/fce03a5c-e0b4-46b6-914b-e8f6fa7c06c8/providers/Microsoft.Authorization/policyAssignments/6242fc9d53517d0ae6de20ab\"},\"policyDefinition\":{\"name\":\"Storage accounts must have 'Allow Blob Public Access' set to Disabled\",\"id\":\"/providers/Microsoft.Management/managementgroups/fce03a5c-e0b4-46b6-914b-e8f6fa7c06c8/providers/Microsoft.Authorization/policyDefinitions/fc6c4214-770e-ac65-4c05-7976594281cb\"}},{\"policyAssignment\":{\"name\":\"Storage accounts must use TLS Version 1.2 and above\",\"id\":\"/providers/Microsoft.Management/managementGroups/fce03a5c-e0b4-46b6-914b-e8f6fa7c06c8/providers/Microsoft.Authorization/policyAssignments/9c9f5e389f580b3fd1b1ba59\"},\"policyDefinition\":{\"name\":\"Storage accounts must use TLS Version 1.2 and above\",\"id\":\"/providers/Microsoft.Management/managementgroups/fce03a5c-e0b4-46b6-914b-e8f6fa7c06c8/providers/Microsoft.Authorization/policyDefinitions/e52bd9e7-9187-7cf5-ed95-6c22f8f706ef\"}}]'."
}
]
}

looks like the creation interferes with policy:
Storage accounts must have 'Allow Blob Public Access' set to Disabled
and
Storage accounts must use TLS Version 1.2 and above

Are Enable blob public access and TLS < 1.2 mandatory devtest labs?
if not, is it possible to spin up a devtest lab without breaking these policies?

thank you in advance,
Jüfan

Azure DevTest Labs
Azure DevTest Labs
An Azure service that is used for provisioning development and test environments.
282 questions
Azure Blob Storage
Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.
3,055 questions
0 comments
Accepted answer
  1. deherman-MSFT 37,846 Reputation points Microsoft Employee
    2021-11-04T16:41:06.33+00:00

    @Geiger, Juefan Every lab created in Azure DevTest Labs is created with an associated Azure storage account. Unfortunately it does not appear possible to edit the configuration values of this storage account before it is created. You have an Azure Policy in place which requires the minimum TLS version of the storage account to be 1.2 and requires public access to be disabled. To workaround this issue you can temporarily disable this policy, create the lab, then edit the storage account settings.

    Hope this helps! I will be reaching out to the DevTest Labs service team with your issue, but cannot promise when or if storage account settings will be configurable. If you have further questions or issue please let me know.

    -------------------------------

    Please don’t forget to "Accept the answer" and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.