Policy to deny VM & VMSS creation with installing the Entra ID (formerly AAD) extension on them

Virender Rathore 0 Reputation points
2024-10-24T10:38:28.84+00:00

Can we have a custom policy to deny VM & VMSS creation with installing the Entra ID (formerly AAD) extension on them? Also, is there a way to auto-remediate and install the Entra ID (formerly AAD) VM extension on Linux and Windows VMs?


1 answer

  1. Stanislav Zhelyazkov 25,321 Reputation points MVP
    2024-10-25T06:06:38.46+00:00

    Hi,

    You can deny the installation of specific VM extensions such as the Entra ID extension via policy: Windows and Linux. Note that when you apply the policy you also will not be able to create those extensions. This is because Azure Policy sits on the ARM layer, and policies apply to anyone making changes, whether from the Portal, CLI, PowerShell, etc., and whatever account they use. In order to remediate them manually you will have to first create exclusions, install the extension, and at the end either leave the exclusions or remove them. Overall it is unclear what you want to achieve exactly. It is unusual to want something to be blocked so it can be applied later.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
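The kind of deny policy the answer describes, written out as an added example (this is not the policy linked in the answer or a Microsoft built-in): it matches the Entra ID login extensions by publisher and type on standalone VMs and in a scale set's extension profile, and exposes the effect as a parameter so it can run as Audit first to inventory existing installs before switching to Deny. The VMSS alias path under `virtualMachineProfile.extensionProfile` and the `effect`/`extensionTypes` parameter names are assumptions made for this example; the default type values are the Windows and Linux Entra ID login extensions.

```json
{
  "displayName": "Deny Entra ID login extension on VMs and VMSS (example)",
  "description": "Example only. VMSS alias path is assumed; verify with Get-AzPolicyAlias before use.",
  "mode": "All",
  "parameters": {
    "effect": {
      "type": "String",
      "allowedValues": [ "Audit", "Deny", "Disabled" ],
      "defaultValue": "Audit"
    },
    "extensionTypes": {
      "type": "Array",
      "defaultValue": [ "AADLoginForWindows", "AADSSHLoginForLinux" ]
    }
  },
  "policyRule": {
    "if": {
      "anyOf": [
        {
          "allOf": [
            { "field": "type", "equals": "Microsoft.Compute/virtualMachines/extensions" },
            { "field": "Microsoft.Compute/virtualMachines/extensions/publisher", "equals": "Microsoft.Azure.ActiveDirectory" },
            { "field": "Microsoft.Compute/virtualMachines/extensions/type", "in": "[parameters('extensionTypes')]" }
          ]
        },
        {
          "allOf": [
            { "field": "type", "equals": "Microsoft.Compute/virtualMachineScaleSets" },
            {
              "count": {
                "field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.extensionProfile.extensions[*]",
                "where": {
                  "allOf": [
                    { "field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.extensionProfile.extensions[*].publisher", "equals": "Microsoft.Azure.ActiveDirectory" },
                    { "field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.extensionProfile.extensions[*].type", "in": "[parameters('extensionTypes')]" }
                  ]
                }
              },
              "greater": 0
            }
          ]
        }
      ]
    },
    "then": { "effect": "[parameters('effect')]" }
  }
}
```

Because the rule fires on every ARM write, assigning it with `Deny` also blocks any later remediation task that tries to install the same extension, which is the conflict the answer points out; scope exclusions or an `Audit` assignment are the ways around it.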

