Azure Data Explorer
An Azure data analytics service for real-time analysis on large volumes of data streaming from sources including applications, websites, and internet of things devices.
537 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 18%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGG%3C/text%3E%3C/svg%3E)
Hi @Nikhil Raj
Thanks for the question and using MS Q&A forum.
To identify the Azure policy that is blocking your operation, you can query the Azure Activity Log using Azure Data Explorer (ADX) or Kusto Query Language (KQL). Azure Activity Logs can provide insights into policy evaluations and their outcomes.
Here's how you can frame a Kusto query to find the deny policy:
You might need to configure diagnostic settings to send Activity Logs to a Log Analytics workspace, which can then be queried using KQL.
Use the following Kusto query to search for deny actions related to your Azure Purview account:
// Change 'YourLogAnalyticsWorkspace' to the name of your Log Analytics workspace
let startTime = ago(1d); // Adjust the time range as needed
let endTime = now();
let resourceId = "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Purview/accounts/<purview-account-name>";
ActivityLogs
| where TimeGenerated between (startTime .. endTime)
| where ResourceId == resourceId
| where OperationNameValue == "Microsoft.Authorization/policies/audit/action"
| where StatusValue == "Deny"
| project TimeGenerated, ResourceId, OperationNameValue, StatusValue, Properties
| extend PolicyDetails=parse_json(Properties)
| project TimeGenerated, ResourceId, OperationNameValue, StatusValue, PolicyDetails.PolicyAssignmentName, PolicyDetails.PolicyDefinitionName, PolicyDetails.PolicyDefinitionId, PolicyDetails.PolicyAssignmentId
| order by TimeGenerated desc
- Replace the parameters:
<subscription-id>: Your Azure subscription ID,<resource-group-name>: The resource group containing your Azure Purview account,<purview-account-name>: The name of your Azure Purview account. - The query filters the Activity Logs for the specified resource (your Purview account). It looks for operations related to policy audits and specifically those with a "Deny" status. It extracts relevant details about the policy assignment and definition that caused the deny action.
- Run the query in Azure Data Explorer or Log Analytics workspace: Navigate to your Log Analytics workspace in the Azure portal, Open Logs under General settings, Paste the query and run it to get the results.
- The output will provide you with the details of the policy assignment and definition, including names and IDs, which can help you identify the specific policy causing the issue.
By running this query, you should be able to identify the deny policy that is blocking your Terraform operation. Once identified, you can review and modify the policy as necessary to allow the desired operation.
For more details refer to this: https://learn.microsoft.com/en-us/purview/register-scan-azure-multiple-sources#policies
https://learn.microsoft.com/en-us/purview/register-scan-azure-multiple-sources#policies
Hope this helps. Do let us know if you have any further queries.
If this answers your query, do click `Accept Answer` and `Yes` for was this answer helpful. And, if you have any further query do let us know.