The deny settings should only include valid guids as Excluded Principals

Nadia Hansen 5 Reputation points
2025-02-17T07:28:37.2266667+00:00

I’ve deployed deployment stacks across multiple subscriptions and included a principal in the denySettingsExcludedPrincipals parameter to exclude it from the deny assignment.

Everything was working fine for two weeks, but now it’s not functioning consistently. Deployment works for some stacks, but fails for others, even though I’m excluding the same principal. The failures are random and not consistent across the same stacks each time. This issue started two days ago.

Please help.

41 | New-AzManagementGroupDeploymentStack @splat -Force
 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 | 06:59:58 - Error: Code=DeploymentStackInvalidDeploymentStackDefinition;
 | Message=The deployment stack is invalid. The deny settings should only
 | include valid guids as Excluded Principals 

Azure Resource Mover

1 answer

  1. Madugula Jahnavi 0 Reputation points Microsoft Vendor
    2025-02-19T07:00:26.49+00:00

    Hi Nadia Hansen,

    Everything was working fine for two weeks, but now it’s not functioning consistently.

    For the above error or conflict, it is possible that some changes were performed on the stack-deployed resources.

    But coming to the error message saying that the "Deny settings should only include valid exclude principal Ids", it is possible that one of the excluded principal IDs is not in a valid format as per the defined pattern.

    In order to check it, first define an array of the principal IDs to be excluded, as shown below.

    # Candidate principal object IDs; only the second entry is a well-formed GUID
    $excludedids = @(
        "e24xxx0e5387c7",
        "36df4f88-3b42-4c41-85b1-91aa5c55e607",
        "Jahnavi-id",
        "aklsjd",
        "----id"
    )

    Now, write a PowerShell function that stores all the valid GUIDs in one array for further execution.

    function Validateid {
        param (
            [string[]]$excludedids
        )
        $validids = @()
        # Canonical dashed GUID form: 8-4-4-4-12 hexadecimal digits
        $idPattern = '^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$'

        foreach ($id in $excludedids) {
            if ($id -match $idPattern) {
                $validids += $id
            }
        }
        return $validids
    }

    # $validids inside the function is local to it, so capture the result in the caller's scope
    $validids = Validateid -excludedids $excludedids

    Once that is done, pass the $validids array to the -DenySettingsExcludedPrincipal argument as shown below.

    New-AzManagementGroupDeploymentStack -Name "newmgdep" -ManagementGroupId 9xxxd -DeploymentSubscriptionId fxxxx0 -TemplateFile template.bicep -Location eastus -DenySettingsExcludedPrincipal $validids
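    A stricter variant of the validation step above, added here as an example rather than taken from the answer: it parses each entry with [guid]::TryParse, normalises case and whitespace so duplicates collapse, and fails closed on any invalid entry instead of silently dropping it, since a principal that is dropped from the exclusion list is no longer exempt from the deny assignment. Test-ExcludedPrincipalId, $candidateIds and the placeholder IDs in the splat are this example's own assumptions.

```powershell
# Added example (not part of the original answer): validate the excluded-principal
# list strictly before it reaches New-AzManagementGroupDeploymentStack.
# Test-ExcludedPrincipalId and $candidateIds are names this example assumes.
function Test-ExcludedPrincipalId {
    param ([Parameter(Mandatory)] [string[]] $Ids)
    $valid   = [System.Collections.Generic.List[string]]::new()
    $invalid = @()
    for ($i = 0; $i -lt $Ids.Count; $i++) {
        $raw = $Ids[$i].Trim()
        $g   = [guid]::Empty
        # TryParse accepts several layouts (dashes, braces, any case); ToString('D')
        # normalises to the dashed lowercase form, so duplicates collapse to one entry.
        if (-not [guid]::TryParse($raw, [ref]$g) -or $g -eq [guid]::Empty) {
            $invalid += ("[{0}] '{1}'" -f $i, $raw)
            continue
        }
        $norm = $g.ToString('D')
        if (-not $valid.Contains($norm)) { $valid.Add($norm) }
    }
    if ($invalid.Count -gt 0) {
        # Fail closed: dropping an entry silently would leave that principal under the
        # deny assignment, which is exactly the outage the exclusion list is meant to avoid.
        throw "Invalid excluded principal id(s): $($invalid -join ', ')"
    }
    return ,$valid.ToArray()
}

# Constructed sample input mirroring the shapes used in the answer above.
$candidateIds = @(
    "36df4f88-3b42-4c41-85b1-91aa5c55e607",
    " 36DF4F88-3B42-4C41-85B1-91AA5C55E607 ",   # same id, other case/whitespace: deduplicated
    "e24xxx0e5387c7"                            # not a GUID: the function throws
)

try {
    $excluded = Test-ExcludedPrincipalId -Ids $candidateIds
    $splat = @{
        Name                          = 'newmgdep'
        ManagementGroupId             = '<management-group-id>'   # placeholder
        DeploymentSubscriptionId      = '<subscription-id>'       # placeholder
        TemplateFile                  = 'template.bicep'
        Location                      = 'eastus'
        ActionOnUnmanage              = 'DetachAll'
        DenySettingsMode              = 'DenyDelete'
        DenySettingsExcludedPrincipal = $excluded
    }
    New-AzManagementGroupDeploymentStack @splat -Force
} catch {
    Write-Error $_
}
```

    With the sample input as written, the third entry makes the function throw and the stack is never submitted; remove it and the two remaining entries collapse to a single normalised GUID that is passed through.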
    


    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.

