
New-AzPolicyAssignment - Version references have the form '{major}.{minor|*}[.*][-preview]' #27831

Open
@Romiko

Description

Policy definition format of 1.0.0 is not recognized as a valid version when trying to assign the policy with an explicit version.

Policy Definition

```json
{
  "properties": {
    "displayName": "GuardRails cannot delete lock to specific resources",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "With this policy: any resource that has the tag key LockLevel with the value CanNotDelete means authorized users can read and modify the resource, but they can not delete it.",
    "metadata": {
      "category": "GuardRails",
      "createdBy": "7cd95a03-6c7e-44fc-b1c1-27b220e89d60",
      "createdOn": "2025-05-23T04:43:38.0173451Z",
      "updatedBy": "7cd95a03-6c7e-44fc-b1c1-27b220e89d60",
      "updatedOn": "2025-05-23T04:56:03.5125828Z"
    },
    "version": "1.0.0",
    "parameters": {
      "tagValue": {
        "type": "string",
        "metadata": {
          "displayName": "Exclusion Tag Value",
          "description": "Value of the tag to use for excluding resources from this policy. This should be used along with the Exclusion Tag Name parameter."
        },
        "defaultValue": "exclude"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "DeployIfNotExists, AuditIfNotExists or Disabled the execution of the Policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "tagName": {
        "type": "string",
        "metadata": {
          "displayName": "Exclusion Tag Name",
          "description": "Name of the tag to use for excluding resources from this policy. This should be used along with the Exclusion Tag Value parameter."
        },
        "defaultValue": "GuardRailsPolicyExclusion"
      }
    },
    "policyRule": {
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "deployment": {
            "properties": {
              "template": {
                "parameters": {
                  "resourceType": { "type": "string" },
                  "resourceName": { "type": "string" }
                },
                "resources": [
                  {
                    "scope": "[concat(parameters('resourceType'),'/', parameters('resourceName'))]",
                    "properties": {
                      "level": "CanNotDelete",
                      "notes": "Locked by Azure Policy"
                    },
                    "name": "ResourceLockedByPolicy",
                    "apiVersion": "2016-09-01",
                    "type": "Microsoft.Authorization/locks"
                  }
                ],
                "outputs": {},
                "contentVersion": "1.0.0.0",
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "variables": {}
              },
              "parameters": {
                "resourceType": { "value": "[field('type')]" },
                "resourceName": { "value": "[field('name')]" }
              },
              "mode": "incremental"
            }
          },
          "existenceCondition": {
            "allOf": [
              { "In": [ "CanNotDelete" ], "field": "Microsoft.Authorization/locks/level" },
              { "equals": "Locked by Azure Policy", "field": "Microsoft.Authorization/locks/notes" }
            ]
          },
          "name": "ResourceLockedByPolicy",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
          ],
          "type": "Microsoft.Authorization/locks"
        }
      },
      "if": {
        "allOf": [
          { "equals": "CanNotDelete", "field": "tags.LockLevel" },
          { "equals": 2, "value": "[length(split(field('type'),'/'))]" },
          { "not": { "equals": "[parameters('tagValue')]", "field": "[concat('tags[',parameters('tagName'), ']')]" } }
        ]
      }
    },
    "versions": [ "1.0.0" ]
  },
  "id": "/subscriptions/2b588cd5-c197-48e2-b2d8-8facc009833b/providers/Microsoft.Authorization/policyDefinitions/GuardRails-CanNotDeleteLock",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "GuardRails-CanNotDeleteLock",
  "systemData": {
    "createdBy": "romikov@gmail.com",
    "createdByType": "User",
    "createdAt": "2025-05-23T04:43:37.9909707Z",
    "lastModifiedBy": "romikov@gmail.com",
    "lastModifiedByType": "User",
    "lastModifiedAt": "2025-05-23T04:56:03.4774832Z"
  }
}
```

Issue script & Debug output

```powershell
New-AzPolicyDefinition -Name $policyBaseName -DisplayName $policyDisplayName -Policy $policyDefinitionPath -SubscriptionId $subscriptionId -Metadata $metadata -ErrorAction Stop
$policy = Get-AzPolicyDefinition -Name $policyBaseName -ErrorAction Stop

New-AzPolicyAssignment -Name $policyBaseName -DisplayName $policyDisplayName -Scope $scope -PolicyDefinition $policy -IdentityType "SystemAssigned" -Location "australiaeast" -DefinitionVersion $policyVersion -ErrorAction Stop
```

```
New-AzPolicyAssignment_CreateExpanded : The policy resource 'GuardRails-CanNotDeleteLock' has invalid properties. The following
definition version references are not valid: '1.0.0'. Version references have the form '{major}.{minor|*}[.*][-preview]' where each
segment is a number without leading zeros or an asterisk. The major version number must be greater than zero.
At D:\Romiko\Documents\WindowsPowerShell\Modules\Az.Resources\8.0.0\Policy.Autorest\custom\New-AzPolicyAssignment.ps1:435 char:19
+     $scriptCmd = {& $wrappedCmd @calledParameters}
+                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: ({ }:<>f__AnonymousType1) [New-AzPolicyAssignment_CreateExpanded], Exception
    + FullyQualifiedErrorId : InvalidCreatePolicyAssignmentRequest,Microsoft.Azure.PowerShell.Cmdlets.Policy.Cmdlets.NewAzPolicyAss
   ignment_CreateExpanded
```

Environment data

```
Name                           Value
----                           -----
PSVersion                      5.1.26100.4061
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.26100.4061
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
```

Module versions

```
ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Script     5.0.0      Az.Accounts                         {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Clear-AzDefault...}
Script     1.7.1      Az.PolicyInsights                   {Get-AzPolicyAttestation, Get-AzPolicyEvent, Get-AzPolicyMetadata, Get-...
Script     8.0.0      Az.Resources                        {Export-AzResourceGroup, Export-AzTemplateSpec, Get-AzDenyAssignment, G...
```

Error output

Activity

- Added the `bug` and `needs-triage` labels on May 23, 2025
- Added and removed the `needs-triage` label on May 23, 2025
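
The error message in the issue spells out the form a version reference must take. The following PowerShell is an added example, not part of the original issue or of Az.Resources: it checks a `-DefinitionVersion` value against that form and derives a wildcard reference from an exact definition version such as `1.0.0`. The regular expressions and both function names are assumptions based on a reading of the error text; the service's own validation may differ.

```powershell
# Added example. Pattern for '{major}.{minor|*}[.*][-preview]' as quoted in the error:
# segments are numbers without leading zeros or '*', and major must be > 0.
# Assumption: this is a reading of the error message, not the service's validator.
$script:VersionReferencePattern =
    '^(?<major>[1-9][0-9]*)\.(?<minor>0|[1-9][0-9]*|\*)(?<patch>\.\*)?(?<preview>-preview)?$'

function Test-PolicyVersionReference {
    # Hypothetical helper: $true when the value has the reference form.
    param([Parameter(Mandatory)][string]$Reference)
    return $Reference -cmatch $script:VersionReferencePattern
}

function ConvertTo-PolicyVersionReference {
    # Hypothetical helper: turns an exact definition version ('1.0.0')
    # into a reference of the quoted form ('1.0.*').
    param([Parameter(Mandatory)][string]$DefinitionVersion)

    if (Test-PolicyVersionReference -Reference $DefinitionVersion) {
        return $DefinitionVersion    # already in reference form
    }

    $exact = '^(?<major>[1-9][0-9]*)\.(?<minor>0|[1-9][0-9]*)\.(?:0|[1-9][0-9]*)(?<preview>-preview)?$'
    if ($DefinitionVersion -cmatch $exact) {
        # $Matches['preview'] is $null when the suffix is absent and formats as ''.
        return '{0}.{1}.*{2}' -f $Matches['major'], $Matches['minor'], $Matches['preview']
    }

    throw "Cannot derive a version reference from '$DefinitionVersion'."
}

# Constructed sample inputs; '1.0.0' is the value rejected in the issue.
$samples = '1.0.0', '1.0.*', '1.*', '1.*.*', '2.3.*-preview', '0.1.*', '01.0.*'
$samples | ForEach-Object {
    [pscustomobject]@{
        Input     = $_
        ValidForm = Test-PolicyVersionReference -Reference $_
    }
} | Format-Table -AutoSize

# Derive a reference from the definition's exact version before assigning.
$policyVersion = ConvertTo-PolicyVersionReference -DefinitionVersion '1.0.0'
$policyVersion
```
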
Labels: bug, customer-reported, needs-triage
