Description
A policy definition version of 1.0.0 is not recognized as a valid version when trying to assign the policy with an explicit version.
Policy Definition
```json
{
  "properties": {
    "displayName": "GuardRails cannot delete lock to specific resources",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "With this policy: any resource that has the tag key LockLevel with the value CanNotDelete means authorized users can read and modify the resource, but they can not delete it.",
    "metadata": { "category": "GuardRails", "createdBy": "7cd95a03-6c7e-44fc-b1c1-27b220e89d60", "createdOn": "2025-05-23T04:43:38.0173451Z", "updatedBy": "7cd95a03-6c7e-44fc-b1c1-27b220e89d60", "updatedOn": "2025-05-23T04:56:03.5125828Z" },
    "version": "1.0.0",
    "parameters": {
      "tagValue": { "type": "string", "metadata": { "displayName": "Exclusion Tag Value", "description": "Value of the tag to use for excluding resources from this policy. This should be used along with the Exclusion Tag Name parameter." }, "defaultValue": "exclude" },
      "effect": { "type": "String", "metadata": { "displayName": "Effect", "description": "DeployIfNotExists, AuditIfNotExists or Disabled the execution of the Policy" }, "allowedValues": [ "DeployIfNotExists", "AuditIfNotExists", "Disabled" ], "defaultValue": "DeployIfNotExists" },
      "tagName": { "type": "string", "metadata": { "displayName": "Exclusion Tag Name", "description": "Name of the tag to use for excluding resources from this policy. This should be used along with the Exclusion Tag Value parameter." }, "defaultValue": "GuardRailsPolicyExclusion" }
    },
    "policyRule": {
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "deployment": {
            "properties": {
              "template": {
                "parameters": { "resourceType": { "type": "string" }, "resourceName": { "type": "string" } },
                "resources": [ { "scope": "[concat(parameters('resourceType'),'/', parameters('resourceName'))]", "properties": { "level": "CanNotDelete", "notes": "Locked by Azure Policy" }, "name": "ResourceLockedByPolicy", "apiVersion": "2016-09-01", "type": "Microsoft.Authorization/locks" } ],
                "outputs": {},
                "contentVersion": "1.0.0.0",
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "variables": {}
              },
              "parameters": { "resourceType": { "value": "[field('type')]" }, "resourceName": { "value": "[field('name')]" } },
              "mode": "incremental"
            }
          },
          "existenceCondition": { "allOf": [ { "In": [ "CanNotDelete" ], "field": "Microsoft.Authorization/locks/level" }, { "equals": "Locked by Azure Policy", "field": "Microsoft.Authorization/locks/notes" } ] },
          "name": "ResourceLockedByPolicy",
          "roleDefinitionIds": [ "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635" ],
          "type": "Microsoft.Authorization/locks"
        }
      },
      "if": { "allOf": [ { "equals": "CanNotDelete", "field": "tags.LockLevel" }, { "equals": 2, "value": "[length(split(field('type'),'/'))]" }, { "not": { "equals": "[parameters('tagValue')]", "field": "[concat('tags[',parameters('tagName'), ']')]" } } ] }
    },
    "versions": [ "1.0.0" ]
  },
  "id": "/subscriptions/2b588cd5-c197-48e2-b2d8-8facc009833b/providers/Microsoft.Authorization/policyDefinitions/GuardRails-CanNotDeleteLock",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "GuardRails-CanNotDeleteLock",
  "systemData": { "createdBy": "romikov@gmail.com", "createdByType": "User", "createdAt": "2025-05-23T04:43:37.9909707Z", "lastModifiedBy": "romikov@gmail.com", "lastModifiedByType": "User", "lastModifiedAt": "2025-05-23T04:56:03.4774832Z" }
}
```
Issue script & Debug output
```powershell
# Create the definition from the JSON above, then look it up and assign it
# with an explicit -DefinitionVersion (the value that is rejected below).
New-AzPolicyDefinition -Name $policyBaseName -DisplayName $policyDisplayName -Policy $policyDefinitionPath -SubscriptionId $subscriptionId -Metadata $metadata -ErrorAction Stop
$policy = Get-AzPolicyDefinition -Name $policyBaseName -ErrorAction Stop
New-AzPolicyAssignment -Name $policyBaseName -DisplayName $policyDisplayName -Scope $scope -PolicyDefinition $policy -IdentityType "SystemAssigned" -Location "australiaeast" -DefinitionVersion $policyVersion -ErrorAction Stop
```
```text
New-AzPolicyAssignment_CreateExpanded : The policy resource 'GuardRails-CanNotDeleteLock' has invalid properties. The following
definition version references are not valid: '1.0.0'. Version references have the form '{major}.{minor|*}[.*][-preview]' where each
segment is a number without leading zeros or an asterisk. The major version number must be greater than zero.
At D:\Romiko\Documents\WindowsPowerShell\Modules\Az.Resources\8.0.0\Policy.Autorest\custom\New-AzPolicyAssignment.ps1:435 char:19
+ $scriptCmd = {& $wrappedCmd @calledParameters}
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: ({ }:<>f__AnonymousType1) [New-AzPolicyAssignment_CreateExpanded], Exception
+ FullyQualifiedErrorId : InvalidCreatePolicyAssignmentRequest,Microsoft.Azure.PowerShell.Cmdlets.Policy.Cmdlets.NewAzPolicyAssignment_CreateExpanded
```
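To make the rejection concrete, here is an added example (not part of the issue or of the Az.Resources module) that checks a string against the version-reference grammar quoted in the error message and derives a reference in that form from a definition's full version. The regex is my reading of the error text, not Azure's implementation, and the assumption that a definition version is always `{major}.{minor}.{patch}[-preview]` comes from the `"version": "1.0.0"` in the definition above.

```python
import re

# Grammar quoted from the error message in the issue:
#   '{major}.{minor|*}[.*][-preview]'
# each segment a number without leading zeros or an asterisk, major > 0.
# This regex is the editor's reading of that text, not Azure's own code.
VERSION_REF = re.compile(
    r"^(?P<major>[1-9][0-9]*)"          # major: number, no leading zero, > 0
    r"\.(?P<minor>0|[1-9][0-9]*|\*)"    # minor: number without leading zeros, or *
    r"(?P<patch>\.\*)?"                 # optional third segment: only '*' is allowed
    r"(?P<preview>-preview)?$"          # optional -preview suffix
)


def is_valid_version_reference(ref: str) -> bool:
    """True when ref matches the version-reference form from the error message."""
    return VERSION_REF.fullmatch(ref) is not None


def definition_version_to_reference(version: str) -> str:
    """Derive a version reference from a definition's full 'version' value.

    Assumption: a definition version looks like '{major}.{minor}.{patch}' with an
    optional '-preview' suffix (e.g. the "1.0.0" in the definition above).
    Returns '{major}.{minor}.*' plus the suffix, which is in the valid form; whether
    the service resolves it to the intended definition version is for the caller
    to confirm against the Azure Policy documentation.
    """
    base, sep, suffix = version.partition("-")
    parts = base.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected definition version format: {version!r}")
    ref = f"{parts[0]}.{parts[1]}.*" + (sep + suffix if sep else "")
    if not is_valid_version_reference(ref):
        raise ValueError(f"derived reference {ref!r} is not in the valid form")
    return ref


if __name__ == "__main__":
    # "1.0.0" fails because the third segment may only be '*'; "1.0.*" passes.
    for candidate in ["1.0.0", "1.0", "1.0.*", "1.*", "0.1", "1.01", "1.0.*-preview"]:
        print(f"{candidate:15} valid={is_valid_version_reference(candidate)}")
    print("1.0.0 ->", definition_version_to_reference("1.0.0"))
```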
Environment data
```text
Name                           Value
----                           -----
PSVersion                      5.1.26100.4061
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.26100.4061
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
```
Module versions
```text
ModuleType Version Name              ExportedCommands
---------- ------- ----              ----------------
Script     5.0.0   Az.Accounts       {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Clear-AzDefault...}
Script     1.7.1   Az.PolicyInsights {Get-AzPolicyAttestation, Get-AzPolicyEvent, Get-AzPolicyMetadata, Get-...
Script     8.0.0   Az.Resources      {Export-AzResourceGroup, Export-AzTemplateSpec, Get-AzDenyAssignment, G...
```