Azure Policy - No related resources match the effect details in the policy definition. (Error code: BadRequest)


On my Azure subscriptions, I've been using Azure Policy to apply policies and help secure the resources in those subscriptions. However, I encountered this error on 2 policies, namely:

  • Windows Defender Exploit Guard should be enabled on your machines
  • Windows web servers should be configured to use secure communication protocols

I found the error message by opening the policies' page and then selecting the error message under 'Compliance reason'.


As per the compliance details page, it wasn't clear what the reason for the error was and how to remediate it. Also, it wasn't clear how Microsoft Guest Configuration was checking and reporting its status to Azure Policy.


After a couple of days of troubleshooting and scouring the Internet, I raised a ticket with Microsoft Support. After more troubleshooting with them, we managed to figure out the root cause: Microsoft.GuestConfiguration was not registered as a Resource Provider in the subscription...


Once Microsoft.GuestConfiguration is registered as a Resource Provider, and after triggering a compliance scan and waiting for it to finish, the compliance reason will be updated to one of the following values:

  • Compliant: The resource meets the compliance requirements fully.
  • NoComplianceReport: The resource does not have a compliance report even after the scan was completed.
    • I noticed this reason appears on Virtual Machines (VMs) that have the Microsoft Guest Configuration extension installed but are powered off. Powering on the VM and triggering the compliance scan again would update this value.
  • Details: Select the value to view more details on reason for non-compliance.
    • In my scenario for policy 'Windows Defender Exploit Guard should be enabled on your machines', I got this non-compliance reason: "Current value must be equal to the target value." This is expected as I had not deployed the registry changes to the non-compliant VM.
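
The fix described above, written as an Azure CLI script. This is an added example and not part of the original post; the function names and the `SUBSCRIPTION_ID` environment variable are assumptions, and it expects a logged-in Azure CLI with rights to register resource providers.

```shell
#!/bin/sh
# Added example: make sure Microsoft.GuestConfiguration is registered in a
# subscription, then run an on-demand Azure Policy compliance scan.

NAMESPACE="Microsoft.GuestConfiguration"

# Print the provider's registration state (Registered, NotRegistered, Registering, ...).
provider_state() {
  az provider show --namespace "$NAMESPACE" --subscription "$1" \
    --query registrationState --output tsv
}

# Register the provider if needed and poll until it reports Registered.
# $1 = subscription id, $2 = max polls (default 30), $3 = seconds between polls (default 10)
ensure_registered() {
  local sub="$1" tries="${2:-30}" delay="${3:-10}" state
  state="$(provider_state "$sub")" || return 1
  if [ "$state" = "Registered" ]; then
    echo "already-registered"
    return 0
  fi
  az provider register --namespace "$NAMESPACE" --subscription "$sub" >/dev/null || return 1
  while [ "$tries" -gt 0 ]; do
    state="$(provider_state "$sub")" || return 1
    [ "$state" = "Registered" ] && { echo "registered"; return 0; }
    tries=$((tries - 1))
    sleep "$delay"
  done
  echo "timeout:$state"
  return 1
}

# Register first, then trigger the scan. Without --no-wait the command blocks
# until the scan has finished, so compliance reasons are fresh when it returns.
fix_and_scan() {
  ensure_registered "$1" "${2:-30}" "${3:-10}" || return 1
  az policy state trigger-scan --subscription "$1"
}

# Runs only when SUBSCRIPTION_ID (assumed variable name) is set by the caller.
if [ -n "${SUBSCRIPTION_ID:-}" ]; then
  fix_and_scan "$SUBSCRIPTION_ID"
fi
```

VMs that are powered off will still show NoComplianceReport after the scan, as noted above.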

In another post, I will write about how to debug deeper to understand the error codes and reasons for non-compliant resources on Azure.
