Not getting the excludedActions on an Azure Blueprint to work

Erwin Staal 6 Reputation points MVP
2021-03-23T10:26:34.58+00:00

Hi all,

I'm deploying a Blueprint that contains a Recovery Services Vault. That Blueprint gets the read only lock. Now I want others, who are contributors on the particular resource group, to be able to still add a machine to that Recovery Services Vault. I therefore added the following action to the list of excludedActions on the blueprint: 'Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write' like so:

    "locks": { 
      "mode": "AllResourcesReadOnly", 
      "excludedActions": [ 
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write" 
      ] 
    } 

I however still get the error message saying that the deny assignment is blocking me from doing that. Nor do I see the above action in the deny assignment on the resource group as an exclusion.

Redacted error:

The client '<me>' with object id '' has permission to perform action 'Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/write' on scope '/subscriptions/<sub>/resourcegroups/<group>/providers/Microsoft.RecoveryServices/vaults/<VaultName>/backupFabrics/Azure/protectionContainers/<item>/protectedItems/<item>'; however, the access is denied because of the deny assignment with name 'Deny assignment '<assignmentId>' created by Blueprint Assignment '/providers/Microsoft.Management/managementGroups/<group>/providers/Microsoft.Blueprint/blueprintAssignments/<sub>-LockedBlueprintAssignment'.' and Id '<assignmentId>' at scope '/subscriptions/<subId>/resourceGroups/<group>/providers/Microsoft.RecoveryServices/vaults/<vaultName>'.

Azure Blueprints

Azure Policy


1 answer

  1. Torrey Trahanovsky 0 Reputation points Microsoft Employee
    2026-06-29T21:14:05.8966667+00:00

    For blueprint resource locks, the carve-outs go in the assignment's locks object via excludedPrincipals (and, where supported, excludedActions). A read-only lock blocks write actions for everyone except the excluded principals, so to let contributors add a VM/item to a Recovery Services Vault you generally need to exclude those principals on the lock - excludedActions alone often won't grant the management-plane calls. See the resource-locking concept docs for the exact lock schema. Forward-looking: Deployment Stacks "deny settings" provide the same capability via denySettingsExcludedPrincipals / denySettingsExcludedActions.

    Heads-up: Azure Blueprints (Preview) is being retired on January 31, 2027, with a phased retirement beginning July 31, 2026 (no new definitions/versions after Jul 31, 2026; no definition edits or new assignments after Oct 31, 2026; no assignment edits after Dec 31, 2026). Resources already deployed remain, but blueprint definitions, assignments, and locks (deny assignments) are removed at retirement - export anything you want to keep first.

    Recommended path: migrate to Azure Deployment Stacks (resource grouping, lifecycle management, and deny-assignment locking) plus Template Specs for versioned storage.

    • Retirement & timeline: https://aka.ms/AzureBlueprintsRetirement
    • Migration guide: https://aka.ms/AzureBlueprintsMigration
    • FAQ: https://aka.ms/AzureBlueprintsRetirementFAQ
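A way to check why the write in the question is still blocked, as an added example that is not part of this thread: the function below evaluates a deny assignment against a caller, action and scope using the rules deny assignments follow (scope inheritance, excludePrincipals overriding the principal list, and actions minus notActions matched case-insensitively with `*` wildcards). The deny assignment is a constructed sample shaped like the one a blueprint read-only lock creates, with placeholder ids and scopes; its notActions carry only the default `*/read`, which matches what the questioner saw: the vault write is not among the carve-outs, so it is denied.

```python
from fnmatch import fnmatchcase

# Constructed sample shaped like the deny assignment a blueprint read-only lock
# creates: "everyone" (the all-zero SystemDefined id) is denied every action
# except the notActions carve-outs. Ids and scopes are placeholders.
EVERYONE = "00000000-0000-0000-0000-000000000000"
SAMPLE_DENY_ASSIGNMENT = {
    "properties": {
        "denyAssignmentName": "Deny assignment '<assignmentId>' created by Blueprint Assignment",
        "scope": "/subscriptions/<sub>/resourceGroups/<group>",
        "doNotApplyToChildScopes": False,
        "permissions": [{"actions": ["*"], "notActions": ["*/read"],
                         "dataActions": [], "notDataActions": []}],
        "principals": [{"id": EVERYONE, "type": "SystemDefined"}],
        # excludedPrincipals from the blueprint lock land here
        "excludePrincipals": [{"id": "11111111-1111-1111-1111-111111111111",
                               "type": "ServicePrincipal"}],
    }
}

def _matches(action, patterns):
    """Azure action strings compare case-insensitively; '*' spans '/' too."""
    a = action.lower()
    return any(fnmatchcase(a, p.lower()) for p in patterns)

def is_denied(deny, action, principal_id, scope):
    """True if the deny assignment blocks `principal_id` doing `action` at `scope`."""
    p = deny["properties"]
    deny_scope, s = p["scope"].lower(), scope.lower()
    # 1. scope: applies at its own scope and, unless opted out, at child scopes
    child = s.startswith(deny_scope + "/") and not p["doNotApplyToChildScopes"]
    if not (s == deny_scope or child):
        return False
    # 2. principal: an excluded principal is never denied; otherwise the deny
    #    must name the caller directly or apply to everyone
    pid = principal_id.lower()
    if pid in {x["id"].lower() for x in p["excludePrincipals"]}:
        return False
    if not {pid, EVERYONE} & {x["id"].lower() for x in p["principals"]}:
        return False
    # 3. action: denied when matched by actions and not carved out by notActions
    return any(_matches(action, perm["actions"]) and not _matches(action, perm["notActions"])
               for perm in p["permissions"])

def carved_out_actions(deny):
    """The notActions list is where a lock's excludedActions would appear."""
    return [a for perm in deny["properties"]["permissions"] for a in perm["notActions"]]
```

Running `is_denied` with the vault scope from the error message and a contributor's object id returns True, and `carved_out_actions` shows only `*/read`, so the first thing to verify against a real deny assignment (via the Authorization deny assignments API) is whether the expected action or principal is actually present in notActions or excludePrincipals.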

