Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
Azure Policy to Auto Associate Resources to NSP
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 42%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETS%3C/text%3E%3C/svg%3E)
Tapasya Sharma
0
Reputation points Microsoft Employee
I have a created an Azure Policy to Auto Associate Resources to NSP in Enforced mode once any new resources are created in my subscription. However, upon assigning this policy to my subscription all my resources are non-compliant, and new resources I create are not compliant by the policy either by auto-associating. I created a remediation task with and without 'ResourceDiscoveryMode' set to 'ReEvaluateCompliance. However, I continue to get this error saying there is no evaluation from the policy. Could you please help identify the issue here and correct it to auto associate any resources in enforced mode?
Expected behaviour:
Is to auto associate any new resources created to PPE NSP in enforced mode and pass compliance with existing resources by remediating.
Existing behaviour:
- Unable to auto associate any new resources created
- Unable to pass compliance even though existing resource association to NSP exists
- Remediation tasks fail even 'ResourceDiscoveryMode' set to 'ReEvaluateCompliance'
- NoPolicyEvaluationResult deployment error received
Policy definition:
"properties": {
"displayName": "Auto-Associate-Resources-To-NSP",
"policyType": "Custom",
"mode": "Indexed",
"description": "",
"metadata": {
"category": "Network-Security-Perimeter",
"createdBy": "7e4f6cdd-81b5-4b29-b6e1-dff1cea96b93",
"createdOn": "2026-02-26T20:37:44.8507596Z",
"updatedBy": "7e4f6cdd-81b5-4b29-b6e1-dff1cea96b93",
"updatedOn": "2026-02-27T23:16:24.6740823Z"
},
"version": "1.0.0",
"policyRule": {
"if": {
"field": "type",
"in": [
"Microsoft.Storage/storageAccounts",
"Microsoft.KeyVault/vaults",
"Microsoft.DocumentDB/databaseAccounts"
]
},
"then": {
"effect": "deployIfNotExists",
"details": {
"type": "Microsoft.Network/networkSecurityPerimeters/resourceAssociations",
"resourceGroupName": "MOR-PME-PPE",
"existenceCondition": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/networkSecurityPerimeters/resourceAssociations"
},
{
"field": "name",
"equals": "[concat('nsp-OrganizationMasterNSP-PPE/', field('name'), '_association')]"
}
]
},
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"deployment": {
"properties": {
"mode": "incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"resourceName": {
"type": "string"
},
"resourceId": {
"type": "string"
},
"resourceType": {
"type": "string"
},
"baseName": {
"type": "string"
},
"environment": {
"type": "string"
},
"resourceGroup": {
"type": "string"
},
"location": {
"type": "string"
}
},
"variables": {
"nspName": "[concat('nsp-', parameters('baseName'), '-', parameters('environment'))]",
"profileName": "[if(equals(parameters('resourceType'), 'Microsoft.Storage/storageAccounts'), 'StoragePPEProfile', if(equals(parameters('resourceType'), 'Microsoft.KeyVault/vaults'), 'KVPPEProfile', 'CosmosPPEProfile'))]",
"associationName": "[concat('nsp-', parameters('baseName'), '-', parameters('environment'), '/', parameters('resourceName'), '_association')]"
},
"resources": [
{
"type": "Microsoft.Network/networkSecurityPerimeters/resourceAssociations",
"apiVersion": "2024-06-01-preview",
"name": "[variables('associationName')]",
"location": "[parameters('location')]",
"properties": {
"profile": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', parameters('resourceGroup'), '/providers/Microsoft.Network/networkSecurityPerimeters/', variables('nspName'), '/profiles/', variables('profileName'))]"
},
"accessMode": "Enforced",
"privateLinkResource": {
"id": "[parameters('resourceId')]"
}
}
}
]
},
"parameters": {
"resourceName": {
"value": "[field('name')]"
},
"resourceId": {
"value": "[field('id')]"
},
"resourceType": {
"value": "[field('type')]"
},
"baseName": {
"value": "OrganizationMasterNSP"
},
"environment": {
"value": "PPE"
},
"resourceGroup": {
"value": "MOR-PME-PPE"
},
"location": {
"value": "[field('location')]"
}
}
}
}
}
}
},
"versions": [
"1.0.0"
]
},
Deployment error:
Azure Policy
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(16, 97%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Suchitra Suregaunkar 9,270 Reputation points Microsoft External Staff Moderator2026-03-03T01:27:55.79+00:00 Hello Tapasya Sharma
Thanks for sharing the screenshot.
Error code:
NoPolicyEvaluationResultThis error occurs when you try to run Policy Remediation, but Azure Policy has no current compliance evaluation data for the targeted resources.
Remediation can only run on resources that already have a compliance state. If no evaluation result exists, remediation fails.
One or more of the following is true for the error that you got:
1. Policy was recently created, updated, or reassigned
- Compliance scan hasn’t run yet.
2. Policy exclusions or scope were changed
- Old compliance data became invalid.
- Resources were created before the policy existed
- They were never evaluated.
- Compliance data was cleared or expired
- Happens after policy definition/assignment changes.
As a resolution you must force a policy compliance re‑evaluation first, then rerun remediation.
Option 1: Re‑evaluate compliance (Portal – Recommended)
- Go to Azure Portal
- Navigate to Azure Policy
- Select Compliance
- Click Re-evaluate compliance
- Wait until the policy shows a Non-compliant or Compliant state
- Retry Remediation
Option 2: Re‑evaluate compliance using CLI command,
az policy state trigger-scanThen rerun the remediation once compliance data appears.
Option 3: Delete and recreate remediation task
If re‑evaluation does not help:
- Delete the existing remediation task
- Ensure the policy assignment still exists and scope is correct
- Trigger Re-evaluate compliance
- Create a new remediation task
Remediation cannot create compliance data, Compliance must exist before remediation, Compliance evaluation is not instantaneous. Any change to policy definition, scope, or exclusions invalidates prior results.
Thanks,
Suchitra. -
Suchitra Suregaunkar 9,270 Reputation points Microsoft External Staff Moderator
2026-03-03T21:24:42.07+00:00 Hello @Tapasya Sharma I hope the details shared above helped in addressing your concern. If the suggested resolution resolved the issue, kindly consider marking the answer as "Accepted" and "Upvote" it. This helps other community members who may encounter a similar issue in the future. If you’re still experiencing the problem or need further clarification, please feel free to share additional information so we can continue investigating and assist you further.
Thanks, Suchitra.
-
Tapasya Sharma 0 Reputation points Microsoft Employee
2026-03-04T18:19:00.82+00:00 Hi @Suchitra Suregaunkar so I had already tried re-evaluating compliance and creating a new remediation task however that did not work as mentioned in my initial post too. Please let me know how can I debug it further, thanks!
-
Suchitra Suregaunkar 9,270 Reputation points Microsoft External Staff Moderator
2026-03-04T19:04:21.03+00:00 Hello @Tapasya Sharma @Tapasya Sharma
The issue is not with remediation tasks or
ResourceDiscoveryMode. The root cause is an incorrectexistenceConditionimplementation in thedeployIfNotExistspolicy.Because the
existenceConditionnever evaluates to true, Azure Policy:- Marks all resources as non‑compliant
- Never finds a valid policy evaluation result
- Causes remediation tasks to fail with
NoPolicyEvaluationResult - Does not auto‑associate new resources to the NSP
This behavior is expected when
existenceConditiondoes not correctly match the related resource.Your policy checks this condition:
{ "field": "name", "equals": "[concat('nsp-OrganizationMasterNSP-PPE/', field('name'), '_association')]" }This is invalid for
deployIfNotExistsbecause:-
existenceConditionis evaluated against the related resource -
field('name')insideexistenceConditionrefers to the resourceAssociation, not the original Storage / Key Vault / Cosmos DB resource - NSP resource association names are system‑generated and not guaranteed to match this constructed value
As a result, Azure Policy never detects an existing association, even when one exists.
Supported Way to Validate NSP Association:
deployIfNotExistsshould validate properties of the related resource, not its constructed name.For Network Security Perimeter associations, Microsoft exposes policy aliases that must be used.
Correct Existence Check which is supported:
Validate:
- The association points to the evaluated resource
- The access mode is
Enforced
"existenceCondition": { "allOf": [ { "field": "Microsoft.Network/networkSecurityPerimeters/resourceAssociations/privateLinkResource.id", "equals": "[field('id')]" }, { "field": "Microsoft.Network/networkSecurityPerimeters/resourceAssociations/accessMode", "equals": "Enforced" } ] }Update the policy to use property‑based existenceCondition
Re‑assign the policy (or trigger re‑evaluation)
Run remediation for existing resources
Validate via Policy Compliance → Compliance Details
Reference: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-deploy-if-not-exists
Azure Policy aliases for NSP resource associations confirms supported fields like privateLinkResource.id and accessMode:
https://policyalias.mats.codes/Microsoft.Network/networkSecurityPerimeters-resourceAssociations/
Network Security Perimeter – Resource Associations schema:
Thanks,
Suchitra. -
Suchitra Suregaunkar 9,270 Reputation points Microsoft External Staff Moderator
2026-03-05T20:02:48.34+00:00 Hello @Tapasya Sharma @Tapasya Sharma
Kindly let us know if the solution provided worked for you.
If you need any further assistance, please feel free to reach out.
If you found the comment helpful, please consider clicking "Upvote it".
Thanks,
Suchitra. -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 68%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBY%3C/text%3E%3C/svg%3E)
Bharath Y P 5,800 Reputation points Microsoft External Staff Moderator2026-03-06T14:23:08.06+00:00 Hello Tapasya Sharma, If you updated the policy definition, reassigned it, and created a new resource but it still doesn’t work, the next step is to confirm whether Azure Policy is evaluating the resource at all. The
NoPolicyEvaluationResulterror almost always means the resource never matched the policy rule, so Azure Policy never produced a compliance record.There may be some structural changes required, which could be the reason you’re seeing the
NoPolicyEvaluationResulterror and why new resources aren’t being auto‑associated.Policy Mode change:
Your policy uses:
"mode": "Indexed"Indexed mode only evaluates resources that support tags and location indexing, and many network or child resources used by NSP policies are not evaluated in this mode.
Because of this Azure Policy never evaluates your rule, no compliance record is generated and Remediation shows
NoPolicyEvaluationResult.You can modify to:
"mode": "All"and then reassign the policy.Modify existenceCondition:
Your existence condition checks the name:
{ "field": "name", "equals": "[concat('nsp-OrganizationMasterNSP-PPE/', field('name'), '_association')]" }This is not reliable for
DeployIfNotExistsbecause Azure Policy evaluates existence by resource properties, not by constructed names. If the name does not match exactly, policy thinks the resource does not exist, but at the same time evaluation may fail.Also, checking:
{ "field": "type", "equals": "Microsoft.Network/networkSecurityPerimeters/resourceAssociations" }It seems inside
existenceConditionis unnecessary.Instead check the associated resource id:
"existenceCondition": { "field": "Microsoft.Network/networkSecurityPerimeters/resourceAssociations/privateLinkResource.id", "equals": "[field('id')]" }This confirms the resource is already associated to the NSP.
Missing existenceScope: Because the association resource is in a different resource group (MOR-PME-PPE), Azure Policy may not find it during evaluation.
Your policy currently only has:
"resourceGroupName": "MOR-PME-PPE"But DeployIfNotExists also needs
existenceScope. To fix this you can addexistenceScope"existenceScope": "resourceGroup"Policy Might Not Re-Evaluate New Resources Immediately. Even after fixing the policy, the policy evaluation runs every ~30 minutes.
DeployIfNotExistsruns after evaluationYou can trigger it manually and Wait 10–15 minutes.
az policy state trigger-scan --subscription <subscription-id>Hope this helps! Thanks
-
Tapasya Sharma 0 Reputation points Microsoft Employee
2026-03-10T02:50:14.6733333+00:00 Hi @Suchitra Suregaunkar @Bharath Y P Thank you for the suggestions. I incorporated them and created a new JSON which has been shared with Suchitra over chat. However, I received the same error code after modifying the JSON. Could you please help identify the issue? Thank you.
-
Suchitra Suregaunkar 9,270 Reputation points Microsoft External Staff Moderator
2026-03-11T04:31:41.8733333+00:00 Hello Tapasya Sharma, Sure, we are looking this issue and will keep you posted updates.
Sign in to comment
Sign in to answer