-
Received an error while following the guided lab for Creating an Azure Cosmos DB
updated 2 weeks, 1 day ago
2 Members
·
7
Posts
-
I’m currently following the guided lab for <b style=”font-family: inherit; font-size: inherit;”>Creating an Azure Cosmos DB for NoSQL account.
I followed all of the steps to the letter but when I hit “Review + Create”, my db keeps failing validation with the following errors:
Resource ‘sean-db’ was disallowed by policy. (Code: RequestDisallowedByPolicy, Policy(s): database-restriction-azure-lab-rg-KnZ
The client ‘td-azure-lab-KnZpiUgiaw4E@azurelabstutorialsdojo.onmicrosoft.com’ with object id ‘5f7b21a8-bbcc-48cd-995d-e0536886559d’ does not have authorization to perform action ‘Microsoft.Authorization/policyAssignments/read’ over scope ‘/subscriptions/02ab71f8-4a53-4bb4-af26-ead3a81c9750/resourceGroups/azure-lab-rg-KnZpiUgiaw4E/providers/Microsoft.Authorization/policyAssignments/region-restriction-azure-lab-rg-KnZpiUgiaw4E’ or the scope is invalid. If access was recently granted, please refresh your credentials.
Has anyone encountered these before? Should I take this up with Microsoft support or TutorialDojo?
-
Hello SeanC,
Thank you for bringing this to our attention.
We’ll check this on our end and will get back to you as soon as possible.
Regards,
JR @ Tutorials Dojo -
Hello SeanC,
We’ve tested the guided lab and weren’t able to replicate the issue. To help us confirm whether your configuration settings are correct, could you please share a screenshot of the Review + Create page? Specifically, we’d like to see the configuration details shown there along with the validation errors. This will allow us to verify your setup and identify if the policy enforcement is tied to a particular configuration choice.
We appreciate your patience as we work through this.
Regards,
JR @ Tutorials Dojo -
Hi JR, thank you for assisting me with this. Attached is the request screenshot of the Review + Create page you requested. I’m also including the full error. Please let me know if anything else is needed.
{
“code”: “InvalidTemplateDeployment”,
“message”: “The template deployment failed because of policy violation. Please see details for more information.”,
“details”: [
{
“code”: “RequestDisallowedByPolicy”,
“target”: “sean-db”,
“message”: “Resource ‘sean-db’ was disallowed by policy. Policy identifiers: ‘[{\”policyAssignment\”:{\”name\”:\”database-restriction-azure-lab-rg-KV3AMEMseJB8\”,\”id\”:\”/subscriptions/02ab71f8-4a53-4bb4-af26-ead3a81c9750/resourceGroups/azure-lab-rg-KV3AMEMseJB8/providers/Microsoft.Authorization/policyAssignments/database-restriction-azure-lab-rg-KV3AMEMseJB8\”},\”policyDefinition\”:{\”name\”:\”Allow only cost-effective database configurations for labs\”,\”id\”:\”/subscriptions/02ab71f8-4a53-4bb4-af26-ead3a81c9750/providers/Microsoft.Authorization/policyDefinitions/restrict-database-tiers-lab-shared\”,\”version\”:\”1.0.0\”}}]’.”,
“additionalInfo”: [
{
“type”: “PolicyViolation”,
“info”: {
“evaluationDetails”: {
“evaluatedExpressions”: [
{
“result”: “True”,
“expressionKind”: “Field”,
“expression”: “type”,
“path”: “type”,
“expressionValue”: “Microsoft.DocumentDb/databaseAccounts”,
“targetValue”: “Microsoft.DocumentDB/databaseAccounts”,
“operator”: “Equals”
},
{
“result”: “True”,
“expressionKind”: “Field”,
“expression”: “type”,
“path”: “type”,
“expressionValue”: “Microsoft.DocumentDb/databaseAccounts”,
“targetValue”: “Microsoft.DocumentDB/databaseAccounts”,
“operator”: “Equals”
},
{
“result”: “True”,
“expressionKind”: “Field”,
“expression”: “Microsoft.DocumentDB/databaseAccounts/capacityMode”,
“path”: “properties.capacityMode”,
“expressionValue”: “Serverless”,
“targetValue”: “Provisioned”,
“operator”: “NotEquals”
}
]
},
“policyDefinitionId”: “/subscriptions/02ab71f8-4a53-4bb4-af26-ead3a81c9750/providers/Microsoft.Authorization/policyDefinitions/restrict-database-tiers-lab-shared”,
“policyDefinitionName”: “restrict-database-tiers-lab-shared”,
“policyDefinitionDisplayName”: “Allow only cost-effective database configurations for labs”,
“policyDefinitionVersion”: “1.0.0”,
“policyDefinitionEffect”: “deny”,
“policyAssignmentId”: “/subscriptions/02ab71f8-4a53-4bb4-af26-ead3a81c9750/resourceGroups/azure-lab-rg-KV3AMEMseJB8/providers/Microsoft.Authorization/policyAssignments/database-restriction-azure-lab-rg-KV3AMEMseJB8”,
“policyAssignmentName”: “database-restriction-azure-lab-rg-KV3AMEMseJB8”,
“policyAssignmentDisplayName”: “”,
“policyAssignmentScope”: “/subscriptions/02ab71f8-4a53-4bb4-af26-ead3a81c9750/resourceGroups/azure-lab-rg-KV3AMEMseJB8”,
“policyAssignmentParameters”: {},
“policyExemptionIds”: [],
“policyEnrollmentIds”: []
}
}
]
}
]
}
-
Hello SeanC,
The validation error is happening because the lab environment enforces strict service limits. In this case, the capacity mode you selected is Serverless, but the only supported option in the lab is Provisioned throughput. This restriction is explicitly mentioned in the service limits for the guided lab you’re following.
https://portal.tutorialsdojo.com/courses/azure-playcloud-labs/lessons/azure-playcloud-labs/
To resolve the issue:
- Go back to the Capacity mode setting when creating the Cosmos DB account.
- Switch from Serverless to Provisioned throughput.
- Re-run the validation and deployment. It should succeed once the policy requirement is met.
Let me know if this helps.
Regards,
JR @ Tutorials Dojo
-
-
Hi JR,
Thank you for your guidance. That worked.
For the record, there is no explicit mention that the only supported capacity mode is Provisioned throughput in the Cosmos DB module. I did go back and re-read the introductory module and it’s stated there.
In the Creating an Azure Cosmos DB module, the only appearance of Provisioned throughput in this module is this one screenshot.
For future reference, you may want to reiterate the specifics of what’s allowed in each module to avoid confusion.
-
Hello SeanC,
Thank you for confirming.
You’re absolutely right. While the introductory module does state that only provisioned throughput is supported, the Cosmos DB lab itself doesn’t reiterate that detail beyond the screenshot you mentioned. I appreciate you pointing this out.
For future iterations, we’ll make sure to clearly restate the supported capacity modes within each module to avoid any confusion. Your feedback helps us improve the clarity and consistency of the learning experience.
Thanks again for taking the time to share this insight.
Best regards,
JR @ Tutorials Dojo
-
Log in to reply.