Azure Policy to Auto Associate Resources to NSP

Question

Azure Policy to Auto Associate Resources to NSP

Tapasya Sharma 0 Microsoft Employee

I have a created an Azure Policy to Auto Associate Resources to NSP in Enforced mode once any new resources are created in my subscription. However, upon assigning this policy to my subscription all my resources are non-compliant, and new resources I create are not compliant by the policy either by auto-associating. I created a remediation task with and without 'ResourceDiscoveryMode' set to 'ReEvaluateCompliance. However, I continue to get this error saying there is no evaluation from the policy. Could you please help identify the issue here and correct it to auto associate any resources in enforced mode?

Expected behaviour:

Is to auto associate any new resources created to PPE NSP in enforced mode and pass compliance with existing resources by remediating.

Existing behaviour:

Unable to auto associate any new resources created
Unable to pass compliance even though existing resource association to NSP exists
Remediation tasks fail even 'ResourceDiscoveryMode' set to 'ReEvaluateCompliance'
NoPolicyEvaluationResult deployment error received

Policy definition:

  <PII Removed>

Deployment error:

User's image

Suchitra Suregaunkar 11,395 Reputation points Microsoft External Staff Moderator

2026-03-03T21:24:42.07+00:00

Hello @Tapasya Sharma I hope the details shared above helped in addressing your concern. If the suggested resolution resolved the issue, kindly consider marking the answer as "Accepted" and "Upvote" it. This helps other community members who may encounter a similar issue in the future. If you’re still experiencing the problem or need further clarification, please feel free to share additional information so we can continue investigating and assist you further.

Thanks, Suchitra.

1 answer

Your answer

Suchitra Suregaunkar 11,395 Reputation points Microsoft External Staff Moderator

2026-03-03T21:24:42.07+00:00

Hello @Tapasya Sharma I hope the details shared above helped in addressing your concern. If the suggested resolution resolved the issue, kindly consider marking the answer as "Accepted" and "Upvote" it. This helps other community members who may encounter a similar issue in the future. If you’re still experiencing the problem or need further clarification, please feel free to share additional information so we can continue investigating and assist you further.

Thanks, Suchitra.

Answer 1

Suchitra Suregaunkar 11,395 Microsoft External Staff Moderator

Hello Tapasya Sharma

Thanks for sharing the screenshot.

Error code: NoPolicyEvaluationResult

This error occurs when you try to run Policy Remediation, but Azure Policy has no current compliance evaluation data for the targeted resources.

Remediation can only run on resources that already have a compliance state. If no evaluation result exists, remediation fails.

One or more of the following is true for the error that you got:

1. Policy was recently created, updated, or reassigned

Compliance scan hasn’t run yet.

2. Policy exclusions or scope were changed

Old compliance data became invalid.

Resources were created before the policy existed

They were never evaluated.

Compliance data was cleared or expired

Happens after policy definition/assignment changes.

As a resolution you must force a policy compliance re‑evaluation first, then rerun remediation.

Option 1: Re‑evaluate compliance (Portal – Recommended)

Go to Azure Portal
Navigate to Azure Policy
Select Compliance
Click Re-evaluate compliance
Wait until the policy shows a Non-compliant or Compliant state
Retry Remediation

Option 2: Re‑evaluate compliance using CLI command,

az policy state trigger-scan

Then rerun the remediation once compliance data appears.

Option 3: Delete and recreate remediation task

If re‑evaluation does not help:

Delete the existing remediation task
Ensure the policy assignment still exists and scope is correct
Trigger Re-evaluate compliance
Create a new remediation task

Remediation cannot create compliance data, Compliance must exist before remediation, Compliance evaluation is not instantaneous. Any change to policy definition, scope, or exclusions invalidates prior results.

Thanks,
Suchitra.

Tapasya Sharma 0 Reputation points Microsoft Employee

2026-03-04T18:19:00.82+00:00

Hi @Suchitra Suregaunkar so I had already tried re-evaluating compliance and creating a new remediation task however that did not work as mentioned in my initial post too. Please let me know how can I debug it further, thanks!
Suchitra Suregaunkar 11,395 Reputation points Microsoft External Staff Moderator

2026-03-04T19:04:21.03+00:00
Hello @Tapasya Sharma @Tapasya Sharma

The issue is not with remediation tasks or ResourceDiscoveryMode. The root cause is an incorrect existenceCondition implementation in the deployIfNotExists policy.

Because the existenceCondition never evaluates to true, Azure Policy:

Marks all resources as non‑compliant

Never finds a valid policy evaluation result

Causes remediation tasks to fail with NoPolicyEvaluationResult

Does not auto‑associate new resources to the NSP

This behavior is expected when existenceCondition does not correctly match the related resource.

Your policy checks this condition:

{ "field": "name", "equals": "[concat('nsp-OrganizationMasterNSP-PPE/', field('name'), '_association')]" }

This is invalid for deployIfNotExists because:

existenceCondition is evaluated against the related resource

field('name') inside existenceCondition refers to the resourceAssociation, not the original Storage / Key Vault / Cosmos DB resource

NSP resource association names are system‑generated and not guaranteed to match this constructed value

As a result, Azure Policy never detects an existing association, even when one exists.

Supported Way to Validate NSP Association:

deployIfNotExists should validate properties of the related resource, not its constructed name.

For Network Security Perimeter associations, Microsoft exposes policy aliases that must be used.

Correct Existence Check which is supported:

Validate:

The association points to the evaluated resource

The access mode is Enforced

"existenceCondition": { "allOf": [ { "field": "Microsoft.Network/networkSecurityPerimeters/resourceAssociations/privateLinkResource.id", "equals": "[field('id')]" }, { "field": "Microsoft.Network/networkSecurityPerimeters/resourceAssociations/accessMode", "equals": "Enforced" } ] }

Update the policy to use property‑based existenceCondition

Re‑assign the policy (or trigger re‑evaluation)

Run remediation for existing resources

Validate via Policy Compliance → Compliance Details

Reference: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-deploy-if-not-exists

Azure Policy aliases for NSP resource associations confirms supported fields like privateLinkResource.id and accessMode:

https://learn.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure-basics#aliases

https://policyalias.mats.codes/Microsoft.Network/networkSecurityPerimeters-resourceAssociations/

Network Security Perimeter – Resource Associations schema:

https://learn.microsoft.com/en-us/azure/templates/microsoft.network/networksecurityperimeters/resourceassociations?pivots=deployment-language-bicep

Thanks,
Suchitra.
Suchitra Suregaunkar 11,395 Reputation points Microsoft External Staff Moderator

2026-03-05T20:02:48.34+00:00

Hello @Tapasya Sharma @Tapasya Sharma

Kindly let us know if the solution provided worked for you.

If you need any further assistance, please feel free to reach out.

If you found the comment helpful, please consider clicking "Upvote it".

Thanks,
Suchitra.
Bharath Y P 7,240 Reputation points Microsoft External Staff Moderator

2026-03-06T14:23:08.06+00:00
Hello Tapasya Sharma, If you updated the policy definition, reassigned it, and created a new resource but it still doesn’t work, the next step is to confirm whether Azure Policy is evaluating the resource at all. The NoPolicyEvaluationResult error almost always means the resource never matched the policy rule, so Azure Policy never produced a compliance record.

There may be some structural changes required, which could be the reason you’re seeing the NoPolicyEvaluationResult error and why new resources aren’t being auto‑associated.

Policy Mode change:

Your policy uses: "mode": "Indexed"

Indexed mode only evaluates resources that support tags and location indexing, and many network or child resources used by NSP policies are not evaluated in this mode.

Because of this Azure Policy never evaluates your rule, no compliance record is generated and Remediation shows NoPolicyEvaluationResult.

You can modify to: "mode": "All" and then reassign the policy.

Modify existenceCondition:

Your existence condition checks the name:

{ "field": "name", "equals": "[concat('nsp-OrganizationMasterNSP-PPE/', field('name'), '_association')]" }

This is not reliable for DeployIfNotExists because Azure Policy evaluates existence by resource properties, not by constructed names. If the name does not match exactly, policy thinks the resource does not exist, but at the same time evaluation may fail.

Also, checking:

{ "field": "type", "equals": "Microsoft.Network/networkSecurityPerimeters/resourceAssociations" }

It seems inside existenceCondition is unnecessary.

Instead check the associated resource id:

"existenceCondition": { "field": "Microsoft.Network/networkSecurityPerimeters/resourceAssociations/privateLinkResource.id", "equals": "[field('id')]" }

This confirms the resource is already associated to the NSP.

Missing existenceScope: Because the association resource is in a different resource group (MOR-PME-PPE), Azure Policy may not find it during evaluation.

Your policy currently only has:

"resourceGroupName": "MOR-PME-PPE"

But DeployIfNotExists also needs existenceScope. To fix this you can add existenceScope

"existenceScope": "resourceGroup"

Policy Might Not Re-Evaluate New Resources Immediately. Even after fixing the policy, the policy evaluation runs every ~30 minutes. DeployIfNotExists runs after evaluation

You can trigger it manually and Wait 10–15 minutes.

az policy state trigger-scan --subscription <subscription-id>

Hope this helps! Thanks
Tapasya Sharma 0 Reputation points Microsoft Employee

2026-03-10T02:50:14.6733333+00:00

Hi @Suchitra Suregaunkar @Bharath Y P Thank you for the suggestions. I incorporated them and created a new JSON which has been shared with Suchitra over chat. However, I received the same error code after modifying the JSON. Could you please help identify the issue? Thank you.
Suchitra Suregaunkar 11,395 Reputation points Microsoft External Staff Moderator

2026-03-11T04:31:41.8733333+00:00

Hello Tapasya Sharma, Sure, we are looking this issue and will keep you posted updates.
Suchitra Suregaunkar 11,395 Reputation points Microsoft External Staff Moderator

2026-03-25T01:47:42.96+00:00
Hello @Tapasya Sharma,

We have an update that the main issue looks to be the existenceCondition, especially the complex profile.id check using field('type'), which can evaluate in the wrong context and keep everything non‑compliant.

Can you try the below action plan:

First simplify the existenceCondition to only check:

privateLinkResource.id == resource id

and then add this for the next check accessMode == Enforced

Validate existenceScope and explicitly set the NSP resource group to verify first:

The NSP association resources are created in the NSP’s RG, not the target resource’s RG.

If existenceScope is resourceGroup but resourceGroupName is not specified, policy looks in the wrong RG and never finds the association.

Update the policy to set resourceGroupName to the RG that hosts the NSP and its profiles so both the existence check and remediation run in the correct place.

Trigger a policy re‑evaluation scan, then rerun remediation.

Confirm resources flip to Compliant once the association exists.

After validation, re‑introduce the profile check using a parameterized profileId (avoid field('type') - based logic) to start with and try keeping it straight forward and simple and then test it one-by-one once each customization starts working. Otherwise we don't know where it's failing.

Please try to check above recommendation and let me know if you have any questions.

Thanks,

Suchitra.

Share via

Azure Policy to Auto Associate Resources to NSP

1 answer

Your answer