How to fix Unable to evaluate policy for resource 'Policy evaluation timed out'

Hello Aarushi Saraswat

When configuring Azure OpenAI (Cognitive Services) networking (Firewall & virtual networks → Selected networks and private endpoints), saving IPv4 addresses or VNets fails with:

Unable to evaluate policy for resource 
'/subscriptions/.../providers/Microsoft.CognitiveServices/accounts/OPENAI'.
Policy evaluation timed out

This error occurs when Azure Policy assignments at the subscription, management group, or resource group scope interfere with network configuration changes on the Azure OpenAI resource.

Specifically:

• Azure evaluates all applicable policies during a resource update.
• If one or more policies:
  • Restrict Microsoft.CognitiveServices/accounts
    • Enforce private endpoints only
      • Restrict public network access or IP allow‑lists
        • Are complex / large‑scope (management group level)
        • Then the policy engine may fail to complete evaluation within the allowed time, resulting in a policy evaluation timeout instead of a normal “Denied by policy” message.

This is a policy evaluation failure, not a networking or OpenAI service issue.

To fix this issue, please try below provided workarounds:

1. Identify blocking Azure Policies:

Check both subscription and resource group scopes:

Azure Portal

• Subscription → Policy → Assignments
• Resource Group (WNDRG) → Policy → Assignments

Look for policies that:

• Deny or restrict Microsoft.CognitiveServices/accounts
• Enforce private endpoint only
• Restrict public IP ranges
• Use Deny effect instead of Audit

Policies with a Deny effect are the most common cause of this timeout.

2. Reduce policy impact on the OpenAI resource:

Ask the policy owner to do one of the following (all are valid fixes):

• Exclude the OpenAI resource or its resource group
• Narrow the policy scope (do not apply at management group level)
• Temporarily disable the policy during the networking change
• Change effect from Deny → Audit if enforcement is not required

This allows the networking configuration to be saved successfully.

3. Retry networking configuration:

After policy adjustment:

• Go back to OpenAI resource → Networking
• Select “Selected networks and private endpoints”
• Add VNets and IPv4 addresses
• Save again

The change will succeed once policy evaluation completes within time.

• This error does not mean the OpenAI resource is unsupported.
• It is not caused by invalid IPs or portal UI issues.
• Azure Policy timeouts are common when policies are applied at large scopes (management group / many assignments).

The issue is caused by Azure Policy assignments blocking or delaying policy evaluation when modifying Azure OpenAI networking settings. Adjusting or excluding the relevant Azure Policy allows the firewall/VNet configuration to be saved successfully.

If the provided information is helpful please click "upvote".

If you’re still experiencing the problem or need further clarification, please feel free to share additional information so we can continue investigating and assist you further.

Thanks,

Suchitra.

The error indicates that a policy assigned to the subscription or resource group is blocking or delaying evaluation for the Azure OpenAI (Foundry Tools) resource when changing its networking configuration.

To resolve:

1. Check for Azure Policy assignments blocking the resource
   • In the Azure portal, go to Subscriptions → select the subscription → Policy → Assignments.
   • Also check Resource groups → select WNDRG → Policy → Assignments.
   • Look for policies that:
     • Deny or restrict Microsoft.CognitiveServices/accounts or Foundry Tools resources.
     • Restrict network configuration (for example, only allow certain virtual networks, disallow public IP ranges, or require private endpoints).
2. Confirm the policy effect and scope
   • For any relevant policy, open the assignment and verify:
     • The Scope includes the subscription or WNDRG resource group.
     • The Effect is set to Deny (or similar) rather than **Audit`.
   • If a policy is denying or cannot be evaluated in time, it can cause failures when saving firewall and virtual network settings.
3. Work with the policy administrator
   • If a blocking policy is found, request that the policy owner:
     • Modify the policy definition/parameters so that the desired OpenAI networking configuration is allowed, or
     • Narrow the assignment scope so it does not apply to the OpenAI resource, or
     • Temporarily remove or disable the assignment while the configuration change is made.
4. Retry the networking change after policy adjustment
   • Once the policy has been updated or removed:
     • Go back to the OpenAI resource → Networking.
     • Ensure Selected Networks and Private Endpoints is chosen only if the policy allows it.
     • Re-add the required virtual networks and IP address ranges.
     • Save the configuration again.
5. If the resource itself is disallowed by policy
   • If there is a policy like “Not allowed resource types” or similar that disallows Microsoft.CognitiveServices/accounts, that policy must be changed by the administrator; otherwise, any configuration or creation attempt will continue to fail.

If the environment is governed by central IT or a security team, contact them with the exact error and the resource ID so they can adjust the Azure Policy configuration.

References:

• Troubleshoot your Azure Stack Edge ordering issues
• Control AI model deployment with built-in policies in Microsoft Foundry portal (classic)
• Configure Foundry Tools virtual networks
• Create and deploy an Azure OpenAI in Azure AI Foundry Models resource (web-portal)