An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
Hello Rangarajan Subramani
The error you are seeing: RequestDisallowedByPolicy: This configuration is not compliant. Refer to https://aka.ms/Azure_AISearch_AuthN_Use_Managed_Service_Identity
is caused by an Azure Policy with a Deny effect that enforces Managed Identity–based authentication for Azure AI Search.
Azure AI Search does not support enabling a System‑assigned Managed Identity at creation time. Managed identity is configured only after the search service is successfully created, not during creation. After you create a search service, configure it to use a system-assigned or user-assigned managed identity.
Because of this design:
- Azure Policy evaluates the creation request only
- A Deny policy blocks the deployment before the resource exists
- The required managed identity cannot yet be present, so the request is denied
This is why the System Managed Identity option is not shown during creation—it is expected to be configured post‑deployment.
An Azure Policy with Deny effect is enforcing Managed Identity for Azure AI Search at creation time, but Azure AI Search supports enabling Managed Identity only after the service is created, leading to deployment failure.
This is a policy enforcement mismatch, not a service limitation or portal issue.
As a resolution, the policy must be changed to not block creation of Azure AI Search.
Microsoft‑supported approaches are:
- Use Audit or DeployIfNotExists instead of Deny, or
- Add a policy exemption for resource type Microsoft.Search/searchServices
This allows the service to be created first, after which Managed Identity can be enabled.
So, Azure AI Search supports Managed Identity, but it can only be enabled after the service is created. If an Azure Policy with Deny effect requires Managed Identity at creation time, the deployment fails by design. The policy must be changed to Audit/DeployIfNotExists or an exemption should be applied for Microsoft.Search/searchServices.
References: https://learn.microsoft.com/en-us/azure/search/search-manage
Azure Policy definitions deny effect: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-deny
Using Bicep to set a system‑assigned managed identity is supported, but to resolve the error when an Azure Policy uses a Deny effect. The policy blocks the request before the search service can be created, and Azure AI Search completes managed identity and authentication configuration only after creation. The policy must be changed to Audit/DeployIfNotExists or an exemption must be applied.
Thanks,
Suchitra.
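The exemption option from the answer above, sketched in Bicep as an added example; it is not code from the answer or from Microsoft. The parameter names, the exemption name, the API version and the use of a resource selector to limit the waiver to Microsoft.Search/searchServices are assumptions; the policy assignment ID must be supplied by you.

```bicep
// Added example: time-boxed Azure Policy exemption limited to Azure AI Search.
// Deploy at resource-group scope so the waiver covers only that group.

@description('Assumption: resource ID of the policy assignment that carries the Deny effect.')
param policyAssignmentId string

@description('Assumption: ISO 8601 UTC timestamp after which the exemption lapses.')
param expiresOn string

@description('Only needed when the assignment is an initiative; leave empty for a single policy.')
param policyDefinitionReferenceIds array = []

resource searchCreateExemption 'Microsoft.Authorization/policyExemptions@2022-07-01-preview' = {
  name: 'aisearch-create-waiver' // hypothetical name
  properties: {
    policyAssignmentId: policyAssignmentId
    policyDefinitionReferenceIds: policyDefinitionReferenceIds
    // 'Waiver' records that non-compliance is accepted temporarily;
    // 'Mitigated' would claim the policy intent is met by other means.
    exemptionCategory: 'Waiver'
    displayName: 'Allow Azure AI Search creation before managed identity is enabled'
    description: 'Temporary waiver so the search service can be created; managed identity is enabled afterwards.'
    // Expiry keeps the waiver from silently becoming permanent.
    expiresOn: expiresOn
    // Restrict the exemption to search services instead of every
    // resource type in the resource group.
    resourceSelectors: [
      {
        name: 'SearchServicesOnly'
        selectors: [
          {
            kind: 'resourceType'
            in: [
              'Microsoft.Search/searchServices'
            ]
          }
        ]
      }
    ]
  }
}

output exemptionId string = searchCreateExemption.id
```

Once the service exists and its managed identity is enabled, delete the exemption or let it expire so the assignment evaluates the service again.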