0

I am trying to disable an Azure alert rule via Powershell, which will eventually go into a runbook, scheduled every week.

Connect-AzAccount
Set-AzContext -Subscription "<subscription-id>"

# Specify the resource group and name of the alert rule to disable
$resourceGroupName = "MyResourceGroup"
$ruleName = "MyAlertRuleName"

# Update the alert rule
Update-AzScheduledQueryRule -ResourceGroupName $resourceGroupName -Name $ruleName -Enabled

According to Microsoft documentation, -Enabled works as a switch parameter. Which I would imagine would switch from enabled to disabled, and vice versa depending on the alert rule's current state

This works going from Disabled > Enabled. It does not however work going from Enabled > Disabled, it just stays at its Enabled state

I then try using a different module script

# Update the alert rule
Update-AzActivityLogAlert -ResourceGroupName $resourceGroupName -Name $ruleName -Enabled 0

But I get the error

Resource 'MyAlertRuleName' was disallowed by policy. Reasons: 'Sorry your object cannot live here'. See error details for policy resource IDs.

Am I doing something wrong? The account I'm using to connect to Azure is my own, which can disable/enable alert rules freely

Catcha24
  • 3
  • 3
  • Do you know if exists any Azure Policy to block you? – Victor Silva Apr 13 '23 at 13:48
  • Is there an easy way to check? I don't have the highest privileges in my Azure tenant so may be restricted. I would imagine this would work if I'm executing it using my account – Catcha24 Apr 13 '23 at 13:53
  • 1
    Yes, go to the Azure portal and search Policy, select Assignments (from the left side menu), and explore all the policies shown, try to edit one by one and use the "Non-compliance messages" to compare with the error message "Sorry your object cannot live here". – Victor Silva Apr 13 '23 at 18:04

1 Answers1

0

After reproducing from my end, I could get the desired results using the same script that you have mentioned.

enter image description here

Results:

enter image description here

Resource 'MyAlertRuleName' was disallowed by policy. Reasons: 'Sorry your object cannot live here'. See error details for policy resource IDs.

Looking at your error, as @VictorSilva has mentioned, your rule has policy enabled which is blocking you from disabling the alert. You can either navigate to the mentioned location from comments or contact your administrator for resolving it.

SwethaKandikonda
  • 7,513
  • 2
  • 4
  • 18
  • Hello, I realised you used an alert that was Signal Type 'Activity log'. I created a quick test alert and it also works for me as well, I am able to disable the alert. The alert I am trying to disable though is Signal Type 'Log Search', realising I need to use specific script depending on the type of alert. I believe to do this, I need to use 'Update-AzScheduledQueryRule' which works with 'Log search' alerts, but from my original post, I'm able to enable but not disable if you're getting the same thing? – Catcha24 Apr 14 '23 at 11:00