A new Azure policy was recently put in place which enforces that no Public Blob Access is allowed, so we had to manually update a bunch of Azure storage accounts, including the one we'd been using for our implementation of the Azure VM Agents plugin. However, since the policy was put in place, the plugin is unable to create VMs, providing the following error message:
Mar 18, 2021 3:58:35 PM SEVERE com.microsoft.azure.vmagent.AzureVMManagementServiceDelegate createDeploymentAzureVMManagementServiceDelegate: deployment: Unable to deploy com.microsoft.azure.CloudException: Status code 400, {"error":{"code":"InvalidTemplateDeployment","message":"The template deployment failed because of policy violation. Please see details for more information.","details":[{"code":"RequestDisallowedByPolicy","target":"cmjenkinscloudsa","message":"Resource 'cmjenkinscloudsa' was disallowed by policy. Reasons: 'ISRM Policy Violation | Public exposure with anynamous access requires security exception. Please contact your BISO for further guidance.'. See error details for policy resource IDs.","additionalInfo":[{"type":"PolicyViolation","info":{"policyDefinitionDisplayName":"DENY - Storage Account Public Access","evaluationDetails":{"evaluatedExpressions":[{"result":"True","expressionKind":"Field","expression":"id","path":"id","expressionValue":"/subscriptions/a5280073-bceb-4175-9bfd-c51134647c8b/resourceGroups/cmjenkinscloud/providers/Microsoft.Storage/storageAccounts/cmjenkinscloudsa","targetValue":"/resourceGroups/databricks-rg-","operator":"NotContains"},{"result":"False","expressionKind":"Field","expression":"Microsoft.Storage/storageAccounts/allowBlobPublicAccess","path":"properties.allowBlobPublicAccess","targetValue":"false","operator":"Equals"}],"reason":"ISRM Policy Violation | Public exposure with anynamous access requires security exception. Please contact your BISO for further guidance."},"policyDefinitionId":"/providers/Microsoft.Management/managementGroups/da67ef1b-ca59-4db2-9a8c-aa8d94617a16/providers/Microsoft.Authorization/policyDefinitions/87f89257-04b6-4ce5-96e5-104feeae78e8","policyDefinitionName":"87f89257-04b6-4ce5-96e5-104feeae78e8","policyDefinitionEffect":"deny","policyAssignmentId":"/providers/Microsoft.Management/managementGroups/da67ef1b-ca59-4db2-9a8c-aa8d94617a16/providers/Microsoft.Authorization/policyAssignments/53068ff566354cf8b96e3dbe","policyAssignmentName":"53068ff566354cf8b96e3dbe","policyAssignmentDisplayName":"DENY - Storage Account Public Access","policyAssignmentScope":"/providers/Microsoft.Management/managementGroups/da67ef1b-ca59-4db2-9a8c-aa8d94617a16","policyAssignmentParameters":{"effect":{"value":"deny"}}}}]}]}}: The template deployment failed because of policy violation. Please see details for more information.
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at com.microsoft.rest.ServiceResponseBuilder.build(ServiceResponseBuilder.java:122)
    at com.microsoft.azure.AzureResponseBuilder.build(AzureResponseBuilder.java:56)
    at com.microsoft.azure.management.resources.implementation.DeploymentsInner.beginCreateOrUpdateDelegate(DeploymentsInner.java:540)
    at com.microsoft.azure.management.resources.implementation.DeploymentsInner.access$200(DeploymentsInner.java:46)
    at com.microsoft.azure.management.resources.implementation.DeploymentsInner$14.call(DeploymentsInner.java:526)
    at com.microsoft.azure.management.resources.implementation.DeploymentsInner$14.call(DeploymentsInner.java:522)
    at rx.internal.operators.OnSubscribeMap$MapSubscriber.onNext(OnSubscribeMap.java:69)
    at retrofit2.adapter.rxjava.CallArbiter.deliverResponse(CallArbiter.java:120)
    at retrofit2.adapter.rxjava.CallArbiter.emitResponse(CallArbiter.java:102)
    at retrofit2.adapter.rxjava.CallExecuteOnSubscribe.call(CallExecuteOnSubscribe.java:46)
    at retrofit2.adapter.rxjava.CallExecuteOnSubscribe.call(CallExecuteOnSubscribe.java:24)
    at rx.Observable.unsafeSubscribe(Observable.java:10327)
    at rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:48)
    at rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:33)
    at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:48)
    at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:30)
    at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:48)
    at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:30)
    at rx.Observable.subscribe(Observable.java:10423)
    at rx.Observable.subscribe(Observable.java:10390)
    at rx.observables.BlockingObservable.blockForSingle(BlockingObservable.java:443)
    at rx.observables.BlockingObservable.single(BlockingObservable.java:340)
    at com.microsoft.azure.management.resources.implementation.DeploymentsInner.beginCreateOrUpdate(DeploymentsInner.java:457)
    at com.microsoft.azure.management.resources.implementation.DeploymentImpl.beginCreate(DeploymentImpl.java:308)
    at com.microsoft.azure.management.resources.implementation.DeploymentImpl.beginCreate(DeploymentImpl.java:40)
    at com.microsoft.azure.vmagent.AzureVMManagementServiceDelegate.createDeployment(AzureVMManagementServiceDelegate.java:553)
    at com.microsoft.azure.vmagent.AzureVMManagementServiceDelegate.createDeployment(AzureVMManagementServiceDelegate.java:174)
    at com.microsoft.azure.vmagent.AzureVMAgentTemplate.provisionAgents(AzureVMAgentTemplate.java:1188)
    at com.microsoft.azure.vmagent.AzureVMCloud$1.call(AzureVMCloud.java:794)
    at com.microsoft.azure.vmagent.AzureVMCloud$1.call(AzureVMCloud.java:790)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Our config is using an existing resource group and existing storage account (with 'Allow public blob access' disabled). I don't understand why it would be trying to make any changes to the existing storage account, especially to that flag. I can see the attempt in Azure's event log.
Note: I can't find any instance of that flag being set or changed in the code, though I admit I've had a lot of trouble combing through it in general.
I get a different error if I have the plugin create a new Storage Account:
Mar 18, 2021 5:19:12 PM SEVERE com.microsoft.azure.vmagent.AzureVMManagementServiceDelegate createDeploymentAzureVMManagementServiceDelegate: deployment: Unable to deploy com.microsoft.azure.vmagent.exceptions.AzureCloudException: Failed to create storage account with account name jna0s7doorcelmq2o9fo0r6a, location eastus, resourceGroupName cmjenkinscloud: Resource 'jna0s7doorcelmq2o9fo0r6a' was disallowed by policy. Reasons: 'ISRM Policy Violation | Public exposure with anynamous access requires security exception. Please contact your BISO for further guidance.'. See error details for policy resource IDs.
    at com.microsoft.azure.vmagent.exceptions.AzureCloudException.create(AzureCloudException.java:49)
    at com.microsoft.azure.vmagent.AzureVMManagementServiceDelegate.createStorageAccount(AzureVMManagementServiceDelegate.java:2538)
    at com.microsoft.azure.vmagent.AzureVMManagementServiceDelegate.createDeployment(AzureVMManagementServiceDelegate.java:229)
    at com.microsoft.azure.vmagent.AzureVMManagementServiceDelegate.createDeployment(AzureVMManagementServiceDelegate.java:174)
    at com.microsoft.azure.vmagent.AzureVMAgentTemplate.provisionAgents(AzureVMAgentTemplate.java:1188)
    at com.microsoft.azure.vmagent.AzureVMCloud$1.call(AzureVMCloud.java:794)
    at com.microsoft.azure.vmagent.AzureVMCloud$1.call(AzureVMCloud.java:790)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
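Added triage helper (not the reporter's code and not code from the azure-vm-agents plugin): the 400 body quoted in the report already names the field the policy tested, `properties.allowBlobPublicAccess`, and that second evaluated expression carries no `expressionValue` at all, which is what Azure Policy reports when the deployment request itself does not set the property. A deny policy is evaluated against the resource as it appears in the request (for an ARM template, the storage account as the template declares it, which is a PUT even when the account already exists), not against the live account's settings, so a template that redeclares an existing account without that property is refused even though the portal shows public access disabled. The script below pulls the JSON body out of a Jenkins log line, flattens every `RequestDisallowedByPolicy` violation and lists the paths the request left unset. The sample log line is constructed from the report above and trimmed to the keys the script reads; the function names and the reading of a missing `expressionValue` as "not present in the request" are my own assumptions, not something the plugin documents.

```python
from __future__ import annotations

import json

# Constructed sample: the 400 body from the report above, trimmed to the keys
# read below and wrapped in the same log prose the plugin emits.
_BODY = {"error": {"code": "InvalidTemplateDeployment", "details": [{
    "code": "RequestDisallowedByPolicy",
    "target": "cmjenkinscloudsa",
    "additionalInfo": [{"type": "PolicyViolation", "info": {
        "policyDefinitionDisplayName": "DENY - Storage Account Public Access",
        "policyDefinitionEffect": "deny",
        "evaluationDetails": {"evaluatedExpressions": [
            {"result": "True", "path": "id", "operator": "NotContains",
             "targetValue": "/resourceGroups/databricks-rg-",
             "expressionValue": "/subscriptions/a5280073-bceb-4175-9bfd-c51134647c8b"
                                "/resourceGroups/cmjenkinscloud/providers"
                                "/Microsoft.Storage/storageAccounts/cmjenkinscloudsa"},
            # No expressionValue at all: assumed to mean the request did not carry it.
            {"result": "False", "path": "properties.allowBlobPublicAccess",
             "operator": "Equals", "targetValue": "false"},
        ]},
    }}],
}]}}
SAMPLE_LOG_LINE = (
    "Mar 18, 2021 3:58:35 PM SEVERE com.microsoft.azure.vmagent."
    "AzureVMManagementServiceDelegate createDeployment: Unable to deploy "
    "com.microsoft.azure.CloudException: Status code 400, " + json.dumps(_BODY)
    + ": The template deployment failed because of policy violation."
)


def extract_json_object(line: str) -> dict | None:
    # json.loads on the whole line fails because the body sits inside prose,
    # so find the first '{' and walk to its partner, skipping string literals.
    start = line.find("{")
    if start < 0:
        return None
    depth, in_str, escape = 0, False, False
    for i in range(start, len(line)):
        ch = line[i]
        if in_str:
            if escape:
                escape = False
            elif ch == "\\":
                escape = True
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
        elif ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                try:
                    return json.loads(line[start:i + 1])
                except json.JSONDecodeError:
                    return None
    return None


def policy_violations(body: dict) -> list[dict]:
    """Flatten each PolicyViolation in an ARM error body into one record."""
    found = []
    for detail in body.get("error", {}).get("details", []):
        if detail.get("code") != "RequestDisallowedByPolicy":
            continue
        for extra in detail.get("additionalInfo", []):
            if extra.get("type") != "PolicyViolation":
                continue
            info = extra.get("info", {})
            exprs = info.get("evaluationDetails", {}).get("evaluatedExpressions", [])
            found.append({
                "target": detail.get("target"),
                "policy": info.get("policyDefinitionDisplayName"),
                "effect": info.get("policyDefinitionEffect"),
                # request_value is None when the field was absent from the request
                "expressions": [{"path": e.get("path"), "operator": e.get("operator"),
                                 "target_value": e.get("targetValue"),
                                 "request_value": e.get("expressionValue"),
                                 "matched": e.get("result") == "True"} for e in exprs],
            })
    return found


def missing_fields(violation: dict) -> list[str]:
    """Paths the policy tested that the deployment request never set."""
    return [e["path"] for e in violation["expressions"] if e["request_value"] is None]


def triage(line: str) -> list[str]:
    """One summary line per policy violation found in a Jenkins log line."""
    body = extract_json_object(line)
    if body is None:
        return []
    return [f"{v['policy']} ({v['effect']}) on {v['target']}: "
            f"unset in request: {', '.join(missing_fields(v)) or 'none'}"
            for v in policy_violations(body)]
```

Running `triage(SAMPLE_LOG_LINE)` names the policy, the denied resource and `properties.allowBlobPublicAccess` as the field the request never set. That tells you which property the deployment template must declare (here, `allowBlobPublicAccess: false` on the storage account resource) for the deny to stop firing; it does not tell you which template declared the resource, so pair it with the failed deployment's template as recorded under the resource group's Deployments in the portal.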
All issues have been transferred to GitHub.
See https://github.com/jenkinsci/azure-vm-agents-plugin/issues
Search the issue title to find it.
(This is a bulk comment and can't link to the specific issue)