OperationNotAllowed - Operation Not Allowed: State or Policy Violation
Something's blocking the operation: a resource lock (CanNotDelete or ReadOnly), an invalid provisioning state ("Deleting" or "Failed"), or an Azure Policy assignment with the Deny effect. This 409/403 client-side error means ARM evaluated constraints and found a blocker. Locks override RBAC permissions, so even a principal with the Contributor role can't delete resources that carry a CanNotDelete lock. Provisioning states like "Deleting" or "Failed" block most operations until the state transition completes. Azure Policy assignments with the Deny effect at subscription or resource group scope block operations regardless of RBAC. Common in VM management, AKS cluster operations, Azure SQL database changes, and App Service deployments.
Common Causes
- Resource Lock: The resource has a CanNotDelete or ReadOnly lock that prevents delete/modify operations. Locks are applied at subscription, resource group, or resource scope and override RBAC permissions—even if you have Contributor role, a lock can block operations. CanNotDelete blocks deletes, ReadOnly blocks all modifications.
- Invalid Provisioning State: The resource's provisioningState is "Deleting" or "Failed". Most operations require the resource to be in "Succeeded" state. For "Deleting", wait for deletion to complete. For "Failed", you may need to delete and recreate the resource (behavior varies by type).
- Azure Policy Denial: A policy assignment with Deny effect at the subscription, resource group, or management group scope blocks the resource creation/modification. Policy evaluation happens after RBAC, so even with proper permissions, policies can block operations.
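For the policy cause: an assignment does not carry the effect itself. The effect sits in the policy definition's policyRule.then.effect and is often a [parameters('...')] reference that the assignment can override. The following is an added example, not code from the original page, written in Python for offline use; it assumes the field names found in the JSON output of az policy assignment list and az policy definition show, and every name and id in it is constructed.

```python
# Added example (not from the original page). Inputs imitate `az policy assignment list -o json`
# and `az policy definition show -o json`; all names and ids below are constructed.
import re

PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$", re.IGNORECASE)
PREFIX = "/providers/Microsoft.Authorization/policyDefinitions/"

DEFINITIONS = {
    PREFIX + "def-locations": {"policyRule": {"then": {"effect": "deny"}}, "parameters": {}},
    PREFIX + "def-tags": {
        "policyRule": {"then": {"effect": "[parameters('effect')]"}},
        "parameters": {"effect": {"type": "String", "defaultValue": "Audit"}}},
}
ASSIGNMENTS = [
    {"name": "allowed-locations", "enforcementMode": "Default",
     "policyDefinitionId": PREFIX + "def-locations", "parameters": None},
    {"name": "require-tag", "enforcementMode": "Default",
     "policyDefinitionId": PREFIX + "def-tags", "parameters": {"effect": {"value": "Deny"}}},
    {"name": "tag-audit-only", "enforcementMode": "Default",
     "policyDefinitionId": PREFIX + "def-tags", "parameters": {}},
    {"name": "locations-dry-run", "enforcementMode": "DoNotEnforce",
     "policyDefinitionId": PREFIX + "def-locations", "parameters": None},
]

def effective_effect(assignment, definition):
    """Resolve policyRule.then.effect, following a [parameters('name')] reference."""
    effect = definition["policyRule"]["then"]["effect"]
    ref = PARAM_REF.match(effect.strip())
    if not ref:
        return effect
    name = ref.group(1)
    assigned = (assignment.get("parameters") or {}).get(name)
    if assigned is not None:                      # a value set on the assignment wins
        return assigned["value"]
    return definition["parameters"][name]["defaultValue"]

def denying_assignments(assignments, definitions):
    """Names of enforced assignments whose resolved effect is Deny."""
    by_id = {key.lower(): value for key, value in definitions.items()}
    denying = []
    for a in assignments:
        if a.get("enforcementMode", "Default") != "Default":
            continue                              # DoNotEnforce does not block requests
        definition = by_id.get(a["policyDefinitionId"].lower())
        if definition is None:                    # e.g. an initiative; expand it separately
            continue
        if effective_effect(a, definition).lower() == "deny":
            denying.append(a["name"])
    return denying
```

Assignments that point at an initiative (policy set definition) are skipped here and need their member definitions resolved one by one.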
Solutions
- Step 1: Diagnose - Check for resource locks: az lock list --resource <resource-id> --query "[].{name:name, level:level, id:id}" --output table
- Step 2: Diagnose - Inspect resource provisioning state: az resource show --ids <resource-id> --query "properties.provisioningState" --output tsv
- Step 3: Diagnose - Check Azure Policy assignments: az policy assignment list --scope <scope> --query "[?enforcementMode=='Default'].{name:name, policyDefinitionId:policyDefinitionId}" --output table
- Step 4: Fix - Remove locks if you have permissions: az lock delete --ids <lock-id> (the lock's own resource ID, shown in the id field of az lock list, not the ID of the locked resource)
- Step 5: Fix - Wait for resource state transition if provisioningState is "Deleting" or "Failed".
- Step 6: Fix - Modify or remove the blocking policy if you have permissions.
- Step 7: Verify - Retry your operation. It should succeed instead of returning OperationNotAllowed.
Code Examples
```bash
#!/usr/bin/env bash
# This script helps diagnose OperationNotAllowed errors by checking locks and policies

# Step 1: Example resource ID (replace with your actual resource ID)
RESOURCE_ID="/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-rg/providers/Microsoft.Compute/virtualMachines/my-vm"
echo "Checking resource: $RESOURCE_ID"

# Step 2: Check for resource locks
# az lock list has no --scope argument; --resource accepts a full resource ID.
# The id column is the lock's own ID, which az lock delete --ids expects.
echo "Checking for resource locks..."
az lock list --resource "$RESOURCE_ID" --query "[].{name:name, level:level, id:id, notes:notes}" --output table

# Step 3: Check for locks at resource group scope
RESOURCE_GROUP_ID=$(echo "$RESOURCE_ID" | sed 's|/providers/.*||')
RESOURCE_GROUP_NAME=${RESOURCE_GROUP_ID##*/}
SUBSCRIPTION_ID=$(echo "$RESOURCE_ID" | sed 's|/subscriptions/\([^/]*\).*|\1|')
echo "Checking for locks at resource group scope: $RESOURCE_GROUP_ID"
az lock list --resource-group "$RESOURCE_GROUP_NAME" --subscription "$SUBSCRIPTION_ID" \
  --query "[].{name:name, level:level, id:id}" --output table

# Step 4: Check for locks at subscription scope
# With no resource arguments, az lock list queries the subscription level.
echo "Checking for locks at subscription scope: /subscriptions/$SUBSCRIPTION_ID"
az lock list --subscription "$SUBSCRIPTION_ID" --query "[].{name:name, level:level, id:id}" --output table

# Step 5: Check resource provisioning state
echo "Checking resource provisioning state..."
PROVISIONING_STATE=$(az resource show --ids "$RESOURCE_ID" --query "properties.provisioningState" -o tsv 2>/dev/null)
if [ -n "$PROVISIONING_STATE" ]; then
  echo "Provisioning state: $PROVISIONING_STATE"
  if [ "$PROVISIONING_STATE" = "Deleting" ]; then
    echo "WARNING: Resource is being deleted. Wait for deletion to complete."
  elif [ "$PROVISIONING_STATE" = "Failed" ]; then
    echo "WARNING: Resource is in Failed state. May need to delete and recreate."
  fi
else
  echo "Could not retrieve provisioning state"
fi

# Step 6: Check Azure Policy assignments at subscription scope
# The assignment object does not include the effect; the effect is defined in the
# policy definition (policyRule.then.effect) referenced by policyDefinitionId.
echo "Checking Azure Policy assignments at subscription scope..."
az policy assignment list \
  --scope "/subscriptions/$SUBSCRIPTION_ID" \
  --query "[?enforcementMode=='Default'].{name:name, policyDefinitionId:policyDefinitionId}" \
  --output table

# Step 7: Check Azure Policy assignments at resource group scope
echo "Checking Azure Policy assignments at resource group scope..."
az policy assignment list \
  --scope "$RESOURCE_GROUP_ID" \
  --query "[?enforcementMode=='Default'].{name:name, policyDefinitionId:policyDefinitionId}" \
  --output table

# Step 8: Remove lock if found (requires appropriate permissions)
# LOCK_ID="<lock-id>"   # value of the id column from the lock listings above
# echo "Removing lock: $LOCK_ID"
# az lock delete --ids "$LOCK_ID"

# Step 9: Instructions for policy management
echo ""
echo "To modify or remove blocking policies:"
echo " 1. Identify the policy from the list above"
echo " 2. Use: az policy assignment delete --name <policy-name> --scope <scope>"
echo " 3. Or modify the policy assignment to change the effect"
```
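The lock checks above return locks from several scopes, and only those attached to the resource or one of its parent scopes apply to it. The following is an added example, not code from the original page, written in Python so it runs offline: it decides which locks from az lock list --output json block a delete or a modification of a given resource. The lock names, resource IDs and function names are constructed for the illustration.

```python
# Added example (not from the original page). LOCKS imitates `az lock list -o json`;
# every name and id below is constructed.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RESOURCE_ID = SUB + "/resourceGroups/PROD-RG2/providers/Microsoft.Compute/virtualMachines/my-vm"
DISK_ID = SUB + "/resourceGroups/prod-rg2/providers/Microsoft.Compute/disks/d1"
LOCK_SEGMENT = "/providers/microsoft.authorization/locks/"
LOCKS = [
    {"name": "rg-nodelete", "level": "CanNotDelete",
     "id": SUB + "/resourceGroups/prod-rg2/providers/Microsoft.Authorization/locks/rg-nodelete"},
    {"name": "other-rg-ro", "level": "ReadOnly",   # prod-rg is only a string prefix of prod-rg2
     "id": SUB + "/resourceGroups/prod-rg/providers/Microsoft.Authorization/locks/other-rg-ro"},
    {"name": "disk-ro", "level": "ReadOnly",       # lock on a sibling resource
     "id": DISK_ID + "/providers/Microsoft.Authorization/locks/disk-ro"},
]

def lock_scope(lock_id):
    """Scope the lock is attached to: its id minus the trailing lock segment."""
    lowered = lock_id.lower()
    cut = lowered.rfind(LOCK_SEGMENT)
    return lowered if cut == -1 else lowered[:cut]

def applies_to(scope, resource_id):
    """Locks are inherited downwards; compare whole path segments, ignoring case."""
    rid = resource_id.lower().rstrip("/")
    return rid == scope or rid.startswith(scope + "/")

def blocking_locks(locks, resource_id, operation):
    """Return (name, level, scope) for each lock that blocks 'delete' or 'modify'."""
    if operation not in ("delete", "modify"):
        raise ValueError("operation must be 'delete' or 'modify'")
    hits = []
    for lock in locks:
        scope = lock_scope(lock["id"])
        if not applies_to(scope, resource_id):
            continue
        level = lock["level"]
        # ReadOnly blocks modifications and deletes; CanNotDelete blocks deletes only.
        if level == "ReadOnly" or (level == "CanNotDelete" and operation == "delete"):
            hits.append((lock["name"], level, scope))
    return hits

if __name__ == "__main__":
    for op in ("delete", "modify"):
        print(op, blocking_locks(LOCKS, RESOURCE_ID, op))
```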
Provider Information
This error code is specific to Azure services. For more information, refer to the official Azure documentation.