![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(265.6, 48%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAC%3C/text%3E%3C/svg%3E)
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(16, 97%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Hello @Ayiba Chinwe
When a policy with the DeployIfNotExists effect is assigned at the tenant root management group, Azure does not support remediation tasks at that scope. Because of this platform limitation, the Remediation tab correctly shows that the policy does not support remediation, and the checkbox to create remediation tasks is not available. However, when the same policy is assigned at a subscription or lower management group, the remediation option becomes available and works as expected.
This happens due to below following reasons:
- DeployIfNotExists remediation tasks run ARM deployments to bring existing non‑compliant resources into compliance.
- ARM deployments require a subscription or resource group deployment context.
- The tenant root management group does not provide a deployment context, so remediation tasks cannot be executed there.
- As a result, Azure Policy disables remediation tasks at the tenant root management group, even though the policy itself can still be assigned at that level.
Remediation tasks are used to remediate existing resources and rely on ARM deployments, which explains why remediation is only supported at subscription or lower scopes and not at tenant root scope.
Official documentation:
- DeployIfNotExists effect overview: https://learn.microsoft.com/azure/governance/policy/concepts/effect-deploy-if-not-exists
- Remediation behavior for existing resources: https://learn.microsoft.com/azure/governance/policy/how-to/remediate-resources
Even though remediation tasks are not supported at the tenant root management group, the DeployIfNotExists effect itself still works for new resources. This means:
- New resources created under child management groups or subscriptions are automatically remediated through policy inheritance.
- Existing resources cannot be remediated from the tenant root management group and require a lower-scope assignment.
As a workaround please have a look into below approaches:
- Assign the policy or initiative at the tenant root management group for centralized governance and inheritance.
- Assign the same policy (or initiative) at child management groups or subscriptions where remediation of existing resources is required.
- Run remediation tasks only at those supported scopes.
This approach is consistent with Microsoft guidance and reference architectures (such as Azure Landing Zone), which also perform remediation at subscription or child management group levels, not at the tenant root.
Reference: https://azure.github.io/azure-monitor-baseline-alerts/patterns/alz/HowTo/deploy/Remediate-Policies/
So, the DeployIfNotExists effect can be assigned at the tenant root management group, but remediation tasks are intentionally not supported at that scope because ARM deployments require a subscription or resource group context. Assignments at lower scopes are required to remediate existing resources.
Thanks,
Suchitra.
