AZ500 Lab Issue – ARM Template Deployment Blocked by Policy + Azure Resource Explorer

Cert Prep
, ,
1

Hey everyone,

I’ve been grinding through the AZ-500 labs and got stuck on two tasks. Posting here hoping someone else has run into the same thing.

:red_circle: Task 1 – Deploy an Azure VM Using a Custom ARM Template

Deployment failed at the validation stage with this error:
“Resource ‘SimpleWinVM’ was disallowed by policy.”

Settings I used:

  • Subscription: Challenge Labs 09
  • Resource Group: AZ900RGlod47832474
  • Region: East US 2
  • Admin Username: AZ900-Admin
  • DNS Label Prefix: myvm47832474
  • OS: Windows Server 2019-Datacenter
  • VM Size: Standard_D2s_v3

Everything looks correct to me. My guess is there’s an Azure Policy assigned at the subscription level blocking the VM deployment, but since it’s a managed lab environment I can’t modify or exempt the policy myself. Anyone dealt with this before?

:red_circle: Task 2 – Locating destinationPortRange in Azure Resource Explorer

This task asked me to find the destinationPortRange property under Resources for the default-NSG using Azure Resource Explorer. The NSG shows up fine, but I couldn’t find that specific property in the structure — the path didn’t match what the lab was expecting.

Is there a specific navigation path I should be following inside Resource Explorer to get there?

Any help would be appreciated. Thanks!

2

Hey! I hit almost the exact same issues a few weeks ago - you’re not alone on this.

For Task 1 - the policy block is unfortunately a known problem with certain lab subscription environments. The subscription has a built-in Azure Policy that restricts specific VM SKUs or resource deployments, and since it’s a sandboxed lab you don’t have the rights to create an exemption. The best workaround I found was to try a different lab session/reset if your lab platform allows it, sometimes a fresh environment comes with a cleaner policy set. If you’re on a platform like Skillable or similar, raise it with their support it’s a lab configuration issue, not something you did wrong.

For Task 2 - in Azure Resource Explorer the path you want is:
Subscriptions → [your subscription] → resourceGroups → [your RG] → providers → Microsoft.Network → networkSecurityGroups → default-NSG → securityRules

Expand any of the inbound rules there and you’ll find destinationPortRange under the properties object. If the default-NSG isn’t populated yet (because the VM never deployed due to Task 1), that’s likely why you couldn’t find it the NSG rules only get created after a successful deployment.

[redacted]

Good luck, you’ve got this!

1 Like