Share via

ADF when publishing, the arm templates generation failed with Corporate Public network Disabled errror- how to resolve?

Nguyen, Hoa 421 Reputation points
2026-05-13T18:09:13.11+00:00
  1. ADF settings show networking with Public Endpoint Public endpoint at datafactory level

ADF is using Managed Virtual networks with private endpoints to reach out of other AZ resourcesManaged virtual networks

  1. When publishing the arm templates generation failed with this error:
    Generating ARM templates {"error":{"code":"RequestDisallowedByPolicy","target":"xxx-df-prod-ETL","message":"Resource 'xxx-df-prod-ETL' was disallowed by policy. Policy identifiers: '[{"policyAssignment":{"name":"XCompany - Public Network Disabled","id":"/providers/Microsoft.Management/managementGroups/0b5ac31e-e17a-4021-9d04-550f86320765/providers/Microsoft.Authorization/policyAssignments/PublicNetwork-GlobalMG"},"policyDefinition":{"name":"Public network access on Azure Data Factory should be disabled","id":"/providers/Microsoft.Authorization/policyDefinitions/1cf164be-6819-4a50-b8fa-4bcaa4f98fb6","version":"1.0.0"},"policySetDefinition":{"name":"Cencora - Public Network Disabled","id":"/providers/Microsoft.Management/managementGroups/0b5ac31e-e17a-4021-9d04-550f86320765/providers/Microsoft.Authorization/policySetDefinitions/Cencora - Public Network Disabled","version":"1.0.0"}}]'.","additionalInfo":[{"type":"PolicyViolation","info":{"evaluationDetails":{"evaluatedExpressions":  
    How to resolve when we cannot override corporate policy? The arm template generation failure implies the automated triggers will not pick up the newest version of the pipelines so our changes do not get promoted. Thanks!
Azure Data Factory
Azure Data Factory

An Azure service for ingesting, preparing, and transforming data at scale.

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. SAI JAGADEESH KUDIPUDI 3,115 Reputation points Microsoft External Staff Moderator
    2026-05-13T19:46:22.81+00:00

    Hi Nguyen, Hoa

    The error message:

    “RequestDisallowedByPolicy – Public network access on Azure Data Factory should be disabled”

    indicates that an Azure Policy in your environment is blocking the publish/deployment operation because the Data Factory resource is currently configured with:

    publicNetworkAccess = Enabled

    During the publish process, Azure validates the generated ARM template against organizational policies. If the template or existing factory configuration contains public network access enabled, the deployment is denied by policy.

    To resolve this issue, please check the following:

    Go to Azure Data Factory → Networking

    Set Public network access to Disabled

    Save the changes and retry the publish operation

    If your organization requires private-only access to ADF Studio or the management plane, you should also configure a Private Endpoint and corresponding Private DNS integration.

    Microsoft documentation:

    Azure Data Factory Private Link
    https://learn.microsoft.com/azure/data-factory/data-factory-private-link

    Troubleshoot CI/CD and publish issues in ADF
    https://learn.microsoft.com/azure/data-factory/ci-cd-github-troubleshoot-guide

    Additionally, if you are using CI/CD pipelines or custom ARM deployments, verify that your ARM template or parameter files are not explicitly setting:

    "publicNetworkAccess": "Enabled"

    Otherwise, Azure Policy will continue blocking the deployment even after updating the portal configuration.

    Hope this helps. If you have any follow-up questions, please let me know. I would be happy to help.

    Was this answer helpful?

    1 person found this answer helpful.
    0 comments
  2. Q&A Assist
    2026-05-13T18:09:36.58+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    The failure is caused by an Azure Policy assignment that explicitly blocks Data Factory resources with public network access enabled. The error RequestDisallowedByPolicy means the ARM deployment (triggered by ADF publish) is trying to deploy or update the factory in a way that violates this policy, so the deployment is rejected and the publish fails.

    From the policy description in the error:

    Public network access on Azure Data Factory should be disabled

    Resolution options are limited because the policy cannot be overridden at the subscription/management group level by the project team. The deployment must comply with the policy:

    1. Ensure the factory is configured with public network access disabled
      • The policy requires public network access to be disabled. The factory’s networking configuration must reflect this (for example, using only private endpoints / managed virtual network).
      • Any ARM template or tag that sets or implies publicNetworkAccess = Enabled will be blocked.
    2. Avoid enabling public network access via tags or ARM
      • In some troubleshooting scenarios, public network access is enabled by setting a tag in the factory (for example, using the Factories - Update REST API with: 
             { "tags": { "publicNetworkAccess":"Enabled" } }
        ).
      • In an environment where a corporate policy requires public network access to be disabled, this approach will fail with RequestDisallowedByPolicy and must not be used.
    3. Align CI/CD templates with policy
      • Review the generated ARMTemplateForFactory.json and any parameter files to ensure they do not configure public network access or other settings that violate the policy.
      • If the template currently sets public access (for example through tags or networking properties), remove or change those settings so that the resulting factory configuration keeps public access disabled.
    4. Work with the policy owner if a temporary exception is required
      • If publishing absolutely requires public network access (for example, to register a self-hosted IR as described in the troubleshooting guidance), then the only compliant option is for the policy owner (central IT / security) to adjust or temporarily exempt the factory from that policy. Without such a change, any deployment that enables public access will continue to be blocked.

    In summary, to restore successful ARM template generation and publishing, the Data Factory deployment must be modified so that it does not enable public network access, thereby complying with the Public network access on Azure Data Factory should be disabled policy and avoiding RequestDisallowedByPolicy during publish.

    References:

    Was this answer helpful?

    1 person found this answer helpful.
  3. Nguyen, Hoa 421 Reputation points
    2026-05-15T14:29:44.4066667+00:00

    @SAI JAGADEESH KUDIPUDI Your answer is accepted and most helpful.
    We asked for a temporary exemption to buy us some time to plan and prep for the private endpoints.
    I do not see a place where I can mark your answer as accepted. Thank you!

    Was this answer helpful?

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.