Deploying Azure Stream Analytics (ASA) Input using CLI will not trigger the policy #9708

@babogdan88

Describe the bug

Trying to create an Azure Stream Analytics(ASA) Input via CLI command.
Related doc: https://learn.microsoft.com/en-us/cli/azure/stream-analytics/input?view=azure-cli-latest

At the same time, there is an Azure Policy that denies the creation of any resources that are not using Managed Identity authentication mode.

When running the command, if the ASA Input has 'ConnectionString' auth mode, the policy should trigger, **but that does not happen**.
If I try to deploy the ASA Job using other deployment options, like an ARM template or Terraform, the policy works as expected.

Running the command in debug mode shows that the authenticationMode is not passed in the "Request body".

CLI command ran in Debug mode:

    az stream-analytics input create \
      --resource-group azure-stream-fawaz \
      --job-name fawazstream-iotdata \
      --name blobinput-cli \
      --properties '{
        "type": "Stream",
        "datasource": {
          "type": "Microsoft.Storage/Blob",
          "properties": {
            "container": "state",
            "pathPattern": "{date}/{time}",
            "dateFormat": "yyyy/MM/dd",
            "timeFormat": "HH",
            "authenticationMode": "ConnectionString",
            "storageAccounts": [
              {
                "accountName": "<STORAGE_ACCOUNT_NAME>",
                "accountKey": "<STORAGE_ACCOUNT_KEY>"
              }
            ]
          }
        },
        "serialization": {
          "type": "Csv",
          "properties": {
            "encoding": "UTF8",
            "fieldDelimiter": ","
          }
        }
      }' \
      --debug

Result:

}
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/xx/resourcegroups/az_policy_ty474_asa/providers/Microsof…
cli.azure.cli.core.sdk.policies: Request method: 'PUT'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json'
cli.azure.cli.core.sdk.policies: 'Accept': 'application/json'
cli.azure.cli.core.sdk.policies: 'Content-Length': '453'
cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': '1524d738-1c8e-11f1-a401-00155d661810'
cli.azure.cli.core.sdk.policies: 'CommandName': 'stream-analytics input create'
cli.azure.cli.core.sdk.policies: 'ParameterSetName': '--resource-group --job-name --name --properties --debug'
cli.azure.cli.core.sdk.policies: 'User-Agent': 'AZURECLI/2.82.0 (RPM) azsdk-python-core/1.37.0 Python/3.12.9 (Linux-6.1.91.1-microsoft-standard-x86_64-with-glibc2.38) cloud-shell/1.0'
cli.azure.cli.core.sdk.policies: 'Authorization': '*****'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: {"properties": {"type": "Stream", "serialization": {"type": "Csv", "properties": {"fieldDelimiter": ",", "encoding": "UTF8"}}, "datasource": {"type": "Microsoft.Storage/Blob", "properties": {"storageAccounts": [{"accountName": "", "accountKey": ""}], "container": "state", "pathPattern": "{date}/{time}", "dateFormat": "yyyy/MM/dd", "timeFormat": "HH"}}}}
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "PUT /subscriptions/xx/resourcegroups/az_policy_ty474_asa/providers/Microsoft.StreamAnalytics/streamingjobs/asatest/inputs/kp167input?api-version=2020-03-01 HTTP/1.1" 200 1015

Related command

    az stream-analytics input create \
      --resource-group azure-stream-fawaz \
      --job-name fawazstream-iotdata \
      --name blobinput-cli \
      --properties '{
        "type": "Stream",
        "datasource": {
          "type": "Microsoft.Storage/Blob",
          "properties": {
            "container": "state",
            "pathPattern": "{date}/{time}",
            "dateFormat": "yyyy/MM/dd",
            "timeFormat": "HH",
            "authenticationMode": "ConnectionString",
            "storageAccounts": [
              {
                "accountName": "<STORAGE_ACCOUNT_NAME>",
                "accountKey": "<STORAGE_ACCOUNT_KEY>"
              }
            ]
          }
        },
        "serialization": {
          "type": "Csv",
          "properties": {
            "encoding": "UTF8",
            "fieldDelimiter": ","
          }
        }
      }'

Errors

Issue script & Debug output

}
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/xx/resourcegroups/az_policy_ty474_asa/providers/Microsof…
cli.azure.cli.core.sdk.policies: Request method: 'PUT'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json'
cli.azure.cli.core.sdk.policies: 'Accept': 'application/json'
cli.azure.cli.core.sdk.policies: 'Content-Length': '453'
cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': '1524d738-1c8e-11f1-a401-00155d661810'
cli.azure.cli.core.sdk.policies: 'CommandName': 'stream-analytics input create'
cli.azure.cli.core.sdk.policies: 'ParameterSetName': '--resource-group --job-name --name --properties --debug'
cli.azure.cli.core.sdk.policies: 'User-Agent': 'AZURECLI/2.82.0 (RPM) azsdk-python-core/1.37.0 Python/3.12.9 (Linux-6.1.91.1-microsoft-standard-x86_64-with-glibc2.38) cloud-shell/1.0'
cli.azure.cli.core.sdk.policies: 'Authorization': '*****'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: {"properties": {"type": "Stream", "serialization": {"type": "Csv", "properties": {"fieldDelimiter": ",", "encoding": "UTF8"}}, "datasource": {"type": "Microsoft.Storage/Blob", "properties": {"storageAccounts": [{"accountName": "", "accountKey": ""}], "container": "state", "pathPattern": "{date}/{time}", "dateFormat": "yyyy/MM/dd", "timeFormat": "HH"}}}}
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "PUT /subscriptions/xx/resourcegroups/az_policy_ty474_asa/providers/Microsoft.StreamAnalytics/streamingjobs/asatest/inputs/kp167input?api-version=2020-03-01 HTTP/1.1" 200 1015

Expected behavior

The policy should be triggered, but it wasn't. This is a risk of allowing users to create non-compliant resources.

Environment Summary

azure-cli: 2.82.0
core: 2.82.0
telemetry: 1.1.0

Additional context

No response
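
A check that can be run against the `--debug` output quoted in this report, as an added example that is not part of the original issue or of Azure CLI: it lists the keys present in the submitted `--properties` JSON that are absent from the logged PUT body. The function names and the two sample constants are assumptions, constructed from the command and log lines above.

```python
import json

PREFIX = "cli.azure.cli.core.sdk.policies: "

# Constructed sample: the --properties value from the report, secrets as placeholders.
SUBMITTED = json.loads("""{
  "type": "Stream",
  "datasource": {"type": "Microsoft.Storage/Blob", "properties": {
    "container": "state", "pathPattern": "{date}/{time}",
    "dateFormat": "yyyy/MM/dd", "timeFormat": "HH",
    "authenticationMode": "ConnectionString",
    "storageAccounts": [{"accountName": "<NAME>", "accountKey": "<KEY>"}]}},
  "serialization": {"type": "Csv", "properties": {"encoding": "UTF8", "fieldDelimiter": ","}}
}""")

# Constructed sample: the "Request body" lines of the --debug output in the report.
DEBUG_LOG = (
    PREFIX + "Request body:\n" + PREFIX +
    '{"properties": {"type": "Stream", "serialization": {"type": "Csv", '
    '"properties": {"fieldDelimiter": ",", "encoding": "UTF8"}}, '
    '"datasource": {"type": "Microsoft.Storage/Blob", "properties": '
    '{"storageAccounts": [{"accountName": "", "accountKey": ""}], '
    '"container": "state", "pathPattern": "{date}/{time}", '
    '"dateFormat": "yyyy/MM/dd", "timeFormat": "HH"}}}}\n'
)

def extract_request_body(log_text):
    """Return the JSON logged on the line that follows 'Request body:'."""
    lines = log_text.splitlines()
    for i, line in enumerate(lines[:-1]):
        if line == PREFIX + "Request body:":
            return json.loads(lines[i + 1].removeprefix(PREFIX))
    raise ValueError("no 'Request body:' entry found in the log")

def key_paths(node, prefix=""):
    """Yield every dotted key path in a JSON value; list items share '[]'."""
    if isinstance(node, dict):
        for key, value in node.items():
            path = f"{prefix}.{key}" if prefix else key
            yield path
            yield from key_paths(value, path)
    elif isinstance(node, list):
        for item in node:
            yield from key_paths(item, prefix + "[]")

def dropped_paths(submitted, sent_body):
    """Keys the caller supplied that never reached the PUT body."""
    sent = sent_body.get("properties", {})
    return sorted(set(key_paths(submitted)) - set(key_paths(sent)))
```
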

Labels

Auto-Assign: Auto assign by bot
Service Attention: This issue is responsible by Azure service team.
Stream Analytics
customer-reported: Issues that are reported by GitHub users external to the Azure organization.
question: The issue doesn't require a change to the product in order to be resolved. Most issues start as that
