How Can I add A record PriateDNS zones, for VM that is created in same DNZ zone

Question

How Can I add A record PriateDNS zones, for VM that is created in same DNZ zone

demo user 20

Creation of Azure Policy creation to deploy private DNS records for virtual machines in private DNS zones

Write a policy that automatically deploys a private DNS record for virtual machines (effect DeployIfNotExists)
The created DNS record will be an A record that points to the VM’s private IP address

Is this really possible
We dont want to use Auto Registration feature available in Azure and only want to do Azure Policy way

Zafer KAYA 335 Reputation points MVP

2025-10-09T08:37:16.4733333+00:00
Yes — it’s technically possible to create an Azure Policy (DeployIfNotExists) that deploys an A record in a Private DNS Zone for each VM after it’s created, but with limitations:

The policy must use a managed identity that has permissions to write to the Private DNS Zone.

You must use a DeployIfNotExists effect that triggers an ARM (or Bicep) template to create the record.

The policy will only run after the VM exists, so it’s not truly instant (there’s a short delay after VM deployment).

You’ll need to pass the VM’s private IP address as a dynamic parameter in the template — this can only be fetched if the VM’s NIC resource is queryable at policy runtime.

Policy Overview

Scope: Resource type Microsoft.Compute/virtualMachines

Effect: DeployIfNotExists

Condition: VM exists and DNS A record does not exist

Deployment: Deploys an ARM template that creates an A record in your target Private DNS Zone

Assign a Managed Identity to the policy assignment:

The Managed Identity must have Contributor or Private DNS Zone Contributor rights on the DNS zone resource group.

Not real-time like auto-registration — relies on policy evaluation cycles.

Complex dependency: the policy must query VM → NIC → private IP.

The reference() chain can fail if the NIC is not yet provisioned.

Does not remove records when VMs are deleted (needs separate cleanup policy or automation).

If you don’t want full auto-registration:

Keep auto-registration disabled, but

Use a Logic App or Event Grid + Function App triggered on Microsoft.Compute/virtualMachines/write events to create or delete DNS records dynamically — faster, simpler to debug than Azure Policy.

demo user 20

Hi @Zafer KAYA Can you Please see if this policy definition is correct

{
  "properties": {
    "displayName": "VM Auto DNS Registration",
    "policyType": "Custom",
    "mode": "All",
    "description": "",
    "metadata": {
      "category": "Network",
      "createdBy": "2e755eea-6190-465e-bf2b-b2f71c61ad31",
      "createdOn": "2025-10-08T09:35:34.7907366Z",
      "updatedBy": "2e755eea-6190-465e-bf2b-b2f71c61ad31",
      "updatedOn": "2025-10-08T12:35:42.7126818Z"
    },
    "version": "1.0.0",
    "parameters": {
      "privateDnsZoneName": {
        "type": "String",
        "metadata": {
          "description": "Private DNS Zone name",
          "displayName": "Private DNS Zone Name"
        }
      },
      "recordTtl": {
        "type": "Integer",
        "metadata": {
          "description": "TTL for DNS A record.",
          "displayName": "Record TTL"
        },
        "defaultValue": 300
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/networkInterfaces"
          },
          {
            "field": "Microsoft.Network/virtualNetworks/subnets[*].networkSecurityGroup.networkInterfaces[*].virtualMachine.id",
            "exists": "true"
          },
          {
            "field": "Microsoft.Network/networkInterfaces/ipConfigurations[*].privateIPAddress",
            "exists": "true"
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.Network/privateDnsZones/A",
          "existenceCondition": {
            "field": "Microsoft.Network/privateDnsZones/A/fqdn",
            "equals": "[concat(field('name'), '.', parameters('privateDnsZoneName'))]"
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f",
            "/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "privateDnsZoneName": {
                  "value": "[parameters('privateDnsZoneName')]"
                },
                "recordTtl": {
                  "value": "[parameters('recordTtl')]"
                },
                "nicName": {
                  "value": "[field('name')]"
                },
                "nicResourceGroup": {
                  "value": "[resourceGroup().name]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "privateDnsZoneName": {
                    "type": "string"
                  },
                  "recordTtl": {
                    "type": "int"
                  },
                  "nicName": {
                    "type": "string"
                  },
                  "nicResourceGroup": {
                    "type": "string"
                  }
                },
                "variables": {
                  "nicRef": "[reference(resourceId(parameters('nicResourceGroup'), 'Microsoft.Network/networkInterfaces', parameters('nicName')), '2024-07-01', 'Full')]",
                  "privateIP": "[variables('nicRef').ipConfigurations[0].properties.privateIPAddress]"
                },
                "resources": [
                  {
                    "type": "Microsoft.Network/privateDnsZones/A",
                    "apiVersion": "2020-06-01",
                    "name": "[concat(parameters('privateDnsZoneName'), '/', parameters('nicName'))]",
                    "location": "global",
                    "properties": {
                      "TTL": "[parameters('recordTtl')]",
                      "aRecords": [
                        {
                          "ipv4Address": "[variables('privateIP')]"
                        }
                      ]
                    }
                  }
                ]
              }
            }
          }
        }
      }
    },
    "versions": [
      "1.0.0"
    ]
  },   
}

Zafer KAYA 335 Reputation points MVP

2025-10-10T08:28:41.0633333+00:00
Your Azure Policy definition is mostly correct and logically structured. However, you’ll need to make a few syntax and field adjustments before deployment:

Remove the trailing comma at the end of the JSON.

Replace "exists": "true" with "exists": true (boolean).

Simplify the VM check condition to:

{ "field": "Microsoft.Network/networkInterfaces/virtualMachine.id", "exists": true }

Adjust the existenceCondition to validate the record name instead of fqdn:

{ "field": "name", "equals": "[concat(field('name'), '.', parameters('privateDnsZoneName'))]" }

After these fixes, the policy will successfully create A records in the specified Private DNS zone for VMs’ NICs that have private IPs.

demo user 20

Hi @Zafer KAYA
Its not working.
So after making the changes, I Assigned the Policy to RG. Then Compliance State went to Non compliant. This was expected
Then I did remediation step , and after remidiation its the same error I am getting from long time
"No policy evaluation result was found. The policy assignment's exclusions may have changed or it no longer exists. Please retry the remediation with 'ResourceDiscoveryMode' set to 'ReEvaluateCompliance'."

While Creating Remediation task, if did checked the checkbox, to reEvaluate, but still its failed

{
  "properties": {
    "displayName": "VM Auto DNS Registration-QnA",
    "policyType": "Custom",
    "mode": "All",
    "description": "",
    "metadata": {
      "category": "Network",
      "createdBy": "2e755eea-6190-465e-bf2b-b2f71c61ad31",
      "createdOn": "2025-10-10T10:10:50.7103889Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "version": "1.0.0",
    "parameters": {
      "privateDnsZoneName": {
        "type": "String",
        "metadata": {
          "description": "Private DNS Zone name ",
          "displayName": "Private DNS Zone Name"
        }
      },
      "recordTtl": {
        "type": "Integer",
        "metadata": {
          "description": "TTL for DNS A record.",
          "displayName": "Record TTL"
        },
        "defaultValue": 300
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/networkInterfaces"
          },
          {
            "field": "Microsoft.Network/networkInterfaces/virtualMachine.id",
            "exists": true
          },
          {
            "field": "Microsoft.Network/networkInterfaces/ipConfigurations[*].privateIPAddress",
            "exists": true
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.Network/privateDnsZones/A",
          "existenceCondition": {
            "field": "name",
            "equals": "[concat(field('name'), '.', parameters('privateDnsZoneName'))]"
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f",
            "/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "privateDnsZoneName": {
                  "value": "[parameters('privateDnsZoneName')]"
                },
                "recordTtl": {
                  "value": "[parameters('recordTtl')]"
                },
                "nicName": {
                  "value": "[field('name')]"
                },
                "nicResourceGroup": {
                  "value": "[resourceGroup().name]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "privateDnsZoneName": {
                    "type": "string"
                  },
                  "recordTtl": {
                    "type": "int"
                  },
                  "nicName": {
                    "type": "string"
                  },
                  "nicResourceGroup": {
                    "type": "string"
                  }
                },
                "variables": {
                  "nicRef": "[reference(resourceId(parameters('nicResourceGroup'), 'Microsoft.Network/networkInterfaces', parameters('nicName')), '2024-07-01', 'Full')]",
                  "privateIP": "[variables('nicRef').ipConfigurations[0].properties.privateIPAddress]"
                },
                "resources": [
                  {
                    "type": "Microsoft.Network/privateDnsZones/A",
                    "apiVersion": "2020-06-01",
                    "name": "[concat(parameters('privateDnsZoneName'), '/', parameters('nicName'))]",
                    "location": "global",
                    "properties": {
                      "TTL": "[parameters('recordTtl')]",
                      "aRecords": [
                        {
                          "ipv4Address": "[variables('privateIP')]"
                        }
                      ]
                    }
                  }
                ]
              }
            }
          }
        }
      }
    },
    "versions": [
      "1.0.0"
    ]
  },
  "id": "/subscriptions/2af1d55e-f028-4da8-bc48-b8a8beccd95d/providers/Microsoft.Authorization/policyDefinitions/e7ebbd719e2046558fed1ab7",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e7ebbd719e2046558fed1ab7",
  "systemData": {
    "createdBy": "******@outlook.com",
    "createdByType": "User",
    "createdAt": "2025-10-10T10:10:50.5494508Z",
    "lastModifiedBy": "******@outlook.com",
    "lastModifiedByType": "User",
    "lastModifiedAt": "2025-10-10T10:10:50.5494508Z"
  }
}

Ravi Varma Mudduluru 3,625 Reputation points Microsoft External Staff Moderator

2025-10-10T18:23:10.0766667+00:00

Hello @demo user,

I am currently working on a lab and will update the thread once it is completed.
demo user 20 Reputation points

2025-10-13T09:54:39.2466667+00:00

Hello @Ravi Varma Mudduluru @Zafer KAYA Any luck on this ?
Ravi Varma Mudduluru 3,625 Reputation points Microsoft External Staff Moderator

2025-10-13T21:50:31.4233333+00:00

Hello @demo user,

I am still working on it will provide you an update ASAP once we complete the lab

Ravi Varma Mudduluru 3,625 Microsoft External Staff Moderator

Hello @demo user,

Thank for your patience

I have used the below policy definition to trigger the remediator task from the portal.

{
  "properties": {
    "displayName": "Deploy private DNS A record for VMs (DeployIfNotExists)",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Automatically deploys an A record for VMs in a Private DNS Zone if it doesn't exist",
    "metadata": {
      "category": "custom",
      "createdBy": "764d02b4-7923-4ef3-aa29-1a4596e8fec9",
      "createdOn": "2025-10-13T19:30:44.3956146Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "version": "1.0.0",
    "parameters": {
      "privateDnsZoneResourceId": {
        "type": "String",
        "metadata": {
          "displayName": "Private DNS Zone resourceId",
          "description": "ResourceId of the private DNS zone (example: /subscriptions/subscription ID/resourceGroups/rg/providers/Microsoft.Network/privateDnsZones/xxxx)"
        }
      },
      "recordTtl": {
        "type": "Integer",
        "metadata": {
          "displayName": "TTL (seconds)"
        },
        "defaultValue": 300
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          }
        ]
      },
      "then": {
        "effect": "DeployIfNotExists",
        "details": {
          "type": "Microsoft.Network/privateDnsZones/A",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f"
          ],
          "existenceCondition": {
            "field": "name",
            "like": "[concat(last(split(parameters('privateDnsZoneResourceId'), '/')), '/', toLower(field('name')))]"
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "privateDnsZoneResourceId": {
                  "value": "[parameters('privateDnsZoneResourceId')]"
                },
                "ttl": {
                  "value": "[parameters('recordTtl')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vmName": {
                    "type": "string"
                  },
                  "privateDnsZoneResourceId": {
                    "type": "string"
                  },
                  "ttl": {
                    "type": "int"
                  }
                },
                "resources": [
                  {
                    "type": "Microsoft.Network/privateDnsZones/A",
                    "apiVersion": "2024-06-01",
                    "name": "[concat(last(split(parameters('privateDnsZoneResourceId'), '/')), '/', toLower(parameters('vmName')))]",
                    "properties": {
                      "ttl": "[parameters('ttl')]",
                      "aRecords": [
                        {
                          "ipv4Address": "[reference(resourceId('Microsoft.Network/networkInterfaces', first(reference(resourceId('Microsoft.Compute/virtualMachines', parameters('vmName')),'2024-04-01').networkProfile.networkInterfaces).id), '2024-04-01').ipConfigurations[0].properties.privateIPAddress]"
                        }
                      ]
                    }
                  }
                ]
              }
            }
          }
        }
      }
    },
    "versions": [
      "1.0.0"
    ]
  },
  "id": "/subscriptions/subscrption ID/providers/Microsoft.Authorization/policyDefinitions/f6ed708017ae4459ab34ea56",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "f6ed708017ae4459ab34ea56",
  "systemData": {
    "createdBy": "@microsoft.com",
    "createdByType": "User",
    "createdAt": "2025-10-13T19:30:44.3387107Z",
    "lastModifiedBy": "@microsoft.com",
    "lastModifiedByType": "User",
    "lastModifiedAt": "2025-10-13T19:30:44.3387107Z"
  }
}

Even i am getting the same error "No policy evaluation result was found. The policy assignment's exclusions may have changed or it no longer exists. Please retry the remediation with 'ResourceDiscoveryMode' set to 'ReEvaluateCompliance'."

I am looking into this internally to see how we can resolve the issue and will update you once I have more information.

demo user 20 Reputation points

2025-10-15T05:57:20.21+00:00

Hi @Ravi Varma Mudduluru
Ther are Multiple ways , and the best what I figured out is using the network Interface.
But any ways what ever solution I am trying they are giving two error
"No policy evaluation result was found. The policy assignment's exclusions may have changed or it no longer exists. Please retry the remediation with 'ResourceDiscoveryMode' set to 'ReEvaluateCompliance'."

or

Error :

Reason for non-compliance

No related resources match the effect details in the policy definition. (Error code: ResourceNotFound)

Existence condition

Type

Microsoft.Network/privateDnsZones/A

Thanks for investigating, will wait for your further comments
Harish Peddapally 1,670 Reputation points Microsoft External Staff Moderator

2025-10-16T08:26:56.2+00:00
Hi demo user,

Good day, i hope you are great!

Thank you for your detailed updates and efforts in troubleshooting this issue.

The errors you are encountering, specifically "No policy evaluation result was found" and "ResourceNotFound," typically indicate that the policy evaluation process is not able to find resources matching the defined conditions or that the policy's scope/exclusions may need adjustment.

To troubleshoot further, I recommend verifying the following:

Ensure the policy assignment is correctly scoped to include the target resources (such as the VM or NICs).

Confirm that the resource IDs and parameters provided in the policy are accurate and match the existing resources.

Reattempt remediation with ResourceDiscoveryMode set to ReEvaluateCompliance to force a re-evaluation of resource compliance.

It may also be worthwhile to:

Double-check that the policy's existenceCondition accurately reflects the resource naming and structure.

Confirm that the managed identity assigned to the policy has sufficient permissions on all related resources.

Let me know if you want any assistance on this, thanks again for your patience!

Thanks,

Harish.
Harish Peddapally 1,670 Reputation points Microsoft External Staff Moderator

2025-10-22T03:15:39.2766667+00:00

Hi demo user,

Greetings for the day, i hope you are doing great!

Just checking to see if you have a chance to check my previous response and helped, do let me know if you have any further questions on this.

Thanks,

Harish.
demo user 20 Reputation points

2025-10-23T05:27:02.79+00:00

Hi @Harish Peddapally
Thanks for your Follow up
Yes I was able to solve the issue, I used Azure Policy (Json) + Shell script or Powershell (Based on OS) + Azure API to make this automation.
Still working on the further refinements

Thanks

Answer accepted by question author

0 additional answers

Your answer

Zafer KAYA 335 Reputation points MVP

2025-10-09T08:37:16.4733333+00:00

Yes — it’s technically possible to create an Azure Policy (DeployIfNotExists) that deploys an A record in a Private DNS Zone for each VM after it’s created, but with limitations:

The policy must use a managed identity that has permissions to write to the Private DNS Zone.

You must use a DeployIfNotExists effect that triggers an ARM (or Bicep) template to create the record.

The policy will only run after the VM exists, so it’s not truly instant (there’s a short delay after VM deployment).

You’ll need to pass the VM’s private IP address as a dynamic parameter in the template — this can only be fetched if the VM’s NIC resource is queryable at policy runtime.

Policy Overview

Scope: Resource type Microsoft.Compute/virtualMachines

Effect: DeployIfNotExists

Condition: VM exists and DNS A record does not exist

Deployment: Deploys an ARM template that creates an A record in your target Private DNS Zone

Assign a Managed Identity to the policy assignment:

The Managed Identity must have Contributor or Private DNS Zone Contributor rights on the DNS zone resource group.

Not real-time like auto-registration — relies on policy evaluation cycles.

Complex dependency: the policy must query VM → NIC → private IP.

The reference() chain can fail if the NIC is not yet provisioned.

Does not remove records when VMs are deleted (needs separate cleanup policy or automation).

If you don’t want full auto-registration:

Keep auto-registration disabled, but

Use a Logic App or Event Grid + Function App triggered on Microsoft.Compute/virtualMachines/write events to create or delete DNS records dynamically — faster, simpler to debug than Azure Policy.
Zafer KAYA 335 Reputation points MVP

2025-10-10T08:28:41.0633333+00:00

Your Azure Policy definition is mostly correct and logically structured. However, you’ll need to make a few syntax and field adjustments before deployment:

Remove the trailing comma at the end of the JSON.

Replace "exists": "true" with "exists": true (boolean).

Simplify the VM check condition to:

{ "field": "Microsoft.Network/networkInterfaces/virtualMachine.id", "exists": true }

Adjust the existenceCondition to validate the record name instead of fqdn:

{ "field": "name", "equals": "[concat(field('name'), '.', parameters('privateDnsZoneName'))]" }

After these fixes, the policy will successfully create A records in the specified Private DNS zone for VMs’ NICs that have private IPs.
Ravi Varma Mudduluru 3,625 Reputation points Microsoft External Staff Moderator

2025-10-10T18:23:10.0766667+00:00

Hello @demo user,

I am currently working on a lab and will update the thread once it is completed.
demo user 20 Reputation points

2025-10-13T09:54:39.2466667+00:00

Hello @Ravi Varma Mudduluru @Zafer KAYA Any luck on this ?
Ravi Varma Mudduluru 3,625 Reputation points Microsoft External Staff Moderator

2025-10-13T21:50:31.4233333+00:00

Hello @demo user,

I am still working on it will provide you an update ASAP once we complete the lab
demo user 20 Reputation points

2025-10-15T05:57:20.21+00:00

Hi @Ravi Varma Mudduluru
Ther are Multiple ways , and the best what I figured out is using the network Interface.
But any ways what ever solution I am trying they are giving two error
"No policy evaluation result was found. The policy assignment's exclusions may have changed or it no longer exists. Please retry the remediation with 'ResourceDiscoveryMode' set to 'ReEvaluateCompliance'."

or

Error :

Reason for non-compliance

No related resources match the effect details in the policy definition. (Error code: ResourceNotFound)

Existence condition

Type

Microsoft.Network/privateDnsZones/A

Thanks for investigating, will wait for your further comments
Harish Peddapally 1,670 Reputation points Microsoft External Staff Moderator

2025-10-16T08:26:56.2+00:00

Hi demo user,

Good day, i hope you are great!

Thank you for your detailed updates and efforts in troubleshooting this issue.

The errors you are encountering, specifically "No policy evaluation result was found" and "ResourceNotFound," typically indicate that the policy evaluation process is not able to find resources matching the defined conditions or that the policy's scope/exclusions may need adjustment.

To troubleshoot further, I recommend verifying the following:

Ensure the policy assignment is correctly scoped to include the target resources (such as the VM or NICs).

Confirm that the resource IDs and parameters provided in the policy are accurate and match the existing resources.

Reattempt remediation with ResourceDiscoveryMode set to ReEvaluateCompliance to force a re-evaluation of resource compliance.

It may also be worthwhile to:

Double-check that the policy's existenceCondition accurately reflects the resource naming and structure.

Confirm that the managed identity assigned to the policy has sufficient permissions on all related resources.

Let me know if you want any assistance on this, thanks again for your patience!

Thanks,

Harish.
Harish Peddapally 1,670 Reputation points Microsoft External Staff Moderator

2025-10-22T03:15:39.2766667+00:00

Hi demo user,

Greetings for the day, i hope you are doing great!

Just checking to see if you have a chance to check my previous response and helped, do let me know if you have any further questions on this.

Thanks,

Harish.
demo user 20 Reputation points

2025-10-23T05:27:02.79+00:00

Hi @Harish Peddapally
Thanks for your Follow up
Yes I was able to solve the issue, I used Azure Policy (Json) + Shell script or Powershell (Based on OS) + Azure API to make this automation.
Still working on the further refinements

Thanks

Answer 1

Hi demo user,

Welcome to Microsoft Q&A and thank you for posting your query here!

Creating A records for VMs in Azure Private DNS zones using Azure Policy (DeployIfNotExists) is indeed possible but presents notable practical challenges and limitations, which can cause the errors you experienced such as:

"No policy evaluation result was found" — often due to timing issues where the policy runs before the VM’s network interface (NIC) and private IP are queryable.

"ResourceNotFound" for existence conditions — when the DNS record name or resource is not matching exactly or available at the evaluation time.

Reference chaining (VM → NIC → Private IP) can fail if resources are not provisioned or accessible during policy evaluation.

Remediation tasks requiring ResourceDiscoveryMode set to ReEvaluateCompliance sometimes still don't resolve compliance due to scope or timing issues.

Key reasons for difficulties:

The policy evaluates asynchronously after VM creation, meaning NIC and IP details may not be ready, breaking references.
The DNS A record existence condition must precisely match naming conventions in the private DNS zone, including case sensitivity.
The pure DeployIfNotExists effect in policy lacks instant or real-time registration and cannot automatically clean up records after VM deletion.

Recommended practical approach:

As you found, combining Azure Policy with custom automation scripts (PowerShell or shell) and the Azure REST API is the best reliable pattern:

Use Azure Policy to detect non-compliant VMs (without DNS A records).
Trigger an automated remediation task running a script with a Managed Identity having Private DNS Zone Contributor rights.
This script queries the VM’s NIC to retrieve its private IP and creates/updates the corresponding A record using the Azure REST API.
This hybrid method avoids the pitfalls of direct DeployIfNotExists ARM template references and improves control, logging, and error handling.

Additional recommendations:

Verify the Managed Identity used in policy remediation has appropriate permissions on Private DNS zone resource groups.
Carefully confirm that existence conditions in your policy accurately reflect your DNS naming scheme.
Scope the policy assignment correctly to cover VMs or NICs as needed.
Disable Azure VM auto-registration if you want full control through policy and automation.
Always specify ResourceDiscoveryMode as ReEvaluateCompliance during remediation to force policy re-evaluation.
Consider using Azure built-in policies or initiatives related to Private DNS and Private Link where applicable.

References for further study:

Azure Policy definition structure and DeployIfNotExists effect: https://learn.microsoft.com/azure/governance/policy/concepts/definition-structure
Troubleshooting ARM deployment errors such as ResourceNotFound: https://learn.microsoft.com/azure/azure-resource-manager/troubleshooting/common-deployment-errors
Private DNS zone management best practices and records overview: https://learn.microsoft.com/azure/dns/private-dns-overview

Your solution using Azure Policy combined with scripts and API automation is the recommended path when you don’t want to rely on Azure VM auto-registration. This hybrid approach is flexible, reliable, and easier to maintain.

Feel free to reach out to us if you need any assistance on this!

If the information resolved your issue, kindly consider accepting the answer — it will help others who might be facing similar challenges.

Thanks,

Harish.

Share via

How Can I add A record PriateDNS zones, for VM that is created in same DNZ zone

0 additional answers

Your answer