How to resolve Azure Image Builder issue “Internal error occurred”

“Internal error occurred” is probably the vaguest error there is in the wider IT landscape. The other day, just like any other day before, we tried to deploy several new Azure Virtual Desktop Image Templates with Azure Image Builder. Now for some reason, all of these deployments started failing with the following message.

The first step was to investigate the common errors on the Microsoft Docs site. The only active reference on the troubleshooting page is to review the permissions of your managed identity. Being 100% sure that this managed identity had the right set of permissions, I verified my Custom Role definition for completeness. And yes, indeed, I had the right set of permissions.

After some investigation with Microsoft support, we got some more insights into the back-end error details. Retrying our deployment now didn’t end in an “Internal Error occurred” message. We now got full details on the error message. Pointing us directly to the underlying issue.

{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"ValidationFailed","message":"Validation failed: Code=\"RequestDisallowedByPolicy\" Message=\"Resource 'xrqw5ms0znrqljagy2uoc6v7' was disallowed by policy. Policy identifiers: '[{\\\"policyAssignment\\\":{\\\"name\\\":\\\"Default - Governance\\\",\\\"id\\\":\\\"/subscriptions/d97b150c-eb85-48a8-b30f-3bc8da9d3128/providers/Microsoft.Authorization/policyAssignments/Default - Governance\\\"},\\\"policyDefinition\\\":{\\\"name\\\":\\\"Storage accounts should be limited by allowed SKUs\\\",\\\"id\\\":\\\"/providers/Microsoft.Authorization/policyDefinitions/7433c107-6db4-4ad1-b57a-a76dce0154a1\\\"},\\\"policySetDefinition\\\":{\\\"name\\\":\\\"Default - Governance\\\",\\\"id\\\":\\\"/subscriptions/subscriptionid/providers/Microsoft.Authorization/policySetDefinitions/Default - Governance\\\"}}]'.\" Target=\"xrqw5ms0znrqljagy2uoc6v7\" AdditionalInfo=[{\"info\":{\"evaluationDetails\":{\"evaluatedExpressions\":[{\"expression\":\"type\",\"expressionKind\":\"Field\",\"expressionValue\":\"Microsoft.Storage/storageAccounts\",\"operator\":\"Equals\",\"path\":\"type\",\"result\":\"True\",\"targetValue\":\"Microsoft.Storage/storageAccounts\"},{\"expression\":\"Microsoft.Storage/storageAccounts/sku.name\",\"expressionKind\":\"Field\",\"expressionValue\":\"Standard_ZRS\",\"operator\":\"In\",\"path\":\"sku.name\",\"result\":\"False\",\"targetValue\":[\"Premium_LRS\",\"Standard_LRS\"]}]},\"policyAssignmentDisplayName\":\"Default - Governance\",\"policyAssignmentId\":\"/subscriptions/subscriptionid/providers/Microsoft.Authorization/policyAssignments/Default - Governance\",\"policyAssignmentName\":\"Default - Governance\",\"policyAssignmentScope\":\"/subscriptions/subscriptionid\",\"policyDefinitionDisplayName\":\"Storage accounts should be limited by allowed SKUs\",\"policyDefinitionEffect\":\"Deny\",\"policyDefinitionId\":\"/providers/Microsoft.Authorization/policyDefinitions/7433c107-6db4-4ad1-b57a-a76dce0154a1\",\"policyDefinitionName\":\"7433c107-6db4-4ad1-b57a-a76dce0154a1\",\"policyDefinitionReferenceId\":\"12968143408852908784\",\"policySetDefinitionDisplayName\":\"Default - Governance\",\"policySetDefinitionId\":\"/subscriptions/subscriptionid/providers/Microsoft.Authorization/policySetDefinitions/Default - Governance\",\"policySetDefinitionName\":\"Default - Governance\"},\"type\":\"PolicyViolation\"}]"}]}”

An Azure Policy assignment which only allowed Standard_LRS and Premium_LRS, was getting in our way. It turns out that Azure Image Builder is now using Standard_ZRS storage to build its images.

Tip: When using Azure Image Builder, try to exclude the AIB Resource Group from Azure Policy or review potential blocking policies

After we changed our policy assignment to include Standard_ZRS storage, our Image Building continued to work as before.
Currently, it’s unclear whether or not Microsoft changed something to the back-end storage of the Image template. So my advice, review your Azure Policies if you suddenly started experiencing issues with Azure Image Builder.

Thank you!

Thank you for reading through this blog post. I hope I have been able to assist you in troubleshooting Azure Image builder issues.

If you encounter any new insights, feel free to drop me a comment or contact me via mail or other social media channels

2 thoughts on “How to resolve Azure Image Builder issue “Internal error occurred”

Leave a Reply

Your email address will not be published. Required fields are marked *

Please reload

Please Wait