
Issue adding default ruleset Microsoft_DefaultRuleSet 2.1 to WAF policy for Azure Front Door Premium #9049

@hgjura


Describe the bug

I am trying to create a WAF Policy and assign it the Microsoft_DefaultRuleSet 2.1.
I am using Azure CLI 2.76.0.

I am getting this error: "(BadRequest) WebApplicationFirewallPolicy validation failed. More information "This rule set action value is not supported.".
Code: BadRequest"

I have tried way too many options and it seems the only way to get this working is by creating an ARM file and deploying it as ARM, which I don't want to do, since that is what the CLI is there for.

Also, this fails after the WAF has been created, and it happens when it tries to add the default ruleset. If I do this manually in the portal, it works just fine.

Thanks.

    #  "azure-cli": "2.76.0"

    #!/bin/bash
    
    resource_group="shared-rg"
    policy_name="wafpolicy01"
    mode="Prevention"
    DEFAULT_RULESET_TYPE="Microsoft_DefaultRuleSet"
    DEFAULT_RULESET_VERSION="2.1"
    DEFAULT_SKU="Premium_AzureFrontDoor"


    echo "Creating WAF policy with Microsoft Default Rule Set ..."
    
    az network front-door waf-policy create \
        --resource-group "$resource_group" \
        --name "$policy_name" \
        --sku "$DEFAULT_SKU" \
        --mode "$mode" \
        --only-show-errors \
        --output none

    echo "Adding Microsoft Default Rule Set ..."

    az network front-door waf-policy managed-rules add \
        --resource-group "$resource_group" \
        --policy-name "$policy_name" \
        --type "$DEFAULT_RULESET_TYPE" \
        --version "$DEFAULT_RULESET_VERSION" \
        --only-show-errors \
        --output none

Related command

az network front-door waf-policy managed-rules add

Errors

(BadRequest) WebApplicationFirewallPolicy validation failed. More information "This rule set action value is not supported.".
Code: BadRequest"

Issue script & Debug output

[INFO] Adding Microsoft Default Rule Set v2.1...
cli.knack.cli: Command arguments: ['network', 'front-door', 'waf-policy', 'managed-rules', 'add', '--resource-group', 'shared-rg', '--policy-name', 'testwafpolicy2', '--type', 'Microsoft_DefaultRuleSet', '--version', '2.1', '--debug']
cli.knack.cli: init debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x102fef2e0>, <function OutputProducer.on_global_arguments at 0x1031b8360>, <function CLIQuery.on_global_arguments at 0x1031d5b20>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'network': ['azure.cli.command_modules.network', 'azure.cli.command_modules.privatedns', 'azext_front_door']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: network 0.218 120 368
cli.azure.cli.core: privatedns 0.005 14 60
cli.azure.cli.core: Total (2) 0.223 134 428
cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name Load Time Groups Commands Directory
cli.azure.cli.core: front-door 0.014 19 77 /Users/hgjura/.azure/cliextensions/front-door
cli.azure.cli.core: Total (1) 0.014 19 77
cli.azure.cli.core: Loaded 151 groups, 505 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : network front-door waf-policy managed-rules add
cli.azure.cli.core: Command table: network front-door waf-policy managed-rules add
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x104617c40>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/Users/hgjura/.azure/commands/2025-08-10.16-13-13.network_front-door_waf-policy_managed-rules_add.99301.log'.
az_command_data_logger: command args: network front-door waf-policy managed-rules add --resource-group {} --policy-name {} --type {} --version {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0x104664860>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x104667100>, <function register_cache_arguments..add_cache_arguments at 0x104667240>, <function register_upcoming_breaking_change_info..update_breaking_change_info at 0x1046672e0>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x1031b8400>, <function CLIQuery.handle_query_parameter at 0x1031d5bc0>, <function register_ids_argument..parse_ids_arguments at 0x1046671a0>]
az_command_data_logger: extension name: front-door
az_command_data_logger: extension version: 1.3.0
cli.azure.cli.core.commands.client_factory: Getting management service client client_type=FrontDoorManagementClient
cli.azure.cli.core.auth.persistence: build_persistence: location='/Users/hgjura/.azure/msal_token_cache.json', encrypt=False
cli.azure.cli.core.auth.binary_cache: load: /Users/hgjura/.azure/msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/f0b13894-da42-4e32-a1fd-5b22ebdc47f4
msal.authority: openid_config("https://login.microsoftonline.com/f0b13894-da42-4e32-a1fd-5b22ebdc47f4/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/f0b13894-da42-4e32-a1fd-5b22ebdc47f4/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/f0b13894-da42-4e32-a1fd-5b22ebdc47f4/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/f0b13894-da42-4e32-a1fd-5b22ebdc47f4/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/f0b13894-da42-4e32-a1fd-5b22ebdc47f4/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/f0b13894-da42-4e32-a1fd-5b22ebdc47f4/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/f0b13894-da42-4e32-a1fd-5b22ebdc47f4/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/f0b13894-da42-4e32-a1fd-5b22ebdc47f4/kerberos', 'tenant_region_scope': 'NA', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? None
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token_info: scopes=('https://management.core.windows.net//.default',), options={}
cli.azure.cli.core.auth.msal_credentials: UserCredential.acquire_token: scopes=['https://management.core.windows.net//.default'], claims_challenge=None, kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: d0e560da-58fe-4dfd-a06b-33f9f09176e8
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/9f67224d-0a46-439a-bb56-f7f7acdee1e3/resourceGroups/shared-rg/providers/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/testwafpolicy2?api-version=2024-02-01'
cli.azure.cli.core.sdk.policies: Request method: 'GET'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies: 'Accept': 'application/json'
cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': '7141b2ca-7626-11f0-893a-5219b79f62af'
cli.azure.cli.core.sdk.policies: 'CommandName': 'network front-door waf-policy managed-rules add'
cli.azure.cli.core.sdk.policies: 'ParameterSetName': '--resource-group --policy-name --type --version --debug'
cli.azure.cli.core.sdk.policies: 'User-Agent': 'AZURECLI/2.76.0 (HOMEBREW) azsdk-python-core/1.35.0 Python/3.12.11 (macOS-15.6-arm64-arm-64bit)'
cli.azure.cli.core.sdk.policies: 'Authorization': ''
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: This request has no body
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "GET /subscriptions/9f67224d-0a46-439a-bb56-f7f7acdee1e3/resourceGroups/shared-rg/providers/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/testwafpolicy2?api-version=2024-02-01 HTTP/1.1" 200 763
cli.azure.cli.core.sdk.policies: Response status: 200
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies: 'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Content-Length': '763'
cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies: 'Expires': '-1'
cli.azure.cli.core.sdk.policies: 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies: 'x-ms-request-id': 'c31a6fef-c41a-4209-b4af-ae7c30ce4369'
cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': '7141b2ca-7626-11f0-893a-5219b79f62af'
cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-reads': '249'
cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-global-reads': '3749'
cli.azure.cli.core.sdk.policies: 'x-ms-correlation-request-id': 'c28fca01-3284-425e-8ae3-dcba80c2e32c'
cli.azure.cli.core.sdk.policies: 'x-ms-routing-request-id': 'CANADACENTRAL:20250810T201313Z:c28fca01-3284-425e-8ae3-dcba80c2e32c'
cli.azure.cli.core.sdk.policies: 'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies: 'X-Cache': 'CONFIG_NOCACHE'
cli.azure.cli.core.sdk.policies: 'X-MSEdge-Ref': 'Ref A: 12E62E8F2C2444A7B733BD41A6C893F2 Ref B: YQ1AA2090602031 Ref C: 2025-08-10T20:13:13Z'
cli.azure.cli.core.sdk.policies: 'Date': 'Sun, 10 Aug 2025 20:13:12 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"id":"/subscriptions/9f67224d-0a46-439a-bb56-f7f7acdee1e3/resourcegroups/shared-rg/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/testwafpolicy2","type":"Microsoft.Network/frontdoorwebapplicationfirewallpolicies","name":"testwafpolicy2","location":"Global","tags":{},"sku":{"name":"Premium_AzureFrontDoor"},"properties":{"policySettings":{"enabledState":"Enabled","mode":"Prevention","redirectUrl":null,"customBlockResponseStatusCode":null,"customBlockResponseBody":null,"requestBodyCheck":"Enabled","javascriptChallengeExpirationInMinutes":30,"logScrubbing":null},"customRules":{"rules":[]},"managedRules":{"managedRuleSets":[]},"frontendEndpointLinks":[],"securityPolicyLinks":[],"resourceState":"Enabled","provisioningState":"Succeeded"}}
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/9f67224d-0a46-439a-bb56-f7f7acdee1e3/resourceGroups/shared-rg/providers/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/testwafpolicy2?api-version=2024-02-01'
cli.azure.cli.core.sdk.policies: Request method: 'PUT'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json'
cli.azure.cli.core.sdk.policies: 'Content-Length': '378'
cli.azure.cli.core.sdk.policies: 'Accept': 'application/json'
cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': '7141b2ca-7626-11f0-893a-5219b79f62af'
cli.azure.cli.core.sdk.policies: 'CommandName': 'network front-door waf-policy managed-rules add'
cli.azure.cli.core.sdk.policies: 'ParameterSetName': '--resource-group --policy-name --type --version --debug'
cli.azure.cli.core.sdk.policies: 'User-Agent': 'AZURECLI/2.76.0 (HOMEBREW) azsdk-python-core/1.35.0 Python/3.12.11 (macOS-15.6-arm64-arm-64bit)'
cli.azure.cli.core.sdk.policies: 'Authorization': ''
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: {"location": "Global", "tags": {}, "sku": {"name": "Premium_AzureFrontDoor"}, "properties": {"policySettings": {"enabledState": "Enabled", "mode": "Prevention", "requestBodyCheck": "Enabled", "javascriptChallengeExpirationInMinutes": 30}, "customRules": {"rules": []}, "managedRules": {"managedRuleSets": [{"ruleSetType": "Microsoft_DefaultRuleSet", "ruleSetVersion": "2.1"}]}}}
urllib3.connectionpool: https://management.azure.com:443 "PUT /subscriptions/9f67224d-0a46-439a-bb56-f7f7acdee1e3/resourceGroups/shared-rg/providers/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/testwafpolicy2?api-version=2024-02-01 HTTP/1.1" 400 178
cli.azure.cli.core.sdk.policies: Response status: 400
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies: 'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Content-Length': '178'
cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json'
cli.azure.cli.core.sdk.policies: 'Expires': '-1'
cli.azure.cli.core.sdk.policies: 'x-ms-operation-identifier': 'tenantId=f0b13894-da42-4e32-a1fd-5b22ebdc47f4,objectId=35105e9c-c883-4b30-a51b-f6c135afffa1/canadacentral/139bee86-c583-4c07-aba9-1af65e7ac840'
cli.azure.cli.core.sdk.policies: 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies: 'x-ms-request-id': 'a5044987-2856-497f-8454-04bcaa2d0465'
cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': '7141b2ca-7626-11f0-893a-5219b79f62af'
cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-writes': '199'
cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-global-writes': '2999'
cli.azure.cli.core.sdk.policies: 'x-ms-correlation-request-id': '443b74a9-7b9f-4985-ab60-5cc0afc38f1f'
cli.azure.cli.core.sdk.policies: 'x-ms-routing-request-id': 'CANADACENTRAL:20250810T201313Z:443b74a9-7b9f-4985-ab60-5cc0afc38f1f'
cli.azure.cli.core.sdk.policies: 'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies: 'X-Cache': 'CONFIG_NOCACHE'
cli.azure.cli.core.sdk.policies: 'X-MSEdge-Ref': 'Ref A: 6FAD3398D2774F5D976B0E104B926C8D Ref B: YQ1AA2090602031 Ref C: 2025-08-10T20:13:13Z'
cli.azure.cli.core.sdk.policies: 'Date': 'Sun, 10 Aug 2025 20:13:13 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {
"error": {
"code": "BadRequest",
"message": "WebApplicationFirewallPolicy validation failed. More information "This rule set action value is not supported."."
}
}
cli.azure.cli.core.azclierror: Traceback (most recent call last):
File "/opt/homebrew/Cellar/azure-cli/2.76.0/libexec/lib/python3.12/site-packages/knack/cli.py", line 233, in invoke
cmd_result = self.invocation.execute(args)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/homebrew/Cellar/azure-cli/2.76.0/libexec/lib/python3.12/site-packages/azure/cli/core/commands/init.py", line 666, in execute
raise ex
File "/opt/homebrew/Cellar/azure-cli/2.76.0/libexec/lib/python3.12/site-packages/azure/cli/core/commands/init.py", line 734, in _run_jobs_serially
results.append(self._run_job(expanded_arg, cmd_copy))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/homebrew/Cellar/azure-cli/2.76.0/libexec/lib/python3.12/site-packages/azure/cli/core/commands/init.py", line 703, in _run_job
result = cmd_copy(params)
^^^^^^^^^^^^^^^^
File "/opt/homebrew/Cellar/azure-cli/2.76.0/libexec/lib/python3.12/site-packages/azure/cli/core/commands/init.py", line 336, in call
return self.handler(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/homebrew/Cellar/azure-cli/2.76.0/libexec/lib/python3.12/site-packages/azure/cli/core/commands/command_operation.py", line 120, in handler
return op(**command_args)
^^^^^^^^^^^^^^^^^^
File "/Users/hgjura/.azure/cliextensions/front-door/azext_front_door/custom.py", line 841, in add_azure_managed_rule_set
return client.begin_create_or_update(resource_group_name, policy_name, policy)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/homebrew/Cellar/azure-cli/2.76.0/libexec/lib/python3.12/site-packages/azure/core/tracing/decorator.py", line 119, in wrapper_use_tracer
return func(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^
File "/Users/hgjura/.azure/cliextensions/front-door/azext_front_door/vendored_sdks/operations/_policies_operations.py", line 624, in begin_create_or_update
raw_result = self._create_or_update_initial(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/Users/hgjura/.azure/cliextensions/front-door/azext_front_door/vendored_sdks/operations/_policies_operations.py", line 519, in _create_or_update_initial
raise HttpResponseError(response=response, model=error, error_format=ARMErrorFormat)
azure.core.exceptions.HttpResponseError: (BadRequest) WebApplicationFirewallPolicy validation failed. More information "This rule set action value is not supported.".
Code: BadRequest
Message: WebApplicationFirewallPolicy validation failed. More information "This rule set action value is not supported.".

cli.azure.cli.core.azclierror: (BadRequest) WebApplicationFirewallPolicy validation failed. More information "This rule set action value is not supported.".
Code: BadRequest
Message: WebApplicationFirewallPolicy validation failed. More information "This rule set action value is not supported.".
az_command_data_logger: (BadRequest) WebApplicationFirewallPolicy validation failed. More information "This rule set action value is not supported.".
Code: BadRequest
Message: WebApplicationFirewallPolicy validation failed. More information "This rule set action value is not supported.".
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x104617ec0>]
az_command_data_logger: exit code: 1
cli.main: Command ran in 1.055 seconds (init: 0.073, invoke: 0.983)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 4407 in cache file under /Users/hgjura/.azure/telemetry/20250810161313943
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "/opt/homebrew/Cellar/azure-cli/2.76.0/libexec/bin/python /opt/homebrew/Cellar/azure-cli/2.76.0/libexec/lib/python3.12/site-packages/azure/cli/telemetry/init.py /Users/hgjura/.azure /Users/hgjura/.azure/telemetry/20250810161313943"
telemetry.process: Return from creating process 99306
telemetry.main: Finish creating telemetry upload process.

Expected behavior

This should be able to add the default ruleset, in this case 2.1, with no errors.

Environment Summary

azure-cli 2.76.0

Additional context

No response
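A triage helper for the debug output above, added here as an example and not part of the original issue or of Azure CLI: it pulls each PUT body out of `az --debug` lines and lists the managed rule sets sent without a `ruleSetAction` property. Assumptions: `ruleSetAction` is the ARM field the error text refers to (the log is consistent with that, the issue does not confirm it); the first sample PUT is abridged from the log above and the second is constructed for contrast.

```python
import json

SDK_PREFIX = "cli.azure.cli.core.sdk.policies: "

# Sample input: abridged from the issue's debug log, plus one constructed PUT.
SAMPLE_LOG = [
    "cli.azure.cli.core.sdk.policies: Request method: 'GET'",
    "cli.azure.cli.core.sdk.policies: Request body:",
    "cli.azure.cli.core.sdk.policies: This request has no body",
    "cli.azure.cli.core.sdk.policies: Request method: 'PUT'",
    "cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json'",
    "cli.azure.cli.core.sdk.policies: Request body:",
    'cli.azure.cli.core.sdk.policies: {"location": "Global", "sku": {"name": "Premium_AzureFrontDoor"}, '
    '"properties": {"managedRules": {"managedRuleSets": '
    '[{"ruleSetType": "Microsoft_DefaultRuleSet", "ruleSetVersion": "2.1"}]}}}',
    'urllib3.connectionpool: https://management.azure.com:443 "PUT ... HTTP/1.1" 400 178',
    # Constructed for contrast: the same rule set with an explicit action.
    "cli.azure.cli.core.sdk.policies: Request method: 'PUT'",
    "cli.azure.cli.core.sdk.policies: Request body:",
    'cli.azure.cli.core.sdk.policies: {"properties": {"managedRules": {"managedRuleSets": '
    '[{"ruleSetType": "Microsoft_DefaultRuleSet", "ruleSetVersion": "2.1", "ruleSetAction": "Block"}]}}}',
]


def put_bodies(debug_lines):
    """Yield the parsed JSON body of every PUT request logged by the SDK policy logger."""
    method, expect_body = None, False
    for raw in debug_lines:
        if not raw.startswith(SDK_PREFIX):
            continue  # urllib3, msal, telemetry and continuation lines
        text = raw[len(SDK_PREFIX):].strip()
        if text.startswith("Request method:"):
            method = text.split(":", 1)[1].strip().strip("'")
        elif text == "Request body:":
            expect_body = True
        elif expect_body:
            expect_body = False
            if method == "PUT" and text.startswith("{"):
                yield json.loads(text)


def rule_sets_without_action(body):
    """Return (type, version) for each managed rule set with no ruleSetAction."""
    rule_sets = (body.get("properties", {})
                     .get("managedRules", {})
                     .get("managedRuleSets", []))
    return [(rs.get("ruleSetType"), rs.get("ruleSetVersion"))
            for rs in rule_sets if not rs.get("ruleSetAction")]


def audit(debug_lines):
    """One result list per PUT request, in log order."""
    return [rule_sets_without_action(body) for body in put_bodies(debug_lines)]


if __name__ == "__main__":
    for number, missing in enumerate(audit(SAMPLE_LOG), start=1):
        print(f"PUT #{number}: rule sets without ruleSetAction: {missing}")
```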
