| Allowed Storage Account SKUs | Deny | Determines if a storage account being deployed is within a set of SKU sizes. Its effect is to deny all storage accounts that don't adhere to the set of defined SKU sizes. |
| Allowed Resource Type | Deny | Defines the resource types that you can deploy. Its effect is to deny all resources that aren't part of this defined list. |
| Allowed Locations | Deny | Restricts the available locations for new resources. Its effect is used to enforce your geo-compliance requirements. |
| Allowed Virtual Machine SKUs | Deny | Specifies a set of virtual machine SKUs that you can deploy. |
| Add a tag to resources | Modify | Applies a required tag and its default value if it's not specified by the deploy request. |
| Not allowed resource types | Deny | Prevents a list of resource types from being deployed. |