Diff Ignore List
Browse, search, add, and remove tenant-wide ignore rules. Open Settings > Ignore List from the left sidebar. The page header reads Data Exclusions; this documentation covers the Diff Ignore List section on that page.
Permissions
Viewing the rule list requires read access to ignore rules. Adding and removing rules requires write access. Without write access, the Add Rule button and trash icons are disabled.
Two Sections, Same Page
The Data Exclusions page hosts two unrelated features:
- Scope Exclusions, at the top of the page, controls which management groups, subscriptions, or resource groups get scanned. See Scope Exclusions in the Automated Scanning docs.
- Diff Ignore List, below it, holds the property-level rules covered on this page.
The left sidebar still calls this entry Ignore List even though the page header reads Data Exclusions.
The Rule Table
Every rule appears as a row in a sortable table with three columns:
- Property Key
- The exact property key the rule matches. Examples: etag, properties.provisioningState, properties.subnets[].properties.addressPrefix.
- Resource Type
- A pill showing the Azure resource type the rule applies to, or Global when it applies to every resource type.
- Actions
- A red trash icon. Opens the Remove Ignore Rule confirmation dialog.
Default rules look the same as custom rules
Around 35 default rules ship with every install. They appear in the table from day one and behave identically to rules you add yourself. You can remove any of them.
Search and Filter
Two controls sit above the table:
- Search Property Keys
- Type any part of a key to filter the table. Matches the property key only, not the resource type.
- Filter by Resource Type
- Dropdown with All types, Global, and an entry for every Azure resource type that has at least one rule. Disabled when the rule list is empty.
Search and filter combine
A property-key search and a resource-type filter are AND-ed together. Use both to home in on a specific rule fast.
Adding a Rule
Click Add Rule at the top-right of the Diff Ignore List section. The Add Ignore Rule dialog opens.
Advanced Feature
The dialog itself displays a yellow warning: "Advanced feature, requires exact property path knowledge. Most users should add ignore rules from the Changes view instead." The eye-slash workflow in the diff is faster and avoids typos. See Comparing Scans.
- Type the Property Key. Required. The dialog shows three example formats:
  - Simple keys: etag, provisioningState, timestamp
  - Nested paths: properties.vmId, properties.instanceView
  - Array paths: properties.privateEndpointConnections[].properties.provisioningState
- Optionally type a Resource Type. Placeholder reads e.g., Microsoft.Compute/virtualMachines (leave empty for global). Leaving it empty creates a Global rule.
- Click Add Rule. The button stays disabled until Property Key has content.
Array paths must use empty brackets
Use properties.subnets[].properties.name, not properties.subnets[0].properties.name. Indexed array paths won't match anything.
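A pre-check for keys copied out of resource JSON, where array elements usually carry an index. This is an added example, not the product's own code: the function names are hypothetical, and it models only what this page states (empty brackets for arrays, an empty Resource Type meaning Global, duplicates compared on key plus resource type).

```python
import re

# An indexed array segment such as [0] or [12], which the dialog will not match.
INDEXED_SEGMENT = re.compile(r"\[\d+\]")

GLOBAL = "Global"  # label the rule table shows when no resource type is set


def lint_key(property_key):
    """Return a list of problems with a key exactly as it was typed."""
    problems = []
    if not property_key.strip():
        problems.append("Property Key is required")
    if property_key != property_key.strip():
        problems.append("leading or trailing whitespace")
    for segment in INDEXED_SEGMENT.findall(property_key):
        problems.append(f"indexed array segment {segment}; use [] instead")
    return problems


def normalize_rule(property_key, resource_type=""):
    """Return the (key, resource type) pair to enter in the Add Ignore Rule dialog."""
    key = property_key.strip()
    if not key:
        raise ValueError("Property Key is required")
    key = INDEXED_SEGMENT.sub("[]", key)          # subnets[0] -> subnets[]
    return key, (resource_type.strip() or GLOBAL)  # empty type -> Global


def add_rule(rules, property_key, resource_type=""):
    """Add to `rules` (a set of pairs). False means the rule already existed."""
    rule = normalize_rule(property_key, resource_type)
    if rule in rules:
        return False  # same key and resource type: nothing is added
    rules.add(rule)
    return True


if __name__ == "__main__":
    # Constructed sample input: paths as they might be copied from resource JSON.
    rules = set()
    for key, rtype in [
        ("etag", ""),
        ("properties.subnets[0].properties.name", "Microsoft.Network/virtualNetworks"),
        ("properties.subnets[3].properties.name", "Microsoft.Network/virtualNetworks"),
    ]:
        print(lint_key(key), normalize_rule(key, rtype), add_rule(rules, key, rtype))
```

The second and third sample paths collapse to the same key, so the third is reported as a duplicate rather than added.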
Use the Changes diff for nested paths
For a rule that targets a specific nested property tied to a resource type, the eye-slash button in the Changes diff is the recommended path: it picks up the exact property you clicked on.
Removing a Rule
Click the trash icon in the Actions column. The Remove Ignore Rule dialog opens with:
- Property Key
- The key being removed.
- Resource Type
- The resource type, or All Resources when the rule is Global.
Confirm with Remove Rule (red button) or back out with Cancel.
Removal cannot be undone
The dialog body reads: "This action cannot be undone and will immediately remove this ignore rule." The property starts appearing in the Changes view from the moment you confirm. To restore the rule, add it back manually.
Behavior
Rules are tenant-wide
Every rule applies to every user, every comparison, and every future scan. Add and remove with care.
Duplicate rules are silently ignored
If a new rule matches an existing one on key and resource type, nothing is added and the form just closes. No error, no duplicate row.
Global rules apply to every resource type
A rule labeled Global applies to every Azure resource type. Leave the resource-type field empty when adding a rule to make it Global.
Audit log records every change
Each add and remove writes an audit entry tagged with the user. Useful when reviewing why a default rule disappeared.
Troubleshooting
I added a rule but it's not hiding the changes I expected
What to check
Most likely the rule's Resource Type doesn't match the resource you're inspecting, or the path doesn't include the properties. prefix where it should.
Add the rule from the Changes diff instead. That flow auto-detects path vs. field-name and uses the exact path the diff shows. See Comparing Scans.
I deleted a default rule and now the diff is full of etag changes
What to check
Re-add it: Property Key = etag, Resource Type empty (Global), then Add Rule. The default rule list is documented to cover Azure platform metadata; removing entries from it is what causes platform churn to reappear.
The Add Rule dialog won't accept my path
What to check
Confirm the path matches one of the example formats shown in the dialog. The fastest way to avoid syntax issues is to add the rule from the Changes diff, where the eye-slash button uses the exact path automatically. See Comparing Scans.
I don't see the Add Rule or trash buttons
What to check
You don't have write access to ignore rules. Ask your tenant admin to update your role.
My search finds nothing but I know the rule exists
What to check
The search box only matches against the property key, not the resource type. Switch to the Filter by Resource Type dropdown to find rules by type, or shorten your search to a fragment of the key.