Describe the bug
As per the public doc - https://learn.microsoft.com/en-us/cli/azure/network/application-gateway/waf-policy/managed-rule/rule-set?view=azure-cli-latest
We can use the azure command without specifying the rule id's , but cli is throwing an error
PS /home/naga> az network application-gateway waf-policy managed-rule rule-set update --policy-name Maruthi3rdWAF-eastus2euap -g MaruthiRGNRP2-eastus2euap --type Microsoft_DefaultRuleSet --version 2.1 --group-name LFI
--rules and --rule-group-name must be provided at the same time
I tested in powershell and it worked
PS C:\Users\maruthikolli> $policy = Get-AzApplicationGatewayFirewallPolicy -Name "Maruthi3rdWAF-eastus2euap"
-ResourceGroupName "MaruthiRGNRP2-eastus2euap"
PS C:\Users\maruthikolli> $policy.ManagedRules.ManagedRuleSets[0].RuleGroupOverrides =
$policy.ManagedRules.ManagedRuleSets[0].RuleGroupOverrides | Where-Object { $_.RuleGroupName -ne "LFI" }
PS C:\Users\maruthikolli> Set-AzApplicationGatewayFirewallPolicy -InputObject $policy
ResourceGroupName Name Location
MaruthiRGNRP2-eastus2euap Maruthi3rdWAF-eastus2euap eastus2euap
PS C:\Users\maruthikolli> $policy = Get-AzApplicationGatewayFirewallPolicy -Name "Maruthi3rdWAF-eastus2euap"
-ResourceGroupName "MaruthiRGNRP2-eastus2euap"
PS C:\Users\maruthikolli> $lfiOverride = New-AzApplicationGatewayFirewallPolicyManagedRuleGroupOverride
-RuleGroupName "LFI"
PS C:\Users\maruthikolli> $rfiOverride = New-AzApplicationGatewayFirewallPolicyManagedRuleGroupOverride
-RuleGroupName "RFI"
PS C:\Users\maruthikolli> $policy.ManagedRules.ManagedRuleSets[0].RuleGroupOverrides = @($lfiOverride,
$rfiOverride)
PS C:\Users\maruthikolli> Set-AzApplicationGatewayFirewallPolicy -InputObject $policy
ResourceGroupName Name Location
MaruthiRGNRP2-eastus2euap Maruthi3rdWAF-eastus2euap eastus2euap
Verification:
PS C:\Users\maruthikolli> $policy.ManagedRules.ManagedRuleSets[0].RuleGroupOverrides | Format-Table RuleGroupName
RuleGroupName
LFI
RFI
Related command
az network application-gateway waf-policy managed-rule rule-set update --policy-name Maruthi3rdWAF-eastus2euap -g MaruthiRGNRP2-eastus2euap --type Microsoft_DefaultRuleSet --version 2.1 --group-name LFI
Errors
PS /home/naga> az network application-gateway waf-policy managed-rule rule-set update --policy-name Maruthi3rdWAF-eastus2euap -g MaruthiRGNRP2-eastus2euap --type Microsoft_DefaultRuleSet --version 2.1 --group-name LFI
--rules and --rule-group-name must be provided at the same time
Issue script & Debug output
PS /home/naga> az network application-gateway waf-policy managed-rule rule-set update --policy-name Maruthi3rdWAF-eastus2euap -g MaruthiRGNRP2-eastus2euap --type Microsoft_DefaultRuleSet --version 2.1 --group-name LFI
--rules and --rule-group-name must be provided at the same time
PS /home/naga> az network application-gateway waf-policy managed-rule rule-set update --policy-name Maruthi3rdWAF-eastus2euap -g MaruthiRGNRP2-eastus2euap --type Microsoft_DefaultRuleSet --version 2.1 --group-name LFI --debug
cli.knack.cli: Command arguments: ['network', 'application-gateway', 'waf-policy', 'managed-rule', 'rule-set', 'update', '--policy-name', 'Maruthi3rdWAF-eastus2euap', '-g', 'MaruthiRGNRP2-eastus2euap', '--type', 'Microsoft_DefaultRuleSet', '--version', '2.1', '--group-name', 'LFI', '--debug']
cli.knack.cli: init debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x7f180ebe7880>, <function OutputProducer.on_global_arguments at 0x7f180e8e7e20>, <function CLIQuery.on_global_arguments at 0x7f180e929260>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Using packaged command index for profile 'latest'.
cli.azure.cli.core: Found installed extension 'ml' (azext_mlv2).
cli.azure.cli.core: Blending packaged core index with local extension index.
cli.azure.cli.core: Modules found from index for 'network': ['azure.cli.command_modules.network', 'azure.cli.command_modules.privatedns']
cli.azure.cli.core: Loading command modules...
cli.azure.cli.core: Loaded command modules in parallel:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: privatedns 0.129 14 60
cli.azure.cli.core: network 0.510 124 386
cli.azure.cli.core: Total (2) 0.514 138 446
cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name Load Time Groups Commands Directory
cli.azure.cli.core: Total (0) 0.000 0 0
cli.azure.cli.core: Loaded 137 groups, 446 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : network application-gateway waf-policy managed-rule rule-set update
cli.azure.cli.core: Command table: network application-gateway waf-policy managed-rule rule-set update
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x7f180e675260>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/home/naga/.azure/commands/2026-04-27.15-38-59.network_application-gateway_waf-policy_managed-rule_rule-set_update.794.log'.
az_command_data_logger: command args: network application-gateway waf-policy managed-rule rule-set update --policy-name {} -g {} --type {} --version {} --group-name {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0x7f180e6beb60>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x7f180e6bf6a0>, <function register_global_policy_argument..add_global_policy_argument at 0x7f180e6bf7e0>, <function register_cache_arguments..add_cache_arguments at 0x7f180e6bf880>, <function register_upcoming_breaking_change_info..update_breaking_change_info at 0x7f180e6bf920>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x7f180e8e7ec0>, <function CLIQuery.handle_query_parameter at 0x7f180e929300>, <function register_ids_argument..parse_ids_arguments at 0x7f180e6bf740>]
cli.azure.cli.core.azclierror: Traceback (most recent call last):
File "/usr/lib64/az/lib/python3.12/site-packages/knack/cli.py", line 233, in invoke
cmd_result = self.invocation.execute(args)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib64/az/lib/python3.12/site-packages/azure/cli/core/commands/init.py", line 665, in execute
self._validation(expanded_arg)
File "/usr/lib64/az/lib/python3.12/site-packages/knack/invocation.py", line 111, in _validation
self._validate_cmd_level(parsed_ns, cmd_validator)
File "/usr/lib64/az/lib/python3.12/site-packages/azure/cli/core/commands/init.py", line 1001, in _validate_cmd_level
cmd_validator(**self._build_kwargs(cmd_validator, ns))
File "/usr/lib64/az/lib/python3.12/site-packages/azure/cli/command_modules/network/_validators.py", line 975, in process_appgw_waf_policy_update
raise CLIError('--rules and --rule-group-name must be provided at the same time')
knack.util.CLIError: --rules and --rule-group-name must be provided at the same time
cli.azure.cli.core.azclierror: --rules and --rule-group-name must be provided at the same time
az_command_data_logger: --rules and --rule-group-name must be provided at the same time
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7f180e6754e0>]
az_command_data_logger: exit code: 1
cli.main: Command ran in 0.776 seconds (init: 0.070, invoke: 0.706)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 4255 in cache file under /home/naga/.azure/telemetry/20260427153900207
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "/usr/bin/python3.12 /usr/lib/az/lib/python3.12/site-packages/azure/cli/telemetry/init.py /home/naga/.azure /home/naga/.azure/telemetry/20260427153900207"
telemetry.process: Return from creating process 805
telemetry.main: Finish creating telemetry upload process.
Expected behavior
No need to specify ruleId also . Basically ruleId should NOT be a mandatory option as exposed in the public doc https://learn.microsoft.com/en-us/cli/azure/network/application-gateway/waf-policy/managed-rule/rule-set?view=azure-cli-latest
Environment Summary
PS /home/naga> az --version
azure-cli 2.85.0
core 2.85.0
telemetry 1.1.0
Extensions:
ml 2.42.0
ssh 2.0.6
Dependencies:
msal 1.35.1
azure-mgmt-resource 24.0.0
Python location '/usr/bin/python3.12'
Config directory '/home/naga/.azure'
Extensions directory '/home/naga/.azure/cliextensions'
Extensions system directory '/usr/lib/python3.12/site-packages/azure-cli-extensions'
Python (Linux) 3.12.9 (main, Mar 26 2026, 23:21:55) [GCC 13.2.0]
Legal docs and information: aka.ms/AzureCliLegal
Your CLI is up-to-date.
PS /home/naga>
Additional context
No response
Describe the bug
As per the public doc - https://learn.microsoft.com/en-us/cli/azure/network/application-gateway/waf-policy/managed-rule/rule-set?view=azure-cli-latest
We can use the azure command without specifying the rule id's , but cli is throwing an error
PS /home/naga> az network application-gateway waf-policy managed-rule rule-set update --policy-name Maruthi3rdWAF-eastus2euap -g MaruthiRGNRP2-eastus2euap --type Microsoft_DefaultRuleSet --version 2.1 --group-name LFI
--rules and --rule-group-name must be provided at the same time
I tested in powershell and it worked
PS C:\Users\maruthikolli> $policy = Get-AzApplicationGatewayFirewallPolicy -Name "Maruthi3rdWAF-eastus2euap"
-ResourceGroupName "MaruthiRGNRP2-eastus2euap"
PS C:\Users\maruthikolli> $policy.ManagedRules.ManagedRuleSets[0].RuleGroupOverrides =
$policy.ManagedRules.ManagedRuleSets[0].RuleGroupOverrides | Where-Object { $_.RuleGroupName -ne "LFI" }
PS C:\Users\maruthikolli> Set-AzApplicationGatewayFirewallPolicy -InputObject $policy
ResourceGroupName Name Location
MaruthiRGNRP2-eastus2euap Maruthi3rdWAF-eastus2euap eastus2euap
PS C:\Users\maruthikolli> $policy = Get-AzApplicationGatewayFirewallPolicy -Name "Maruthi3rdWAF-eastus2euap"
-ResourceGroupName "MaruthiRGNRP2-eastus2euap"
PS C:\Users\maruthikolli> $lfiOverride = New-AzApplicationGatewayFirewallPolicyManagedRuleGroupOverride
-RuleGroupName "LFI"
PS C:\Users\maruthikolli> $rfiOverride = New-AzApplicationGatewayFirewallPolicyManagedRuleGroupOverride
-RuleGroupName "RFI"
PS C:\Users\maruthikolli> $policy.ManagedRules.ManagedRuleSets[0].RuleGroupOverrides = @($lfiOverride,
$rfiOverride)
PS C:\Users\maruthikolli> Set-AzApplicationGatewayFirewallPolicy -InputObject $policy
ResourceGroupName Name Location
MaruthiRGNRP2-eastus2euap Maruthi3rdWAF-eastus2euap eastus2euap
Verification:
PS C:\Users\maruthikolli> $policy.ManagedRules.ManagedRuleSets[0].RuleGroupOverrides | Format-Table RuleGroupName
RuleGroupName
LFI
RFI
Related command
az network application-gateway waf-policy managed-rule rule-set update --policy-name Maruthi3rdWAF-eastus2euap -g MaruthiRGNRP2-eastus2euap --type Microsoft_DefaultRuleSet --version 2.1 --group-name LFI
Errors
PS /home/naga> az network application-gateway waf-policy managed-rule rule-set update --policy-name Maruthi3rdWAF-eastus2euap -g MaruthiRGNRP2-eastus2euap --type Microsoft_DefaultRuleSet --version 2.1 --group-name LFI
--rules and --rule-group-name must be provided at the same time
Issue script & Debug output
PS /home/naga> az network application-gateway waf-policy managed-rule rule-set update --policy-name Maruthi3rdWAF-eastus2euap -g MaruthiRGNRP2-eastus2euap --type Microsoft_DefaultRuleSet --version 2.1 --group-name LFI
--rules and --rule-group-name must be provided at the same time
PS /home/naga> az network application-gateway waf-policy managed-rule rule-set update --policy-name Maruthi3rdWAF-eastus2euap -g MaruthiRGNRP2-eastus2euap --type Microsoft_DefaultRuleSet --version 2.1 --group-name LFI --debug
cli.knack.cli: Command arguments: ['network', 'application-gateway', 'waf-policy', 'managed-rule', 'rule-set', 'update', '--policy-name', 'Maruthi3rdWAF-eastus2euap', '-g', 'MaruthiRGNRP2-eastus2euap', '--type', 'Microsoft_DefaultRuleSet', '--version', '2.1', '--group-name', 'LFI', '--debug']
cli.knack.cli: init debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x7f180ebe7880>, <function OutputProducer.on_global_arguments at 0x7f180e8e7e20>, <function CLIQuery.on_global_arguments at 0x7f180e929260>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Using packaged command index for profile 'latest'.
cli.azure.cli.core: Found installed extension 'ml' (azext_mlv2).
cli.azure.cli.core: Blending packaged core index with local extension index.
cli.azure.cli.core: Modules found from index for 'network': ['azure.cli.command_modules.network', 'azure.cli.command_modules.privatedns']
cli.azure.cli.core: Loading command modules...
cli.azure.cli.core: Loaded command modules in parallel:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: privatedns 0.129 14 60
cli.azure.cli.core: network 0.510 124 386
cli.azure.cli.core: Total (2) 0.514 138 446
cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name Load Time Groups Commands Directory
cli.azure.cli.core: Total (0) 0.000 0 0
cli.azure.cli.core: Loaded 137 groups, 446 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : network application-gateway waf-policy managed-rule rule-set update
cli.azure.cli.core: Command table: network application-gateway waf-policy managed-rule rule-set update
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x7f180e675260>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/home/naga/.azure/commands/2026-04-27.15-38-59.network_application-gateway_waf-policy_managed-rule_rule-set_update.794.log'.
az_command_data_logger: command args: network application-gateway waf-policy managed-rule rule-set update --policy-name {} -g {} --type {} --version {} --group-name {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0x7f180e6beb60>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x7f180e6bf6a0>, <function register_global_policy_argument..add_global_policy_argument at 0x7f180e6bf7e0>, <function register_cache_arguments..add_cache_arguments at 0x7f180e6bf880>, <function register_upcoming_breaking_change_info..update_breaking_change_info at 0x7f180e6bf920>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x7f180e8e7ec0>, <function CLIQuery.handle_query_parameter at 0x7f180e929300>, <function register_ids_argument..parse_ids_arguments at 0x7f180e6bf740>]
cli.azure.cli.core.azclierror: Traceback (most recent call last):
File "/usr/lib64/az/lib/python3.12/site-packages/knack/cli.py", line 233, in invoke
cmd_result = self.invocation.execute(args)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib64/az/lib/python3.12/site-packages/azure/cli/core/commands/init.py", line 665, in execute
self._validation(expanded_arg)
File "/usr/lib64/az/lib/python3.12/site-packages/knack/invocation.py", line 111, in _validation
self._validate_cmd_level(parsed_ns, cmd_validator)
File "/usr/lib64/az/lib/python3.12/site-packages/azure/cli/core/commands/init.py", line 1001, in _validate_cmd_level
cmd_validator(**self._build_kwargs(cmd_validator, ns))
File "/usr/lib64/az/lib/python3.12/site-packages/azure/cli/command_modules/network/_validators.py", line 975, in process_appgw_waf_policy_update
raise CLIError('--rules and --rule-group-name must be provided at the same time')
knack.util.CLIError: --rules and --rule-group-name must be provided at the same time
cli.azure.cli.core.azclierror: --rules and --rule-group-name must be provided at the same time
az_command_data_logger: --rules and --rule-group-name must be provided at the same time
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7f180e6754e0>]
az_command_data_logger: exit code: 1
cli.main: Command ran in 0.776 seconds (init: 0.070, invoke: 0.706)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 4255 in cache file under /home/naga/.azure/telemetry/20260427153900207
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "/usr/bin/python3.12 /usr/lib/az/lib/python3.12/site-packages/azure/cli/telemetry/init.py /home/naga/.azure /home/naga/.azure/telemetry/20260427153900207"
telemetry.process: Return from creating process 805
telemetry.main: Finish creating telemetry upload process.
Expected behavior
No need to specify ruleId also . Basically ruleId should NOT be a mandatory option as exposed in the public doc https://learn.microsoft.com/en-us/cli/azure/network/application-gateway/waf-policy/managed-rule/rule-set?view=azure-cli-latest
Environment Summary
PS /home/naga> az --version
azure-cli 2.85.0
core 2.85.0
telemetry 1.1.0
Extensions:
ml 2.42.0
ssh 2.0.6
Dependencies:
msal 1.35.1
azure-mgmt-resource 24.0.0
Python location '/usr/bin/python3.12'
Config directory '/home/naga/.azure'
Extensions directory '/home/naga/.azure/cliextensions'
Extensions system directory '/usr/lib/python3.12/site-packages/azure-cli-extensions'
Python (Linux) 3.12.9 (main, Mar 26 2026, 23:21:55) [GCC 13.2.0]
Legal docs and information: aka.ms/AzureCliLegal
Your CLI is up-to-date.
PS /home/naga>
Additional context
No response