What it is
An Azure Firewall Policy, a full set of network, application, and NAT rule collections, that is not attached to any Azure Firewall and has no child policies inheriting from it. Every rule inside it is dead configuration.
Why it happens
Firewall Policies are decoupled from firewalls by design so they can be authored, versioned, and reused. That same decoupling lets them outlive their purpose: a firewall is rebuilt against a new policy, a parent-child hierarchy is flattened, or a policy is drafted for a deployment that never ships. Azure exposes read-only back-references (properties.firewalls and properties.childPolicies), and an orphan is one where both are empty, meaning nothing enforces its rules and nothing inherits them.
The trap is that an orphaned policy looks exactly as complete and authoritative as a live one. It has the same carefully written rule collections, the same threat-intel settings, the same DNAT rules. Someone auditing the environment can mistake it for the policy in force, or edit it believing a change will take effect, when in reality it is enforcing nothing anywhere.
What it costs / blast radius
A standalone Firewall Policy has no meter of its own, so this is not a cost problem. The harm is a governance and security-hygiene one: a detailed, convincing ruleset that enforces nothing invites exactly the wrong conclusion during a review, and can absorb edits that quietly go nowhere. Dead security configuration is worse than none, because it looks like protection. (Authored assessment of Azure behavior.)
See it
Resources
| where type =~ 'microsoft.network/firewallpolicies'
| where array_length(properties.firewalls) == 0
    and array_length(properties.childPolicies) == 0
| project name, resourceGroup, subscriptionId, location,
    sku = tostring(properties.sku.tier)

# Confirm no firewall should reference it, then remove the orphan.
az network firewall policy delete \
  --name legacy-egress-policy \
  --resource-group rg-network

How StratoLens helps
StratoLens automatically and continuously flags, across every subscription in your tenant, Firewall Policies that no firewall uses and no child policy inherits, so a dead ruleset cannot be mistaken for the one that is actually protecting traffic. You see which policies are enforced and which are just detailed drafts nobody wired up.
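The Resource Graph query in "See it" keeps a row only when both back-reference arrays have length zero. One consequence worth knowing before acting on its output: KQL's array_length() returns null for an absent or null array, and a null predicate excludes the row, so a policy whose back-references are simply missing from the snapshot never shows up as an orphan. The script below is an added example, not code from the page or from the StratoLens product. It re-implements the same classification offline over constructed sample rows shaped like the "data" array that `az graph query -o json` returns (an assumed shape; the resource ids are placeholders), separates the four states a policy can be in (enforced, parent, orphan, unknown), and emits the matching az CLI delete commands as a dry-run list for review rather than running anything. The `--subscription` flag is a real az global option; every row and id in SAMPLE_ROWS is constructed.

```python
"""Offline re-implementation of the orphan-policy check from the Resource Graph query.

Constructed sample data and assumed output shape; not StratoLens code.
"""
import json
import shlex
from typing import Any

# Constructed rows mimicking `az graph query ... -o json`'s "data" array for a query
# that projects name, resourceGroup, subscriptionId and the raw properties bag.
# Subscription ids and resource ids are placeholders.
SAMPLE_ROWS: list[dict[str, Any]] = [
    {   # attached to a firewall: live, must never be deleted
        "name": "prod-egress-policy", "resourceGroup": "rg-network",
        "subscriptionId": "00000000-0000-0000-0000-000000000001",
        "properties": {
            "firewalls": [{"id": "/subscriptions/placeholder/resourceGroups/rg-network"
                                 "/providers/Microsoft.Network/azureFirewalls/azfw-prod"}],
            "childPolicies": [], "sku": {"tier": "Premium"}},
    },
    {   # attached to nothing, but a child inherits it: still live
        "name": "base-policy", "resourceGroup": "rg-network",
        "subscriptionId": "00000000-0000-0000-0000-000000000001",
        "properties": {
            "firewalls": [],
            "childPolicies": [{"id": "/subscriptions/placeholder/resourceGroups/rg-network"
                                     "/providers/Microsoft.Network/firewallPolicies/prod-egress-policy"}],
            "sku": {"tier": "Premium"}},
    },
    {   # both back-references present and empty: the orphan the page describes
        "name": "legacy-egress-policy", "resourceGroup": "rg-network",
        "subscriptionId": "00000000-0000-0000-0000-000000000003",
        "properties": {"firewalls": [], "childPolicies": [], "sku": {"tier": "Standard"}},
    },
    {   # back-references absent from the snapshot: the KQL filter silently skips this
        "name": "draft-policy", "resourceGroup": "rg-sandbox",
        "subscriptionId": "00000000-0000-0000-0000-000000000003",
        "properties": {"sku": {"tier": "Standard"}},
    },
]


def load_rows(graph_json: str) -> list[dict[str, Any]]:
    """Parse `az graph query -o json` output (assumed to carry the rows under "data")."""
    return json.loads(graph_json)["data"]


def classify(row: dict[str, Any]) -> str:
    """Return one of: enforced, parent, orphan, unknown.

    Mirrors the query's array_length() logic, but makes the null case explicit
    instead of letting it vanish from the result set.
    """
    props = row.get("properties") or {}
    firewalls = props.get("firewalls")
    children = props.get("childPolicies")
    if firewalls is None or children is None:
        return "unknown"    # array_length() would be null here; KQL drops the row
    if len(firewalls) > 0:
        return "enforced"   # at least one Azure Firewall applies these rules
    if len(children) > 0:
        return "parent"     # no firewall, but a child policy inherits it
    return "orphan"         # nothing enforces it and nothing inherits it


def find_orphans(rows: list[dict[str, Any]], include_unknown: bool = False) -> list[str]:
    """Names of dead policies; optionally also those whose back-references were missing."""
    wanted = {"orphan", "unknown"} if include_unknown else {"orphan"}
    return [r["name"] for r in rows if classify(r) in wanted]


def delete_commands(rows: list[dict[str, Any]], include_unknown: bool = False) -> list[str]:
    """Dry run: build the az CLI deletes for human review. Nothing is executed here."""
    by_name = {r["name"]: r for r in rows}
    cmds = []
    for name in find_orphans(rows, include_unknown):
        r = by_name[name]
        cmds.append(
            "az network firewall policy delete"
            f" --name {shlex.quote(r['name'])}"
            f" --resource-group {shlex.quote(r['resourceGroup'])}"
            f" --subscription {shlex.quote(r['subscriptionId'])}"
        )
    return cmds


if __name__ == "__main__":
    rows = load_rows(json.dumps({"data": SAMPLE_ROWS}))
    for r in rows:
        print(f"{r['name']:24} {classify(r)}")
    print("\nreview before running:")
    for cmd in delete_commands(rows, include_unknown=True):
        print("  " + cmd)
```

To run it against a real tenant, pipe `az graph query -q "<the query above, projecting properties instead of sku>" -o json` into `load_rows` (the Resource Graph extension is needed: `az extension add --name resource-graph`). Treat the "unknown" bucket as a prompt to re-query or inspect the policy with `az network firewall policy show`, not as a delete candidate.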