A new effect is available in Azure Policy: denyAction. As its name suggests, it lets you deny an action (a delete) when someone tries to perform it directly on a resource. The subtlety is that when the action happens through a parent resource, such as the deletion of the whole resource group, you can choose to authorize it.
What is it good for, you ask?
Well, the main use I see is for child resources such as the IP/firewall rules of PostgreSQL servers or Key Vault, but also the diagnostic settings on your resources:
Here is an example policy rule for the diagnostic settings case:
{
  "if": {
    "field": "type",
    "equals": "Microsoft.Insights/diagnosticSettings"
  },
  "then": {
    "effect": "denyAction",
    "details": {
      "actionNames": ["delete"]
    }
  }
}
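To make the direct-versus-cascaded distinction concrete, here is an added example (not code from the original post) that embeds the rule above, extended with the optional cascadeBehaviors block that the snippet omits, and runs a small simplified model of how a denyAction rule resolves a few constructed delete requests. The evaluator is a toy written for this post, not Azure's policy engine; it handles only field/equals conditions and the delete action. The cascadeBehaviors default of "deny" follows Azure's documented behaviour when the block is absent.

```python
import copy
import json

# The page's rule plus the optional cascadeBehaviors block (assumed here; the
# original snippet omits it). "allow" lets the diagnostic setting disappear
# when its parent (for example the resource group) is deleted, while a direct
# DELETE on the setting itself is still refused.
POLICY_RULE = json.loads("""
{
  "if": {
    "field": "type",
    "equals": "Microsoft.Insights/diagnosticSettings"
  },
  "then": {
    "effect": "denyAction",
    "details": {
      "actionNames": ["delete"],
      "cascadeBehaviors": {
        "delete": "allow"
      }
    }
  }
}
""")


def matches(condition: dict, resource: dict) -> bool:
    """Evaluate the subset of policy conditions used here (field/equals).
    Simplified model for illustration, not the real policy language."""
    if "field" in condition and "equals" in condition:
        return resource.get(condition["field"]) == condition["equals"]
    raise ValueError("unsupported condition in this toy evaluator")


def evaluate(rule: dict, resource: dict, action: str, cascaded: bool) -> str:
    """Return 'deny' or 'allow' for one request against one denyAction rule.

    resource : {'type': ...} as seen by the policy engine
    action   : 'delete' is the only action denyAction currently supports
    cascaded : True when the delete is a side effect of deleting a parent
               (e.g. the resource group) rather than a direct DELETE call
    """
    then = rule["then"]
    if then["effect"].lower() != "denyaction":
        raise ValueError("only denyAction rules are modelled")
    if not matches(rule["if"], resource):
        return "allow"  # rule does not target this resource type
    details = then["details"]
    if action not in details["actionNames"]:
        return "allow"  # e.g. a PUT/PATCH is not covered by denyAction
    if cascaded:
        # Documented default: cascaded deletes are denied unless allowed.
        return details.get("cascadeBehaviors", {}).get("delete", "deny")
    return "deny"


def with_cascade(rule: dict, behavior: str) -> dict:
    """Return a copy of the rule with cascadeBehaviors.delete set to behavior."""
    new_rule = copy.deepcopy(rule)
    new_rule["then"]["details"]["cascadeBehaviors"] = {"delete": behavior}
    return new_rule


# Constructed sample requests (not real Azure traffic).
DIAG = {"type": "Microsoft.Insights/diagnosticSettings"}
VM = {"type": "Microsoft.Compute/virtualMachines"}


def demo() -> dict:
    """Resolve a handful of constructed requests; returns label -> verdict."""
    strict = with_cascade(POLICY_RULE, "deny")
    return {
        "direct delete of a diagnostic setting": evaluate(POLICY_RULE, DIAG, "delete", cascaded=False),
        "delete via resource group removal (allow)": evaluate(POLICY_RULE, DIAG, "delete", cascaded=True),
        "delete via resource group removal (deny)": evaluate(strict, DIAG, "delete", cascaded=True),
        "direct delete of a VM (rule not applicable)": evaluate(VM and POLICY_RULE, VM, "delete", cascaded=False),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

The point to take away is the third line of output: with cascadeBehaviors set to "deny" (or omitted), a resource group delete that would sweep away a protected diagnostic setting is refused as a whole, so pick "allow" deliberately when you only want to stop targeted deletes.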