Yes, it is possible to develop an Azure policy that denies role assignments to specific principal types unless they are authorized by designated users.
Here is an example of a policy definition that accomplishes this:
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Authorization/roleAssignments"
        },
        {
          "not": {
            "field": "Microsoft.Authorization/roleAssignments/principalType",
            "equals": "ServicePrincipal"
          }
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {
    "authorizedUsers": {
      "type": "Array",
      "metadata": {
        "description": "List of authorized users who can assign roles to non-service principals"
      }
    }
  }
}
This policy denies any role assignments where the principal type is not a Service Principal. However, there is a parameter called authorizedUsers that allows for specific users to be authorized to assign roles to non-service principals.
To use this policy, you would need to assign it to a scope (such as a subscription or resource group), and include the list of authorized users as a parameter when you create the policy assignment.
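Before assigning a definition like the one above, it is worth linting it for defects that the Azure API does not reject up front but that make a policy silently ineffective. The script below is an added example, not code from the answer or from Microsoft; it checks three things: parameters that are declared but never referenced from `policyRule` (the `authorizedUsers` parameter in the definition above is one, so it cannot influence evaluation), a `mode` of `Indexed` used against `Microsoft.Authorization/roleAssignments` (role assignments carry no tags or location, so `Indexed` never evaluates them and `All` is required), and bare property names used where a full alias such as `Microsoft.Authorization/roleAssignments/principalType` is needed. The set of built-in field names is taken from the Azure Policy definition structure documentation; the embedded sample is the definition as originally posted, constructed here as a string.

```python
"""Lint an Azure Policy definition for common defects before assigning it.

Added example; it is not part of the original answer. It flags parameters
that are declared but never referenced, a mode that never evaluates the
targeted resource type, and property names used as bare field names
instead of full aliases.
"""
import json
import re

# Fields Azure Policy accepts without a full alias (per the policy definition
# structure docs); anything else must be written as Provider/type/property.
BUILTIN_FIELDS = {"name", "fullName", "kind", "type", "location", "id", "identity.type"}
# Matches "[parameters('name')]" references inside a serialised policyRule.
PARAM_REF = re.compile(r"\[parameters\('([^']+)'\)\]")
ROLE_ASSIGNMENT_TYPE = "Microsoft.Authorization/roleAssignments"


def _dicts(node):
    """Yield every dict nested anywhere inside a JSON-like structure."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _dicts(value)
    elif isinstance(node, list):
        for item in node:
            yield from _dicts(item)


def lint_policy(definition: dict) -> list:
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    rule = definition.get("policyRule", {})

    # 1. Parameters: a declared-but-unused parameter cannot influence evaluation;
    #    a referenced-but-undeclared one fails at assignment time.
    declared = set(definition.get("parameters", {}))
    referenced = set(PARAM_REF.findall(json.dumps(rule)))
    for name in sorted(declared - referenced):
        findings.append(f"parameter '{name}' is declared but never referenced in policyRule")
    for name in sorted(referenced - declared):
        findings.append(f"parameter '{name}' is referenced but not declared")

    # 2. Mode: 'Indexed' only evaluates resource types that support tags and
    #    location; role assignments do not, so they need mode 'All'.
    targeted_types = {
        d["equals"] for d in _dicts(rule)
        if d.get("field") == "type" and isinstance(d.get("equals"), str)
    }
    if ROLE_ASSIGNMENT_TYPE in targeted_types and definition.get("mode") != "All":
        findings.append(
            f"mode is {definition.get('mode')!r} but {ROLE_ASSIGNMENT_TYPE} "
            "is only evaluated in mode 'All'"
        )

    # 3. Field names: a bare property such as 'principalType' is not an alias
    #    and never matches; it must be written as Provider/type/property.
    for d in _dicts(rule):
        field = d.get("field")
        if (isinstance(field, str) and "/" not in field
                and field not in BUILTIN_FIELDS and not field.startswith("tags")):
            findings.append(f"field '{field}' is neither a built-in field nor a full alias")
    return findings


# Constructed sample: the definition as originally posted, with its defects intact.
POLICY_AS_POSTED = json.loads("""
{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "allOf": [
        {"field": "type", "equals": "Microsoft.Authorization/roleAssignments"},
        {"not": {"field": "principalType", "equals": "ServicePrincipal"}}
      ]
    },
    "then": {"effect": "deny"}
  },
  "parameters": {
    "authorizedUsers": {
      "type": "Array",
      "metadata": {"description": "List of authorized users who can assign roles to non-service principals"}
    }
  }
}
""")

if __name__ == "__main__":
    for finding in lint_policy(POLICY_AS_POSTED):
        print("-", finding)
```

Running it against the posted definition reports three findings (the unreferenced parameter, the `Indexed` mode, and the bare `principalType` field); switching the mode to `All` and using the full alias clears two of them, while the unused parameter remains flagged until the rule actually references it with `[parameters('authorizedUsers')]`.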