Yes, it is possible to develop an Azure policy that denies role assignments to specific principal types unless they are authorized by designated users.

Here is an example of a policy definition that accomplishes this:

```json
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Authorization/roleAssignments"
        },
        {
          "not": {
            "field": "Microsoft.Authorization/roleAssignments/principalType",
            "equals": "ServicePrincipal"
          }
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {
    "authorizedUsers": {
      "type": "Array",
      "metadata": {
        "description": "List of authorized users who can assign roles to non-service principals"
      }
    }
  }
}
```

This policy denies any role assignments where the principal type is not a Service Principal. However, there is a parameter called authorizedUsers that allows for specific users to be authorized to assign roles to non-service principals.

To use this policy, you would need to assign it to a scope (such as a subscription or resource group), and include the list of authorized users as a parameter when you create the policy assignment.
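Before assigning a deny policy to a live scope it is worth exercising the rule offline against sample role-assignment requests. The evaluator below is an added example, not code from the original answer or from Azure Policy itself; it reimplements just the subset of the rule grammar the policy uses (`allOf`, `not`, `field`, `equals`, `notIn` and `[parameters('…')]` references) and the two role-assignment aliases the rule needs. Two caveats it makes visible: a bare `principalType` field name does not resolve to anything on a role assignment (only the full alias does), so a rule written that way denies service principals too; and a policy rule only sees the request body, never the identity of the caller, so an `authorizedUsers` list declared as a parameter does nothing unless the rule references it. The example therefore assumes the exception is expressed as a list of exempt principal IDs (`exemptPrincipalIds`, a hypothetical parameter name) checked with `notIn`; a caller-based exception is granted through a policy exemption at assignment time instead. All request bodies and IDs are constructed placeholders.

```python
"""Offline evaluator for an Azure Policy 'deny role assignment' rule.

Added example, not code from the original answer. Reproduces only the rule
grammar the policy uses so it can be tested against constructed request
bodies before being assigned to a real scope.
"""
import re

# Alias -> path inside the request body. The two role-assignment aliases are
# the documented Azure Policy aliases; 'type' is the top-level resource type.
ALIASES = {
    "type": ("type",),
    "Microsoft.Authorization/roleAssignments/principalType": ("properties", "principalType"),
    "Microsoft.Authorization/roleAssignments/principalId": ("properties", "principalId"),
}

PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def resolve_value(value, params):
    """Replace a "[parameters('name')]" reference with the assigned value."""
    if isinstance(value, str):
        match = PARAM_REF.match(value)
        if match:
            return params[match.group(1)]
    return value


def resolve_field(resource, field):
    """Walk the request body along the alias path; unknown or missing -> None."""
    node = resource
    for key in ALIASES.get(field, (field,)):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def evaluate(cond, resource, params):
    """Return True when the condition matches the request body."""
    if "allOf" in cond:
        return all(evaluate(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource, params)
    actual = resolve_field(resource, cond["field"])
    if "equals" in cond:
        return actual == resolve_value(cond["equals"], params)
    if "in" in cond:
        return actual in resolve_value(cond["in"], params)
    if "notIn" in cond:
        return actual not in resolve_value(cond["notIn"], params)
    raise ValueError(f"unsupported condition: {cond}")


def decide(policy, resource, params):
    """'deny' when the if-block matches; otherwise the request passes ('allow')."""
    rule = policy["policyRule"]
    return rule["then"]["effect"] if evaluate(rule["if"], resource, params) else "allow"


def make_policy(principal_type_field):
    """Build the deny rule. The field name is a parameter only so that the
    effect of a wrong alias can be demonstrated in the tests."""
    return {
        "mode": "All",  # role assignments carry no tags/location, so 'Indexed' would skip them
        "policyRule": {
            "if": {"allOf": [
                {"field": "type", "equals": "Microsoft.Authorization/roleAssignments"},
                {"not": {"field": principal_type_field, "equals": "ServicePrincipal"}},
                # Assumption: the exception is a list of exempt principal IDs, the
                # only identity present in the request body the rule can inspect.
                {"field": "Microsoft.Authorization/roleAssignments/principalId",
                 "notIn": "[parameters('exemptPrincipalIds')]"},
            ]},
            "then": {"effect": "deny"},
        },
        "parameters": {"exemptPrincipalIds": {"type": "Array", "defaultValue": []}},
    }


POLICY = make_policy("Microsoft.Authorization/roleAssignments/principalType")


def role_assignment(principal_type, principal_id):
    """Constructed role-assignment request body (placeholder IDs, no real tenant)."""
    return {
        "type": "Microsoft.Authorization/roleAssignments",
        "properties": {
            "principalType": principal_type,
            "principalId": principal_id,
            "roleDefinitionId": "/placeholder/roleDefinitions/contributor",
        },
    }


SP_REQUEST = role_assignment("ServicePrincipal", "00000000-0000-0000-0000-00000000aaaa")
USER_REQUEST = role_assignment("User", "00000000-0000-0000-0000-00000000bbbb")
GROUP_REQUEST = role_assignment("Group", "00000000-0000-0000-0000-00000000cccc")
PARAMS = {"exemptPrincipalIds": ["00000000-0000-0000-0000-00000000bbbb"]}

if __name__ == "__main__":
    for name, req in [("SP", SP_REQUEST), ("user", USER_REQUEST), ("group", GROUP_REQUEST)]:
        print(f"{name}: {decide(POLICY, req, PARAMS)}")
```

Running the module shows the service principal and the exempted user pass while the group is denied; swapping in `make_policy("principalType")` shows why the full alias matters, since the bare name resolves to nothing and every role assignment, service principals included, is then denied.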