Can you develop an Azure policy that denies role assignments to specific principal types, unless they are authorized by designated users?

asked 2022-09-08 11:00:00 +0000


1 Answer


answered 2021-06-17 05:00:00 +0000


Yes, it is possible to develop an Azure policy that denies role assignments to specific principal types unless they are authorized by designated users.

Here is an example of a policy definition that accomplishes this:

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Authorization/roleAssignments"
        },
        {
          "not": {
            "field": "Microsoft.Authorization/roleAssignments/principalType",
            "equals": "ServicePrincipal"
          }
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {
    "authorizedUsers": {
      "type": "Array",
      "metadata": {
        "description": "List of authorized users who can assign roles to non-service principals"
      }
    }
  }
}

This policy denies any role assignments where the principal type is not a Service Principal. However, there is a parameter called authorizedUsers that allows for specific users to be authorized to assign roles to non-service principals.

To use this policy, you would need to assign it to a scope (such as a subscription or resource group), and include the list of authorized users as a parameter when you create the policy assignment.

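An added example (my own code, not the answer's or Microsoft's): the definition rewritten with mode All and the role-assignment aliases Azure Policy actually exposes, plus a small evaluator for the subset of the policy language it uses, so the deny/allow outcome can be checked against constructed sample assignments before the policy is assigned. Azure Policy evaluates the role-assignment resource, not the identity creating it, so the exception list holds principal object IDs that may still receive assignments; the parameter name exemptPrincipalIds is assumed.

```python
import re
# Corrected definition (added example): mode "All", since Indexed mode skips non-tag-bearing
# types such as role assignments, and the real Microsoft.Authorization/roleAssignments/* aliases.
# Policy sees the assignment resource, not the caller, so the exception list holds principal
# object IDs that may still receive assignments (the parameter name is assumed).
POLICY = {
    "mode": "All",
    "parameters": {"exemptPrincipalIds": {"type": "Array", "defaultValue": [],
        "metadata": {"description": "Object IDs of principals that may still receive role assignments"}}},
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Authorization/roleAssignments"},
            {"not": {"field": "Microsoft.Authorization/roleAssignments/principalType",
                     "equals": "ServicePrincipal"}},
            {"field": "Microsoft.Authorization/roleAssignments/principalId",
             "notIn": "[parameters('exemptPrincipalIds')]"}]},
        "then": {"effect": "deny"}}}

def _resolve(value, params):
    """Expand a [parameters('name')] reference; anything else is a literal."""
    m = re.fullmatch(r"\[parameters\('(\w+)'\)\]", value) if isinstance(value, str) else None
    return params[m.group(1)] if m else value

def _field(request, path):
    """'type' is the resource type; an alias path maps to a property of the request body."""
    return request["type"] if path == "type" else request.get("properties", {}).get(path.rsplit("/", 1)[1])

def _eq(a, b):
    """Azure Policy compares strings case-insensitively."""
    return a.lower() == b.lower() if isinstance(a, str) and isinstance(b, str) else a == b

def evaluate(cond, request, params):
    """Minimal evaluator for the allOf / not / equals / in / notIn subset the policy uses."""
    if "allOf" in cond:
        return all(evaluate(c, request, params) for c in cond["allOf"])
    if "not" in cond:
        return not evaluate(cond["not"], request, params)
    actual = _field(request, cond["field"])
    if "equals" in cond:
        return _eq(actual, _resolve(cond["equals"], params))
    hit = any(_eq(actual, v) for v in _resolve(cond.get("in", cond.get("notIn")), params))
    return hit if "in" in cond else not hit

def effect(policy, request, params):
    """Return 'deny' when the rule matches the request, else None (the request is allowed)."""
    rule = policy["policyRule"]
    return rule["then"]["effect"] if evaluate(rule["if"], request, params) else None

def role_assignment(principal_type, principal_id):
    """Constructed sample request in the shape ARM hands to policy evaluation."""
    return {"type": "Microsoft.Authorization/roleAssignments",
            "properties": {"principalType": principal_type, "principalId": principal_id}}
```

Run effect(POLICY, role_assignment("User", "<object id>"), {"exemptPrincipalIds": [...]}) to see which constructed assignments the rule would deny; user and group assignees are denied unless their object ID is in the exception list, service principals pass.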

Last updated: Jun 17 '21