Yes, it is possible to develop an Azure policy that denies role assignments to specific principal types unless they are authorized by designated users.
Here is an example of a policy definition that accomplishes this:
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Authorization/roleAssignments"
        },
        {
          "not": {
            "field": "Microsoft.Authorization/roleAssignments/principalType",
            "equals": "ServicePrincipal"
          }
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {
    "authorizedUsers": {
      "type": "Array",
      "metadata": {
        "description": "List of authorized users who can assign roles to non-service principals"
      }
    }
  }
}
This policy denies any role assignments where the principal type is not a Service Principal. However, there is a parameter called authorizedUsers
that allows for specific users to be authorized to assign roles to non-service principals.
To use this policy, you would need to assign it to a scope (such as a subscription or resource group), and include the list of authorized users as a parameter when you create the policy assignment.
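To see what the deny rule above actually does before assigning it, here is a small offline simulation, added as an example and not code from the original answer. It re-implements a subset of the Azure Policy condition grammar (allOf / anyOf / not, field with equals / notEquals / in / notIn, and [parameters('name')] references) and runs the rule against constructed role-assignment resources. The alias name Microsoft.Authorization/roleAssignments/principalType and mode "All" are assumptions about how the definition would be written; the real evaluation is done by Azure Resource Manager, not this script. Note that the rule itself never references the authorizedUsers parameter, so in this simulation the parameter has no effect on the outcome.

```python
"""Offline simulation of an Azure Policy deny rule for role assignments.

Added example. Supports: allOf, anyOf, not, field + equals/notEquals/in/notIn,
and [parameters('name')] references. String comparisons are case-insensitive,
as in Azure Policy. Everything below (policy, parameters, resources) is
constructed sample data.
"""
import re
from typing import Any

# Assumed form of the definition: mode "All" is needed because role
# assignments carry no tags/location, and the alias carries the type prefix.
POLICY = {
    "mode": "All",
    "policyRule": {
        "if": {
            "allOf": [
                {"field": "type",
                 "equals": "Microsoft.Authorization/roleAssignments"},
                {"not": {
                    "field": "Microsoft.Authorization/roleAssignments/principalType",
                    "equals": "ServicePrincipal"}},
            ]
        },
        "then": {"effect": "deny"},
    },
}

# Parameter values as they would be supplied at assignment time (constructed).
PARAMS = {"authorizedUsers": ["alice@contoso.example", "bob@contoso.example"]}

# Constructed role-assignment resources, one per principal type.
SAMPLE_ASSIGNMENTS = {
    "ServicePrincipal": {
        "type": "Microsoft.Authorization/roleAssignments",
        "properties": {"principalType": "ServicePrincipal",
                       "principalId": "11111111-1111-1111-1111-111111111111"},
    },
    "User": {
        "type": "Microsoft.Authorization/roleAssignments",
        "properties": {"principalType": "User",
                       "principalId": "22222222-2222-2222-2222-222222222222"},
    },
    "Group": {
        "type": "Microsoft.Authorization/roleAssignments",
        "properties": {"principalType": "Group",
                       "principalId": "33333333-3333-3333-3333-333333333333"},
    },
}

_PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def resolve(value: Any, params: dict) -> Any:
    """Replace a [parameters('x')] reference with the supplied parameter value."""
    if isinstance(value, str):
        m = _PARAM_REF.match(value)
        if m:
            return params[m.group(1)]
    return value


def _norm(value: Any) -> Any:
    """Azure Policy compares strings case-insensitively."""
    return value.lower() if isinstance(value, str) else value


def field_value(resource: dict, field: str) -> Any:
    """'type' is the resource type; any other field is treated as an alias
    <type>/<property> and looked up in the resource's properties bag.
    (The real engine requires a registered alias; this lookup is lenient.)"""
    if field == "type":
        return resource.get("type")
    prop = field.rsplit("/", 1)[-1]
    return resource.get("properties", {}).get(prop)


def evaluate(cond: dict, resource: dict, params: dict) -> bool:
    if "allOf" in cond:
        return all(evaluate(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource, params)
    actual = _norm(field_value(resource, cond["field"]))
    if "equals" in cond:
        return actual == _norm(resolve(cond["equals"], params))
    if "notEquals" in cond:
        return actual != _norm(resolve(cond["notEquals"], params))
    if "in" in cond:
        return actual in [_norm(v) for v in resolve(cond["in"], params)]
    if "notIn" in cond:
        return actual not in [_norm(v) for v in resolve(cond["notIn"], params)]
    raise ValueError(f"unsupported condition: {cond}")


def decide(policy: dict, resource: dict, params: dict) -> str:
    """Return the effect ('deny') when the 'if' block matches, else 'allow'."""
    rule = policy["policyRule"]
    if evaluate(rule["if"], resource, params):
        return rule["then"]["effect"].lower()
    return "allow"


def simulate() -> dict:
    """Decision per sample principal type."""
    return {name: decide(POLICY, res, PARAMS)
            for name, res in SAMPLE_ASSIGNMENTS.items()}


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name:17s} -> {outcome}")
```

Running it shows the ServicePrincipal assignment allowed and the User and Group assignments denied, while a resource of any other type (for example a storage account) is never matched by the first allOf clause and therefore passes untouched.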
Asked: 2022-09-08 11:00:00 +0000