Azure Policy to Lock Subscriptions

Christophe Humbert 126 Reputation points
2022-10-12T08:26:48.057+00:00

Hello

I have created an Azure Policy to lock subscriptions (donotDelete) and assigned it at management group level, but compliance is failing, and remediation tasks are failing too.

{
  "properties": {
    "displayName": "TEst",
    "policyType": "Custom",
    "mode": "All",
    "metadata": {
      "version": "0.0.1",
      "category": "Guardrails",
      "createdBy": "f4498504-0463-41f6-a58f-02e9b1b07149",
      "createdOn": "2022-10-11T14:46:30.8507062Z",
      "updatedBy": "f4498504-0463-41f6-a58f-02e9b1b07149",
      "updatedOn": "2022-10-12T07:23:37.7611999Z"
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions"
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.Authorization/locks",
          "existenceCondition": {
            "field": "Microsoft.Authorization/locks/level",
            "equals": "CanNotDelete"
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
                "contentVersion": "1.0.0.0",
                "resources": [
                  {
                    "type": "Microsoft.Authorization/locks",
                    "apiVersion": "2017-04-01",
                    "name": "DenyDelete",
                    "properties": {
                      "level": "CanNotDelete",
                      "notes": "Prevents deletion of resource."
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/MGGroupTOP/providers/Microsoft.Authorization/policyDefinitions/1c9fbae1-b5db-47b3-951a-f2ee9393290e",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "1c9fbae1-b5db-47b3-951a-f2ee9393290e",
  "systemData": {
    "createdBy": "xxxx",
    "createdByType": "User",
    "createdAt": "2022-10-11T14:46:30.8341229Z",
    "lastModifiedBy": "xxxxx",
    "lastModifiedByType": "User",
    "lastModifiedAt": "2022-10-12T07:23:37.7366734Z"
  }
}


1 answer

  1. Jesse Loudon 336 Reputation points
    2022-11-07T01:13:28.903+00:00

    Hi @Christophe Humbert

    Because the related resource type (lock) within your ARM template can be deployed to multiple scopes, and you are assigning the policy at the management group level, I recommend adding the "scope" property to your ARM template in the policy, e.g.

    "scope": "[subscription().id]"  
    

    Here's what it looks like within a sample ARM template:

    {
      "type": "Microsoft.Authorization/locks",
      "apiVersion": "2020-05-01",
      "name": "string",
      "scope": "string",
      "properties": {
        "level": "string",
        "notes": "string",
        "owners": [
          {
            "applicationId": "string"
          }
        ]
      }
    }
    

    This should hopefully at least fix the remediation failure, assuming the policy assignment's managed identity has the required permissions to deploy resource locks to the subscriptions within your management group.


    Hope that helps,
    Jesse

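As an added example (not code from the question or the answer), the block below writes out the subscription-lock definition with the two deployIfNotExists `details` properties a practitioner would check alongside the answer's `scope` suggestion when the `if` block targets `Microsoft.Resources/subscriptions`: `existenceScope` and `deploymentScope`, both of which default to `resourceGroup`. It also carries a small offline lint, run here against the rule copied from the question and against the corrected rule. The lock name, display name, function names and the lint rules are illustrative assumptions; the role ID is the one from the question (built-in Owner).

```python
"""Subscription-lock deployIfNotExists definition plus an offline structural lint.

Added example, not code from the question or the answer. Assumptions (not on the
page): the lint encodes the DINE details properties existenceScope/deploymentScope;
lock name, display name and function names are illustrative.
"""

LOCK_LEVEL = "CanNotDelete"
SUBSCRIPTION_TYPE = "Microsoft.Resources/subscriptions"
LOCK_TYPE = "Microsoft.Authorization/locks"
# Role from the original post (built-in Owner).
ROLE_ID = ("/providers/Microsoft.Authorization/roleDefinitions/"
           "8e3af657-a8ff-443c-a75c-2fe8c4bcb635")


def lock_policy_rule(level=LOCK_LEVEL, lock_name="DenyDelete"):
    """policyRule that deploys a subscription-level lock to every subscription."""
    template = {
        # Subscription-level deployment template schema.
        "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "resources": [{"type": LOCK_TYPE, "apiVersion": "2020-05-01", "name": lock_name,
                       "properties": {"level": level, "notes": "Prevents deletion of the subscription."}}],
    }
    return {
        "if": {"field": "type", "equals": SUBSCRIPTION_TYPE},
        "then": {"effect": "deployIfNotExists", "details": {
            "type": LOCK_TYPE,
            # The evaluated resource is the subscription itself, so the existence check and
            # the deployment are pinned to subscription scope (both default to resourceGroup).
            "existenceScope": "subscription",
            "deploymentScope": "subscription",
            "existenceCondition": {"field": "Microsoft.Authorization/locks/level", "equals": level},
            "roleDefinitionIds": [ROLE_ID],
            "deployment": {"properties": {"mode": "incremental", "template": template}},
        }},
    }


def build_definition(display_name="Lock subscriptions (CanNotDelete)"):
    """Custom definition body; mode All is what a subscription-targeting rule needs."""
    return {"properties": {"displayName": display_name, "policyType": "Custom",
                           "mode": "All", "parameters": {}, "policyRule": lock_policy_rule()}}


def lint_subscription_dine(rule):
    """Return findings for a DINE rule; an empty list means every check passed.

    Structural checks only: nothing here talks to Azure.
    """
    findings = []
    cond = rule.get("if", {})
    # Accept a bare condition or the single-element allOf form used in the question.
    conds = cond.get("allOf", [cond])
    targets_sub = any(c.get("field") == "type" and c.get("equals") == SUBSCRIPTION_TYPE
                      for c in conds)
    then = rule.get("then", {})
    if str(then.get("effect", "")).lower() != "deployifnotexists":
        return ["effect is not deployIfNotExists"]
    details = then.get("details", {})
    if targets_sub:
        for key in ("existenceScope", "deploymentScope"):
            if str(details.get(key, "")).lower() != "subscription":
                findings.append(f"details.{key} is not 'subscription' although the if block "
                                f"targets {SUBSCRIPTION_TYPE}")
    if not details.get("roleDefinitionIds"):
        findings.append("details.roleDefinitionIds is empty; the remediation identity gets no role")
    template = details.get("deployment", {}).get("properties", {}).get("template", {})
    locks = [r for r in template.get("resources", []) if r.get("type") == LOCK_TYPE]
    if not locks:
        findings.append("template deploys no Microsoft.Authorization/locks resource")
    want = details.get("existenceCondition", {}).get("equals")
    for r in locks:
        have = r.get("properties", {}).get("level")
        if have != want:
            findings.append(f"lock level {have!r} does not match existenceCondition {want!r}")
    return findings


# The policyRule as posted in the question (no existenceScope / deploymentScope).
POSTED_RULE = {
    "if": {"allOf": [{"field": "type", "equals": SUBSCRIPTION_TYPE}]},
    "then": {"effect": "deployIfNotExists", "details": {
        "type": LOCK_TYPE,
        "existenceCondition": {"field": "Microsoft.Authorization/locks/level", "equals": "CanNotDelete"},
        "roleDefinitionIds": [ROLE_ID],
        "deployment": {"properties": {"mode": "incremental", "template": {
            "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
            "contentVersion": "1.0.0.0",
            "resources": [{"type": LOCK_TYPE, "apiVersion": "2017-04-01", "name": "DenyDelete",
                           "properties": {"level": "CanNotDelete", "notes": "Prevents deletion of resource."}}],
        }}},
    }},
}

if __name__ == "__main__":
    print("posted rule:", lint_subscription_dine(POSTED_RULE))
    print("example rule:", lint_subscription_dine(lock_policy_rule()))
```

The lint is deliberately conservative: it flags only the scope properties, a missing role, a template that deploys no lock, and a lock level that disagrees with the `existenceCondition` (which would make the policy redeploy on every remediation run). It cannot tell you whether the assignment's managed identity actually holds the role on each subscription; that still has to be checked against the role assignments in the tenant.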
