Hello @Tanul!
Can you try the following:
One way to do this is to use policy exemptions, which allow you to exclude specific resources or resource groups from policy enforcement. To create a policy exemption, you would need to create a new policy assignment with a higher priority than the policy that you want to bypass, and then configure the policy assignment to exclude the specific resources or resource groups that you want to exempt.
To exclude specific AD users or AD groups from policy enforcement, you can use the "NotIn" condition in your policy rules to exclude the user or group from the policy scope. For example, you could create a policy rule that requires AKS resources to be created in a specific resource group, but exclude a specific AD group from the policy scope:
    {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.ContainerService/ManagedClusters"
          },
          {
            "not": {
              "field": "tags['ExcludeFromPolicy']",
              "equals": "True"
            }
          },
          {
            "not": {
              "field": "owner",
              "in": "[parameters('ExcludedADGroups')]"
            }
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
Here, the policy rule denies the creation of AKS resources if they are not tagged with "ExcludeFromPolicy" or if the resource owner is not a member of an AD group specified in the "ExcludedADGroups" parameter.
If the Answer is helpful, please click "Accept Answer" and upvote it.
Regards
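To see how the `allOf`, `not`, `equals` and `in` conditions in the rule above combine for a given resource, here is a small Python evaluator. It is an added illustration, not part of the answer, the thread or Azure's own tooling. It loads the rule exactly as posted, resolves the `[parameters('ExcludedADGroups')]` reference against a constructed parameter set, and runs it over constructed resource dicts. The `ExcludedADGroups` values and the sample resources are assumptions; `owner` is read as a plain key on the constructed dict rather than through Azure's alias resolution, and string comparison is done case-insensitively, as Azure Policy's string conditions do.

```python
"""Toy evaluator for the Azure Policy rule shape used in the answer above.

Supports the operators the posted rule uses (allOf, not, equals, in) plus anyOf
and notIn, and resolves [parameters('name')] references against an assignment's
parameter values. All resources and parameter values below are constructed.
"""
import re

# The policy rule from the answer, as posted.
POLICY_RULE = {
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.ContainerService/ManagedClusters"},
            {"not": {"field": "tags['ExcludeFromPolicy']", "equals": "True"}},
            {"not": {"field": "owner", "in": "[parameters('ExcludedADGroups')]"}},
        ]
    },
    "then": {"effect": "deny"},
}

_PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")
_TAG_FIELD = re.compile(r"^tags\['([^']+)'\]$")


def resolve(value, params):
    """Replace a [parameters('x')] string with the assignment's value for x."""
    if isinstance(value, str):
        m = _PARAM_REF.match(value)
        if m:
            return params[m.group(1)]
    return value


def field_value(resource, field):
    """Look a field up on a constructed resource dict.

    tags['k'] reads resource['tags'][k]; any other field is read as a top-level
    key. Real Azure Policy resolves property aliases; this toy lookup does not.
    """
    m = _TAG_FIELD.match(field)
    if m:
        return (resource.get("tags") or {}).get(m.group(1))
    return resource.get(field)


def _norm(v):
    # Azure Policy compares strings case-insensitively; mirror that here.
    return v.casefold() if isinstance(v, str) else v


def evaluate(cond, resource, params):
    """Return True when the condition matches the resource."""
    if "allOf" in cond:
        return all(evaluate(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource, params)
    actual = field_value(resource, cond["field"])
    if "equals" in cond:
        return _norm(actual) == _norm(resolve(cond["equals"], params))
    if "in" in cond:
        return _norm(actual) in [_norm(v) for v in resolve(cond["in"], params)]
    if "notIn" in cond:
        return _norm(actual) not in [_norm(v) for v in resolve(cond["notIn"], params)]
    raise ValueError(f"unsupported condition: {cond}")


def effect_for(resource, params, rule=POLICY_RULE):
    """Return the rule's effect ('deny') when its 'if' matches, else None."""
    return rule["then"]["effect"] if evaluate(rule["if"], resource, params) else None


# Constructed assignment parameters and resources (assumed values, not from the thread).
SAMPLE_PARAMS = {"ExcludedADGroups": ["aks-admins", "platform-team"]}
SAMPLE_RESOURCES = {
    "aks-plain": {"type": "Microsoft.ContainerService/ManagedClusters", "owner": "dev-team", "tags": {}},
    "aks-tag-exempt": {"type": "Microsoft.ContainerService/ManagedClusters", "owner": "dev-team",
                       "tags": {"ExcludeFromPolicy": "true"}},
    "aks-owner-exempt": {"type": "Microsoft.ContainerService/ManagedClusters", "owner": "AKS-Admins", "tags": {}},
    "storage": {"type": "Microsoft.Storage/storageAccounts", "owner": "dev-team", "tags": {}},
}


def evaluate_samples(resources=SAMPLE_RESOURCES, params=SAMPLE_PARAMS):
    """Map each sample resource name to the effect the rule applies to it."""
    return {name: effect_for(res, params) for name, res in resources.items()}


if __name__ == "__main__":
    for name, effect in evaluate_samples().items():
        print(f"{name}: {effect or 'no match'}")
```

Because every branch of the `allOf` must hold, the rule only denies an AKS cluster that is neither tagged `ExcludeFromPolicy` nor owned by one of the listed groups; clearing either condition makes the whole `if` false and the deny no longer applies. Running the evaluator over a planned resource is a quick way to check that a tag- or parameter-based exemption actually excludes what you intend before assigning the policy.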