How to exclude a group of users in an azure policy from deny action

Omer Jesus Gonzalez Vizcaino 0

current situation: there is a zure policy with deny action that prohibits the deletion of resource groups and resources.

requirement: create a user group in azure in which every member of that group is excluded from the azure policy deny action

SwathiDhanwada-MSFT 18,771 Reputation points

2024-03-18T04:57:39.2866667+00:00

@Omer Jesus Gonzalez Vizcaino Did you get chance to look into my previous comment ? Let me know if you have further questions.
SwathiDhanwada-MSFT 18,771 Reputation points

2024-03-20T11:28:11.3933333+00:00

@Omer Jesus Gonzalez Vizcaino Hope the information provided is helpful. Kindly revert if you have further questions.

1 answer

SwathiDhanwada-MSFT 18,771 Reputation points

2024-03-15T09:06:27.36+00:00
@Omer Jesus Gonzalez Vizcaino Groups cannot be sent as a parameter in Azure Policy. However, you can use the "If" function in the policy definition to conditionally apply the policy based on the list of users.

Here is snippet of policy code.

{ not: { field: "Microsoft.Authorization/roleAssignments/principalId", in: "[parameters('principalIds')]" } }
Please sign in to rate this answer.
Andy Lau Pik Hui 70 Reputation points

2024-06-12T09:27:53.0266667+00:00

Hi Swathi, I am getting below error, could you please assist to check on this

The 'field' property 'Microsoft.Authorization/roleAssignments[].principalId' of the policy rule does not exist as an alias under provider 'Microsoft.Authorization'. Please see https://github.com/Azure/azure-policy/blob/master/1-contribution-guide/request-alias.md to request new aliases.*
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Your answer