Share via

Disallowing users to modify the Network Security Group, Firewall and VNET settings in my Azure Subscriptions?

EnterpriseArchitect 5,406 Reputation points
2024-07-25T13:42:50.6566667+00:00

I wanted to restrict the ability for the users to add and modify the NSG rule for all users, except the member of the Azure cloud-only group called "Network-Team".

This policy must be enforced for all Network settings like NSG, VNET or firewall rules to prevent users from adding their home public IP address to access Azure Databases.

How can I configure and where to start in the Azure portal?

Thanks in advance.

Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,506 questions
Azure Policy
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
916 questions
Microsoft Defender for Cloud
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
1,411 questions
Microsoft Entra
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,094 questions
Accepted answer
  1. Prashant Kumar 780 Reputation points Microsoft Employee
    2024-07-26T07:58:56.9066667+00:00

    Hi ,

    Unfortunately, Azure policy cannot be used for this requirement.

    Azure Policy and RBAC are two different things, and they work differently.

    Azure policy when applied on any scope, it will work the same for all the users with whatever permissions/role user has. It does not differentiate based on the role and does not allow any exception for any set of users/groups.

    For e.g. if you apply a policy to deny users from creating a resource or modify any resource property value, then the policy will block the create/update request for all the users. whether they are Owner, Contributor, or any other.

    Azure policy does not allow any exception based on the user's role or permissions.

    Reference Article: https://techcommunity.microsoft.com/t5/itops-talk-blog/governance-101-the-difference-between-rbac-and-policies/ba-p/1015556

    You can limit access to the users by only assigning them the required minimum RBAC built-in or custom role. so that only a set of allowed users can manage that resource.

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Sina Salam 12,011 Reputation points
    2024-07-25T20:21:16.25+00:00

    Hello EnterpriseArchitect,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    Problem

    I understand that you would like to restrict users from modifying Network Security Group (NSG) rules, Virtual Network (VNET), or firewall rules in Azure, and to ensure only members of the "Network-Team" group can make these changes.

    Solution

    To restrict users from modifying Network Security Group (NSG) rules, Virtual Network (VNET), or firewall rules in Azure, and to ensure only members of the "Network-Team" group can make these changes, you can implement Role-Based Access Control (RBAC) and Azure Policy.

    1. Firstly, you will need to create the "Network-Team" Group in Azure AD if you have not. To do this: in Azure Portal > Azure Active Directory > Groups > New Group. Create a group named "Network-Team" and add the appropriate members.
    2. Assign Roles to "Network-Team" Group from Azure Portal > Subscriptions > Select your subscription > Access control (IAM). Then, add role assignment such as:
      1. Role: Network Contributor (or a custom role with the necessary permissions)
      2. Assign Access to: Azure AD user, group, or service principal
      3. Select: "Network-Team" group. This role will allow members of the "Network-Team" to manage NSGs, VNETs, and firewall rules.
    3. Ensure that no other users or groups have roles like "Network Contributor" or similar permissions at the subscription, resource group, or resource level, except where necessary.
    4. Now at this point, you will need to enforce the policy and prevent users, you can use Azure Policy to control network configurations.
      1. Azure Portal > Policy > Definitions > + Policy Definition.
        1. Select your subscription or management group.
        2. Name: Restrict Network Modifications.
        3. Policy to restrict modifications to network resources by unauthorized users.
        4. Category: Networking.
        5. Policy Rule: Use JSON policy definitions to restrict modifications to network resources like NSGs, VNETs, and firewall rules. 
                   {
                    "if": {
                      "allOf": [
                        {
                          "field": "type",
                          "equals": "Microsoft.Network/networkSecurityGroups"
                        },
                        {
                          "not": {
                            "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix",
                            "equals": "Internet"
                          }
                        }
                      ]
                    },
                    "then": {
                      "effect": "deny"
                    }
                  }
          Assign the Policy, by select appropriate Scope of your subscription or resource group level. Also, excluded Principals. like adding the "Network-Team" group to exclude them from the policy.

    Accept Answer

    I hope this is helpful! Do not hesitate to let me know if you have any other questions.

    ** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful ** so that others in the community facing similar issues can easily find the solution.

    Best Regards,

    Sina Salam

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.