Azure ARM policy to deny role assignments only for resource group owners not for admins and Sub owners

Question

Azure ARM policy to deny role assignments only for resource group owners not for admins and Sub owners

Nazeer Basha 6

I have a requirement where I need to deny only owners of the resource group to do new role assignments or changes to existing role assignments.

Resource group contributors and readers anyways cannot do any role assignments/modifications.

Role assignments/modifications should be done by Subscription level and Management level Owners only and of course by Admins.

I did followed this github article but there is no way to restrict only owners of resource group.

https://github.com/Azure/azure-policy/blob/master/samples/Authorization/allowed-role-definitions/azurepolicy.json

I create below policy but this denies everyone to role assignments/modifications:

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Authorization/roleAssignments"
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  },
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Effect of this Azure Policy - Audit, Deny or Disabled"
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Deny"
    }
  }
}

In a nut shell, my requirement is:

Check if user is resource group owner
if Yes - deny "role assignments"
If No - Allow "role assignments" for for Admins and Subscription owners - that is default. All other users will anyways cannot do role assignments (like contributors and readers)

Is there any way in Azure Policies to get the "user scope", like what access level the user has- RG owner or subscription owner or Admin, etc.

Ananya Shrivastava 20

Hi @Stanislav Zhelyazkov ,
i have a question:
{ "mode": "All",

"policyRule": {

"if": {

  "allOf": [

    {

      "field": "type",

      "equals": "Microsoft.Authorization/roleAssignments"

    }

  ]

},

"then": {

  "effect": "[parameters('effect')]"

}
  },

  "parameters": {

"effect": {
  "type": "String",
  "metadata": {
    "displayName": "Effect",
    "description": "Effect of this Azure Policy -Deny
  },
  "allowedValues": [
    "Deny"
  ],
  "defaultValue": "Deny"
}
  }

}  
  
I want to deny anyone who is creating a role assignment on an RG1  
I created the above policy, now my question is what if someone is creating role assignment at parent RG2 or subscription. The role assignment permission will get propagated. I don't want that. I don't want any role assignment on RG1, inherited or direct.

1 answer

Your answer

Ananya Shrivastava 20 Reputation points

2025-03-31T07:23:57.2466667+00:00

Hi @Stanislav Zhelyazkov ,
i have a question:
{ "mode": "All",

"policyRule": {

"if": { "allOf": [ { "field": "type", "equals": "Microsoft.Authorization/roleAssignments" } ] }, "then": { "effect": "[parameters('effect')]" } }, "parameters": { "effect": { "type": "String", "metadata": { "displayName": "Effect", "description": "Effect of this Azure Policy -Deny }, "allowedValues": [ "Deny" ], "defaultValue": "Deny" } } } I want to deny anyone who is creating a role assignment on an RG1 I created the above policy, now my question is what if someone is creating role assignment at parent RG2 or subscription. The role assignment permission will get propagated. I don't want that. I don't want any role assignment on RG1, inherited or direct.

Answer 1

Stanislav Zhelyazkov 28,426 MVP Volunteer Moderator

Hi,
I think what you are trying to do is not possible via Azure Policy. It sounds like you want to have another RBAC/IAM mechanism on top of the built-in one by using Azure Policy.
What I wonder why you need because if a user has permissions on the resource group and he does not have permissions that allow role assignments (like built-in roles Owner or User Access Administrator) that user will not be able to do role assignments. By default, even on a higher level if the user is not with permissions like Owner or User Access Administrator, he/she will not be able to do role assignments. This means that what you are trying to achieve is already available via Azure RBAC/IAM and you do not need to do anything special besides giving the correct roles/permissions to the user who should do those actions.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2022-05-26T17:29:54.11+00:00

@Nazeer Basha
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?
Nazeer Basha 6 Reputation points

2022-05-30T08:30:05.06+00:00

Thank you, Stan for the response. As per you, I need to create new RBAC role like "Custom owner" that will not have access to do role assignments on the Resource Group level. I too see that is the only way for now.
But the challenge with this approach is to modify all the existing users from "Owner" access to "Custom Owner" role. Is there any easy way we can upgrade all existing Owners to Custom Owners?

The reason we want to prevent only Resource Group Owners to do any role assignments is we want every one to use our custom UI portal where assignments is done and only Admins and Subscription owners should be allowed to use Azure Portal.
Stanislav Zhelyazkov 28,426 Reputation points MVP Volunteer Moderator

2022-05-30T09:23:52.46+00:00

Hi,
Everything can be automated via automation tools like Az PowerShell module or Az CLI. It is a matter of writing custom script that serves your needs. It is up to you if you want to use custom roles or the built-in roles. For me it is not logical if you didn't want those users to have permissions to assign access to give them built-in Owner role. Contributor basically has the same permissions minus the assigning access. I cannot comment on your custom UI Portal but even if something like this was possible via Azure Policy will affect your custom UI portal as well as Azure Policy sits on top of Azure Resource Manager and applies no matter if you are using Azure Portal, ARM REST API, Az CLI, Az PS, etc.
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2022-06-01T16:50:19.683+00:00

@Nazeer Basha
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

----------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

Share via

Azure ARM policy to deny role assignments only for resource group owners not for admins and Sub owners

1 answer

Your answer