Azure ARM policy to deny role assignments only for resource group owners not for admins and Sub owners

Nazeer Basha 6 Reputation points
2022-05-20T12:13:45.427+00:00

I have a requirement where I need to deny only owners of the resource group to do new role assignments or changes to existing role assignments.

Resource group contributors and readers anyways cannot do any role assignments/modifications.

Role assignments/modifications should be done by Subscription level and Management level Owners only and of course by Admins.

I followed this GitHub article, but there is no way to restrict only owners of the resource group.

https://github.com/Azure/azure-policy/blob/master/samples/Authorization/allowed-role-definitions/azurepolicy.json

I created the policy below, but it denies everyone role assignments/modifications:

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Authorization/roleAssignments"
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  },
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Effect of this Azure Policy - Audit, Deny or Disabled"
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Deny"
    }
  }
}

In a nutshell, my requirement is:

  1. Check if the user is a resource group owner
  2. If yes - deny "role assignments"
  3. If no - allow "role assignments" for Admins and Subscription owners - that is the default. All other users (like contributors and readers) cannot do role assignments anyway.

Is there any way in Azure Policy to get the "user scope", i.e. what access level the user has (RG owner, subscription owner, Admin, etc.)?


1 answer

  1. Stanislav Zhelyazkov 28,426 Reputation points MVP Volunteer Moderator
    2022-05-25T12:02:50.187+00:00

    Hi,
    I think what you are trying to do is not possible via Azure Policy. It sounds like you want to have another RBAC/IAM mechanism on top of the built-in one by using Azure Policy.
    What I wonder is why you need this, because if a user has permissions on the resource group and does not have permissions that allow role assignments (like the built-in roles Owner or User Access Administrator), that user will not be able to do role assignments. By default, even at a higher level, if the user does not have permissions like Owner or User Access Administrator, he/she will not be able to do role assignments. This means that what you are trying to achieve is already available via Azure RBAC/IAM, and you do not need to do anything special besides giving the correct roles/permissions to the users who should do those actions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    2 people found this answer helpful.
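As an added example (not code from the question or the answer above), the following Python model shows how Azure RBAC decides whether a principal may write a role assignment, which is the check the answer relies on: a role's effective actions are its Actions minus its NotActions (with `*` wildcards, case-insensitive), and an assignment covers only its own scope and everything beneath it. The role definitions are constructed, abbreviated approximations of the built-in Owner, Contributor, Reader and User Access Administrator roles; the subscription id and resource group names are placeholders; and "RG Admin (no IAM)" is a hypothetical custom role illustrating the alternative the answer points at: instead of trying to block resource group Owners with a policy, grant an Owner-like custom role that excludes Microsoft.Authorization writes.

```python
import re
from dataclasses import dataclass

# The control-plane action that creating or changing a role assignment requires.
ROLE_ASSIGNMENT_WRITE = "Microsoft.Authorization/roleAssignments/write"


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple
    not_actions: tuple = ()


@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    role: RoleDefinition
    scope: str  # e.g. "/subscriptions/<id>/resourceGroups/<name>"


def _pattern_matches(pattern: str, action: str) -> bool:
    # Azure RBAC action strings: '*' matches any run of characters, matching ignores case.
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, flags=re.IGNORECASE) is not None


def role_permits(role: RoleDefinition, action: str) -> bool:
    # Effective permission = Actions minus NotActions.
    allowed = any(_pattern_matches(p, action) for p in role.actions)
    excluded = any(_pattern_matches(p, action) for p in role.not_actions)
    return allowed and not excluded


def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    # An assignment applies at its own scope and is inherited by every child scope.
    a = assignment_scope.lower().rstrip("/")
    t = target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def can_write_role_assignment(principal: str, assignments, target_scope: str) -> bool:
    return any(
        ra.principal == principal
        and scope_covers(ra.scope, target_scope)
        and role_permits(ra.role, ROLE_ASSIGNMENT_WRITE)
        for ra in assignments
    )


def principals_who_can_assign(assignments, target_scope: str):
    # Defender's view: who is able to change IAM at a given scope?
    return sorted({ra.principal for ra in assignments
                   if can_write_role_assignment(ra.principal, assignments, target_scope)})


# Constructed approximations of built-in roles (NotActions lists abbreviated).
OWNER = RoleDefinition("Owner", ("*",))
CONTRIBUTOR = RoleDefinition("Contributor", ("*",), (
    "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/elevateAccess/Action",
))
READER = RoleDefinition("Reader", ("*/read",))
USER_ACCESS_ADMIN = RoleDefinition("User Access Administrator",
                                   ("*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"))
# Hypothetical custom role: everything Owner can do inside the group except touching IAM.
RG_ADMIN_NO_IAM = RoleDefinition("RG Admin (no IAM)", ("*",), (
    "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/*/Delete",
))

# Placeholder scopes (constructed sample data).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_APP = SUB + "/resourceGroups/rg-app"
RG_OTHER = SUB + "/resourceGroups/rg-other"

SAMPLE_ASSIGNMENTS = (
    RoleAssignment("sub-owner", OWNER, SUB),
    RoleAssignment("rg-owner", OWNER, RG_APP),
    RoleAssignment("rg-uaa", USER_ACCESS_ADMIN, RG_APP),
    RoleAssignment("rg-contrib", CONTRIBUTOR, RG_APP),
    RoleAssignment("rg-reader", READER, RG_APP),
    RoleAssignment("rg-admin", RG_ADMIN_NO_IAM, RG_APP),
)

if __name__ == "__main__":
    for scope in (SUB, RG_APP, RG_OTHER):
        print(f"{scope}: {principals_who_can_assign(SAMPLE_ASSIGNMENTS, scope)}")
```

Running it shows the point of the answer: Contributor, Reader and the custom role cannot write role assignments at all, the group-scoped Owner and User Access Administrator can do so only inside rg-app (not at the subscription or in rg-other), and only the subscription-scoped Owner can assign everywhere. Azure Policy, by contrast, only sees the role assignment resource being created and has no field for the caller's own access level, which is why the policy in the question denies everyone.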
