Automatically add newly created subscriptions to Azure Auromation Managed Identity

Question

In Azure Automation, running task to enable soft delete across all subscription.
For running across subscriptions, I have to add all the subscriptions to the Identity with the permission.
Let's assume if we are creating new subscriptions it should be added automatically to the Identity.
I tried and it's seems like not possible through Azure Automation.
Any suggestions?
I have code to get all the subscriptions and add it to identity but I want to run it scheduled and In Azure environment if possible.

Answer 1

The solution I tend to use is create a Management Group structure in Azure where you assign a role to the managed identity at the management group level and place the subscription in that management group, you will be able to manage the resources within the subscription without having to do a lot of individual role assignments.

See the documentation on Management Groups for details.

Answer 2

HI there,

You can't start managing the subscriptions by using Azure Automation without adding to them be managed by Azure Automation (which requires to have Managed Identity enabled).

You can do this by using powershell, but outside of azure automation account, for example in Azure DevOps pipelines (but it will require to have at least a contributor role as well)
https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/howto-assign-access-powershell

Answer 3

What are you enabling Soft Delete for?

The better option may be to implement an Azure policy:

https://www.azadvertizer.net/azpolicyadvertizer_all.html#%7B%22col_9%22%3A%7B%7D%2C%22col_3%22%3A%7B%22flt%22%3A%22soft%20delete%22%7D%7D

And deploy at the Management group level.

Here is a policy for KeyVault: https://github.com/Azure/Community-Policy/blob/787e019dc24562374688c07e38fd062ab841058a/Policies/KeyVault/deploy-soft-delete-and-purge-protection/azurepolicy.json#L3