Restrict Non-Owners from changing the Collaboration branch of Azure Data Factory using Azure Policy

Question

Restrict Non-Owners from changing the Collaboration branch of Azure Data Factory using Azure Policy

Praveen Sreeram 1

We would like to impose the following restrictions on Azure Data Factory.






We were able to achieve the #1 feature using the below policy

   {
      "mode": "All",
      "policyRule": {
      "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.DataFactory/factories"
        },
        {
          "field": "name",
          "equals": "adfproject-dev-df1"
        },
        {
          "field": "Microsoft.DataFactory/factories/repoConfiguration.collaborationBranch",
          "notEquals": "develop"
        }
      ]
    },
    "then": {
      "effect": "deny"
    }   
  } ,
  "parameters": {}
}
However, the below rule (within the allOf condition/array) for #2 is not working. any pointers would be of great help.

 "field": "Microsoft.Authorization/roleAssignments/principalRole",
 "notEquals": "Owner"


Thanks, Praveen

PRADEEPCHEEKATLA 90,661 Reputation points Moderator

2023-02-28T06:47:18.6466667+00:00

@Praveen Sreeram We received your feedback that the answer provided on the thread was not helpful.

Kindly let us know what we could have done better to improve the answer and make your engagement experience good. We are here to help you and strive to make your experience better and greatly value your feedback.

Our engineer has provided a detailed answer for which you are looking for.

If you wish, you may re-surveying/rating for the engagement you received on the thread. Your feedback is very important to us.

Looking forward to you reply. Much appreciate your feedback!

Regards,

PRADEEPCHEEKATLA-MSFT

1 answer

Your answer

PRADEEPCHEEKATLA 90,661 Reputation points Moderator

2023-02-28T06:47:18.6466667+00:00

@Praveen Sreeram We received your feedback that the answer provided on the thread was not helpful.

Kindly let us know what we could have done better to improve the answer and make your engagement experience good. We are here to help you and strive to make your experience better and greatly value your feedback.

Our engineer has provided a detailed answer for which you are looking for.

If you wish, you may re-surveying/rating for the engagement you received on the thread. Your feedback is very important to us.

Looking forward to you reply. Much appreciate your feedback!

Regards,

PRADEEPCHEEKATLA-MSFT

Answer 1

ShaikMaheer-MSFT 38,551 Microsoft Employee Moderator

Hi Praveen Sreeram,

Thank you for posting this question in Microsoft Q&A Platform.

Usually, best practice is not allow commits in Collaboration branch. And this can achieve from Azure DevOps Branch policies and making it read only.

Consider following below steps.

Navigate your project and then to your repo and then to branch. Click on branch policies

User's image

**Set the policy as below. User's image

**

This will stop commits on collaboration branch. Hope this helps. Please let me know more details if this is not the case with yours.

Please consider hitting Accept Answer button. Accepted answers help community as well.

Praveen Sreeram 1 Reputation point

2023-02-24T07:27:26.4733333+00:00

Hi Maheer,

Part (few bullet points) of my question is somehow trimmed automatically even after updating multiple times.

Let me elaborate here. We have a ADF resource which is being used by multiple teams with 500+ developers who are part of Azure Custom Role.

The "develop" branch is the collaboration branch set will proper policies. Developer work on feature branch and raise PR to develop branch.

The problem is that some of the developers are changing the collaboration branch from develop to something else :-(

So, we would like to restrict that using Azure Policies. We were able to achieve this using the Azure policy specified in my original question.

Now, the administrators (whose role is Contributor on ADF service) should be able to change the collaboration branch if required. we are not able to configure this rule in the Azure Policy to achieve this functionality. I have provided the same in my original question.

Could you please let me know if it's feasible to achieve that?

Hope it's clear now.

FYI, Bullet points are not visible after submitting the question. I have posted the same question in Stackoverflow

https://stackoverflow.com/questions/75515933/restrict-non-owners-from-changing-the-collaboration-branch-of-azure-data-factory

Thanks,

Praveen Sreeram

https://praveenkumarsreeram.com
ShaikMaheer-MSFT 38,551 Reputation points Microsoft Employee Moderator

2023-02-24T08:17:28.45+00:00

Hi Praveen Sreeram, Thanks for providing more clarity on ask now.

Instead of having all users in one customer role and then apply policy on them, I feel you can consider creating another custom role in which you can add users who are allowed to change collaboration branch. And don't have Azure policy on the role.

That way this new custom role users are free to change collaboration branch as well.

Hope this helps. Please let me know if any further queries.

Please consider hitting Accept Answer button and Press Yes for the Was answer helpful? survey question. Accepted answers help community as well.
ShaikMaheer-MSFT 38,551 Reputation points Microsoft Employee Moderator

2023-02-27T06:15:01.76+00:00

Hi Praveen Sreeram, Just checking if above helps? If yes, Please consider hitting Accept Answer button and also consider hitting yes for Was answer helpful? question. Please feel free to share if any other workarounds you found. That helps community as well. Thank you.

Share via

Restrict Non-Owners from changing the Collaboration branch of Azure Data Factory using Azure Policy

1 answer

Your answer