Restrict Non-Owners from changing the Collaboration branch of Azure Data Factory using Azure Policy

Praveen Sreeram 1 Reputation point
2023-02-22T05:51:14.7966667+00:00
We would like to impose the following restrictions on Azure Data Factory.






We were able to achieve the #1 feature using the below policy

    {
      "mode": "All",
      "policyRule": {
        "if": {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.DataFactory/factories"
            },
            {
              "field": "name",
              "equals": "adfproject-dev-df1"
            },
            {
              "field": "Microsoft.DataFactory/factories/repoConfiguration.collaborationBranch",
              "notEquals": "develop"
            }
          ]
        },
        "then": {
          "effect": "deny"
        }
      },
      "parameters": {}
    }

However, the below rule (within the allOf condition/array) for #2 is not working. Any pointers would be of great help.

 "field": "Microsoft.Authorization/roleAssignments/principalRole",
 "notEquals": "Owner"


Thanks, Praveen
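
The `if` block of the policy posted above can be exercised offline against sample payloads. This is an added example, not part of the original post and not Azure's own evaluator: it models only `allOf`, `equals` and `notEquals`, and the alias-to-`properties` mapping, the `factory` helper and the sample payloads are assumptions constructed for the sketch.

```python
import json

# "if" block copied from the policy posted in the question.
POLICY_IF = json.loads("""
{"allOf": [
  {"field": "type", "equals": "Microsoft.DataFactory/factories"},
  {"field": "name", "equals": "adfproject-dev-df1"},
  {"field": "Microsoft.DataFactory/factories/repoConfiguration.collaborationBranch",
   "notEquals": "develop"}
]}
""")

def resolve(resource, field):
    """Assumption of this sketch: alias '<type>/a.b' maps to properties.a.b."""
    if field in ("type", "name"):
        return resource.get(field)
    node = resource.get("properties", {})
    for part in field.rsplit("/", 1)[-1].split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node

def same(a, b):
    # equals/notEquals compare strings case-insensitively.
    return a is not None and str(a).lower() == str(b).lower()

def matches(cond, resource):
    """Evaluate only the operators the posted rule uses."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    value = resolve(resource, cond["field"])
    if "equals" in cond:
        return same(value, cond["equals"])
    if "notEquals" in cond:
        # A property that is absent is "not equal", so it matches as well.
        return not same(value, cond["notEquals"])
    raise ValueError(f"condition not modelled: {cond}")

def factory(name, branch=None):
    """Constructed sample payload; branch=None means no repoConfiguration."""
    props = {"repoConfiguration": {"collaborationBranch": branch}} if branch else {}
    return {"type": "Microsoft.DataFactory/factories", "name": name, "properties": props}

def effect(resource):
    return "deny" if matches(POLICY_IF, resource) else "allow"

if __name__ == "__main__":
    for f in (factory("adfproject-dev-df1", "develop"), factory("adfproject-dev-df1", "main"),
              factory("adfproject-dev-df1"), factory("other-df", "main")):
        print(f["name"], f["properties"], "->", effect(f))
```

The third constructed case shows that, in this model, a factory with no `repoConfiguration` at all also matches the `notEquals` condition.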

1 answer

  1. ShaikMaheer-MSFT 38,551 Reputation points Microsoft Employee Moderator
    2023-02-24T06:51:27.1933333+00:00

    Hi Praveen Sreeram,

    Thank you for posting this question in Microsoft Q&A Platform.

    Usually, the best practice is to not allow commits in the collaboration branch. This can be achieved with Azure DevOps branch policies, making it read-only.

    Consider following the steps below.

    Navigate to your project, then to your repo, and then to the branch. Click on branch policies.

    **Set the policy as below.**

    This will stop commits on the collaboration branch. Hope this helps. Please let me know more details if this is not the case with yours.


    Please consider hitting the Accept Answer button. Accepted answers help the community as well.

