How to prevent user from deploying Bicep file to Azure via CLI?
I created a Bicep file that I intended to use only by myself or someone with, say, the right privileges that I explicitly granted. I log in via the CLI: az login, choose my account, and deploy my script, in this case, via the command:
az deployment tenant create --name "redacted" --location eastus --template-file main.bicep --parameters main.parameters.json
Obviously, that works as I'm the global admin and gave myself Owner permission over the root tenant /.
However, I wanted to test out whether or not a "normal" user could do the same thing. The goal is to prevent say an employee or whatever person without the right permissions from being able to also deploy said file.
So, I logged out, then did an "az login" with my test user account that I created in MS365 for business (which creates a user account in Azure AD). When I chose the test account to login with, the response was "No subscriptions found for..." which makes sense. HOWEVER, to my dismay, I found I was able to actually execute the above deployment command. I verified that it deployed and succeeded via my admin account.
So how would I go about preventing certain users from being able to deploy in certain situations? Like in this case, I don't want them to be able to deploy, but maybe down the line they'll have a personal project that they should be able to deploy with? If I view the user in Azure AD, it doesn't show any assigned roles (which is good).
I currently am using Management Groups (in fact, what the above file deploys is a base set of them) and use role access to limit what groups of users have what permissions to which MG, and this test user is not part of any of them.
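The deployment the question describes, wrapped in a pre-flight check, as an added example that is not part of the original question or the answer: it records which identity the Azure CLI is signed in as, checks that identity's role assignments at the tenant root scope (/) against an allow-list, previews the change with what-if, and only then runs the tenant deployment. main.bicep and main.parameters.json are the file names from the question; the deployment name is a placeholder for the redacted one, and the Owner/Contributor allow-list is this example's own choice. Azure enforces the permission check server-side regardless; the local check exists so that a "wrong account is signed in" mistake is visible before anything is deployed.

```shell
#!/bin/sh
# deploy-mgs.sh (added example, not from the original question or answer):
# pre-flight wrapper around the tenant-scope Bicep deployment.
# Assumptions: main.bicep and main.parameters.json are the files from the
# question; DEPLOYMENT_NAME is a placeholder for the redacted name.
set -eu

DEPLOYMENT_NAME="platform-management-groups"
LOCATION="eastus"
TEMPLATE="main.bicep"
PARAMETERS="main.parameters.json"

# has_allowed_role ROLES: ROLES is a newline-separated list of role
# definition names. Succeeds if at least one whole line is a role that may
# run this deployment (allow-list chosen for this example). Pure shell, so
# it can be exercised without the Azure CLI installed.
has_allowed_role() {
  printf '%s\n' "$1" | grep -qx -e 'Owner' -e 'Contributor'
}

# signed_in_user: the UPN the Azure CLI is currently signed in as.
signed_in_user() {
  az account show --query user.name -o tsv
}

# roles_at_root UPN: role definition names assigned to UPN at scope "/".
roles_at_root() {
  az role assignment list --assignee "$1" --scope / \
    --query '[].roleDefinitionName' -o tsv
}

# preflight: refuse to continue unless the signed-in identity holds an
# allowed role at the tenant root scope.
preflight() {
  user=$(signed_in_user) || {
    echo "not signed in (run: az login)" >&2
    return 1
  }
  roles=$(roles_at_root "$user")
  if ! has_allowed_role "$roles"; then
    echo "$user has no Owner/Contributor assignment at scope /; refusing to deploy" >&2
    return 1
  fi
  echo "signed in as $user; root-scope roles: $(printf '%s' "$roles" | tr '\n' ' ')"
}

# deploy: pre-flight, then a what-if preview of the create/modify/delete set,
# then the real tenant-scope deployment from the question.
deploy() {
  preflight
  az deployment tenant what-if --name "$DEPLOYMENT_NAME" --location "$LOCATION" \
    --template-file "$TEMPLATE" --parameters "$PARAMETERS"
  az deployment tenant create --name "$DEPLOYMENT_NAME" --location "$LOCATION" \
    --template-file "$TEMPLATE" --parameters "$PARAMETERS"
}

# Usage: sh deploy-mgs.sh check   (identity and role check only)
#        sh deploy-mgs.sh deploy  (check, what-if, then deploy)
case "${1:-}" in
  check)  preflight ;;
  deploy) deploy ;;
esac
```

Running `sh deploy-mgs.sh check` with the test user signed in should report no allowed assignment at scope / and stop, which matches the behaviour the question expects; the what-if step is what to read before a real run, since it lists every management group the template would create or change.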
@Architekt Welcome to Microsoft Q&A Platform and thanks for your query. I assume that you are storing your bicep file in Azure Cloud Shell, which in turn stores it in the linked storage account. Unless a user who has access to the linked storage account mounts it in the Azure Cloud Shell environment and executes the command, the user will not be able to access the file you have created.
Regarding the test account you have created, we need to do an in-depth analysis of how the test account has permissions to create or deploy the resources even though no permissions are provided. I would request you to send an email to AzCommunity@microsoft.com with the subject "Attn : Swathi" and details of your subscription Id and this thread link to further troubleshoot the issue.
I managed to figure out the test account: I think I must have accidentally logged in as my admin user by mistake. Because I just repeated the test and it worked as expected: the test user was rejected from deploying.
I don't currently have my bicep files in Azure Cloud Shell, I'm just starting to experiment with my deployment files. It sounds like ACS is the way to go then so that answers my question. Thanks!