Azure Policy: check subscription role assignments
We have different types of users in our Azure AD. Only a certain subset of them are allowed to administer Azure resources. Those all start with "ACO" or "ACA".
We now wish to create an Azure Policy that checks whether only such users have been assigned any roles at the subscription level. Any account whose name does not start with "ACO" or "ACA" should trigger an audit.
To write such a policy, I checked the available aliases in Microsoft.Authorization. Unfortunately, one can only query "Principal ID" and "Principal Type", but not "Principal Name" - which is the field I would need.
Is there any other way to write a policy that achieves what I wish to do?
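One way to get the name-based check the question asks for, as an added example that is not code from the question's author or from Microsoft: since the Microsoft.Authorization/roleAssignments aliases only expose principalId and principalType, the display-name comparison has to happen outside Azure Policy. The script enumerates the subscription's role assignments, resolves each principalId to a display name through Microsoft Graph, and reports assignments whose name does not start with ACO or ACA. The allowed-prefix regex, the decision to check only User principals by default, the treatment of unresolvable principals as violations, and the sample assignments are all assumptions constructed for the example; the live helpers at the bottom assume azure-identity, azure-mgmt-authorization (a version whose RoleAssignment model carries principal_type) and requests, plus network access.

```python
"""Audit subscription-level Azure role assignments by principal display-name prefix.

Added example, not code from the original question or from Microsoft.
Policy aliases for Microsoft.Authorization/roleAssignments give only
principalId and principalType, so the name check is done out of band:
list assignments, resolve principalId via Microsoft Graph, flag names
that do not start with ACO or ACA.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Assumption: exactly the prefixes "ACO" and "ACA", matched case-sensitively.
ALLOWED_PREFIX = re.compile(r"^AC[OA]")


@dataclass(frozen=True)
class Assignment:
    principal_id: str
    principal_type: str            # User, Group, ServicePrincipal, ...
    display_name: Optional[str]    # None when Graph cannot resolve the id
    role_definition_id: str
    scope: str


def is_allowed_name(name: Optional[str]) -> bool:
    """True only for a resolved display name starting with ACO or ACA."""
    return name is not None and ALLOWED_PREFIX.match(name) is not None


def find_violations(assignments: Iterable[Assignment],
                    principal_types: Tuple[str, ...] = ("User",)) -> List[Assignment]:
    """Return assignments held by principals of the given types whose name lacks
    an allowed prefix. Unresolved names (deleted or foreign-tenant principals)
    are reported too, because they cannot be vetted against the convention."""
    return [a for a in assignments
            if a.principal_type in principal_types and not is_allowed_name(a.display_name)]


# Constructed sample data, not output from a real tenant.
SUB_SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE = [
    Assignment("1111", "User", "ACO-alice", "Owner", SUB_SCOPE),
    Assignment("2222", "User", "bob.builder", "Contributor", SUB_SCOPE),
    Assignment("3333", "User", None, "Reader", SUB_SCOPE),            # unresolvable
    Assignment("4444", "Group", "Platform-Admins", "Owner", SUB_SCOPE),
    Assignment("5555", "User", "aca-lowercase", "Reader", SUB_SCOPE),  # wrong case
]


# --- live helpers (need network and the Azure SDKs; not exercised offline) ---

def resolve_display_name(graph_token: str, principal_id: str) -> Optional[str]:
    """Look up a directory object's displayName; None if it no longer exists."""
    import requests
    r = requests.get(f"https://graph.microsoft.com/v1.0/directoryObjects/{principal_id}",
                     headers={"Authorization": f"Bearer {graph_token}"}, timeout=30)
    if r.status_code == 404:
        return None
    r.raise_for_status()
    return r.json().get("displayName")


def collect_subscription_assignments(subscription_id: str) -> List[Assignment]:
    """Assignments made directly at subscription scope, with names resolved.
    Assignes DefaultAzureCredential has Reader on the subscription and
    Directory.Read.All-equivalent access to Graph."""
    from azure.identity import DefaultAzureCredential
    from azure.mgmt.authorization import AuthorizationManagementClient
    cred = DefaultAzureCredential()
    client = AuthorizationManagementClient(cred, subscription_id)
    token = cred.get_token("https://graph.microsoft.com/.default").token
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    out = []
    for ra in client.role_assignments.list_for_subscription():
        # Skip assignments inherited from a management group or made below the subscription.
        if (ra.scope or "").lower() != sub_scope:
            continue
        out.append(Assignment(ra.principal_id, ra.principal_type or "Unknown",
                              resolve_display_name(token, ra.principal_id),
                              ra.role_definition_id, ra.scope))
    return out


if __name__ == "__main__":
    for a in find_violations(SAMPLE):
        print(f"AUDIT {a.principal_type} {a.principal_id} "
              f"name={a.display_name!r} role={a.role_definition_id} scope={a.scope}")
```

Running the module prints the three sample violations (bob.builder, the unresolvable principal, and the lowercase name); pointing `collect_subscription_assignments` at a real subscription id and feeding its result to `find_violations` gives the same report for live data. Widening `principal_types` to include groups and service principals is a one-argument change, but those rarely follow a user naming convention, so the default checks only User principals.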
Thank you for your post and I apologize for the delayed response! My team is currently looking into your issue and will update you as soon as possible.