Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
675 questions
Azure Policy: check subscription role assignments
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 57.00000000000001%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETP%3C/text%3E%3C/svg%3E)
Tobias Petter
6
Reputation points
Hi everyone
We have different types of users in our Azure AD. Only a certain subset of them are allowed to administer Azure resources. Those all start with "ACO" or "ACA".
We now wish to create an Azure Policy that checks whether only such users have been assigned any roles on subscription level. Any account without "ACO" or "ACA" at the start of their name should trigger an audit.
To write such a policy, I checked the available aliases in Microsoft.Authorization. Unfortunately, one can only query "Principal ID" and "Principal Type", but not "Principal Name" - which is the field I would need.
Is there any other way to write a policy that achieves what I wish to do?
Thanks,
Tobias
{count} vote
-
JamesTran-MSFT 36,461 Reputation points Microsoft Employee2023-03-20T18:06:02.84+00:00 Thank you for your post and I apologize for the delayed response! My team is currently looking into your issue and will update you as soon as possible.
Sign in to comment