Azure Policy: check subscription role assignments

Tobias Petter 6 Reputation points

Hi everyone

We have different types of users in our Azure AD. Only a certain subset of them are allowed to administer Azure resources. Those all start with "ACO" or "ACA".

We now wish to create an Azure Policy that checks whether only such users have been assigned any roles on subscription level. Any account without "ACO" or "ACA" at the start of their name should trigger an audit.

To write such a policy, I checked the available aliases in Microsoft.Authorization. Unfortunately, one can only query "Principal ID" and "Principal Type", but not "Principal Name" - which is the field I would need.

Is there any other way to write a policy that achieves what I wish to do?



Azure Role-based access control
Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
652 questions
Azure Policy
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
781 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,309 questions
{count} vote