Azure Policy: check subscription role assignments

Tobias Petter 1 Reputation point
2023-03-16T08:43:26.8633333+00:00

Hi everyone

We have different types of users in our Azure AD. Only a certain subset of them are allowed to administer Azure resources. Those all start with "ACO" or "ACA".

We now wish to create an Azure Policy that checks whether only such users have been assigned any roles on subscription level. Any account without "ACO" or "ACA" at the start of their name should trigger an audit.

To write such a policy, I checked the available aliases in Microsoft.Authorization. Unfortunately, one can only query "Principal ID" and "Principal Type", but not "Principal Name" - which is the field I would need.

Is there any other way to write a policy that achieves what I wish to do?

Thanks,

Tobias
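Since, as the question notes, the Microsoft.Authorization aliases expose principal ID and type but not principal name, one practical alternative is to export the subscription's role assignments and evaluate the naming rule outside Azure Policy. The script below is an added example, not code from the original post or from Microsoft. It assumes records shaped like the JSON that `az role assignment list --scope /subscriptions/<id>` returns (fields `principalName`, `principalType`, `roleDefinitionName`, `scope`); the sample records embedded here are constructed, not real tenant data.

```python
"""Audit subscription-scope role assignments by principal-name prefix.

Added example (not from the original post). Assumes the input has the field
names emitted by `az role assignment list` (assumption, not verified against
every CLI version); the sample data below is constructed.
"""
import json
import re

# Admin-account naming convention stated in the question.
ALLOWED_PREFIXES = ("ACO", "ACA")
# Exactly "/subscriptions/<id>", i.e. subscription scope, not a resource group or resource.
SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/[^/]+$")

# Constructed sample, modeled on `az role assignment list` output (assumption).
SAMPLE_ASSIGNMENTS_JSON = """
[
  {"principalName": "ACO-alice@contoso.example", "principalType": "User",
   "roleDefinitionName": "Owner",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
  {"principalName": "bob@contoso.example", "principalType": "User",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
  {"principalName": "aca-carol@contoso.example", "principalType": "User",
   "roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
  {"principalName": "dave@contoso.example", "principalType": "User",
   "roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-app"},
  {"principalName": "", "principalType": "Unknown",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"}
]
"""


def is_subscription_scope(scope):
    """True only for assignments made directly at subscription scope."""
    return bool(SUBSCRIPTION_SCOPE.match(scope or ""))


def name_is_allowed(name):
    """Prefix check; case-insensitive because UPNs are not case-sensitive."""
    return name.upper().startswith(ALLOWED_PREFIXES)


def audit_assignments(assignments):
    """Return findings for subscription-scope assignments that violate the naming rule.

    Each finding is (principalName, principalType, roleDefinitionName, reason).
    An assignment whose principal name is empty (e.g. the principal was deleted
    and the assignment is orphaned) is reported too, since it cannot be evaluated.
    """
    findings = []
    for a in assignments:
        if not is_subscription_scope(a.get("scope")):
            continue  # resource-group or resource scope: outside this check
        name = a.get("principalName") or ""
        if not name:
            findings.append((name, a.get("principalType"), a.get("roleDefinitionName"),
                             "principal name missing (deleted or unresolved principal)"))
        elif not name_is_allowed(name):
            findings.append((name, a.get("principalType"), a.get("roleDefinitionName"),
                             "principal name does not start with " + "/".join(ALLOWED_PREFIXES)))
    return findings


def audit_json(text):
    """Parse CLI-style JSON output and audit it."""
    return audit_assignments(json.loads(text))


if __name__ == "__main__":
    # In practice: az role assignment list --scope /subscriptions/<id> > assignments.json
    for f in audit_json(SAMPLE_ASSIGNMENTS_JSON):
        print(f"AUDIT: {f[0] or '<no name>'} ({f[1]}) holds {f[2]}: {f[3]}")
```

Run against a real export by replacing the constructed sample with the CLI's JSON output; the orphaned "Unknown" principal is reported deliberately, because an assignment that cannot be attributed to a named account is itself worth reviewing even though the prefix rule cannot be applied to it.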
