Allow permanent eligible assignment automation

Question

Allow permanent eligible assignment automation

Jomon Varghese 0

How to configure Allow permanent eligible assignment to Yes via Azure policy?

To be applied at resource group level for contributor role

Do we have a resource provider to use?

Any sample Json code with IF statement?

1 answer

Your answer

Answer 1

Konstantinos Passadis 19,586 MVP

Hello @Jomon Varghese

Can you try this JSON

This policy definition uses an IF statement to check whether the value of the "allowPermanentEligibleAssignment" parameter is set to "Yes". If it is, the policy will modify the role assignment to enable "Allow permanent eligible assignment" for the Contributor role in the specified resource group.

To apply this policy definition at the resource group level for the Contributor role, you can assign the policy to the resource group with the desired value for the "allowPermanentEligibleAssignment" parameter

{
    "properties": {
        "displayName": "Allow permanent eligible assignment",
        "policyType": "BuiltIn",
        "mode": "All",
        "description": "This policy enables Allow permanent eligible assignment for the Contributor role in a resource group.",
        "metadata": {
            "category": "Access Control"
        },
        "parameters": {},
        "policyRule": {
            "if": {
                "allOf": [
                    {
                        "field": "type",
                        "equals": "Microsoft.Authorization/roleAssignments"
                    },
                    {
                        "field": "Microsoft.Authorization/roleAssignments/memberType",
                        "equals": "User"
                    },
                    {
                        "field": "Microsoft.Authorization/roleAssignments/roleDefinitionId",
                        "equals": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]"
                    }
                ]
            },
            "then": {
                "effect": "modify",
                "details": {
                    "roleDefinitionIds": [
                        "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]"
                    ],
                    "modifiableOnlyByAssignedIdentity": false,
                    "assignableScopes": [
                        "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name)]"
                    ],
                    "condition": {
                        "allOf": [
                            {
                                "field": "Microsoft.Authorization/roleAssignments/elidable",
                                "equals": true
                            },
                            {
                                "field": "Microsoft.Authorization/roleAssignments/condition",
                                "equals": "[if(equals(parameters('allowPermanentEligibleAssignment'), 'Yes'), 'true', 'false')]"
                            }
                        ]
                    }
                }
            }
        }
    }
}

Kindly mark the answer as Accepted if it helped you !

Thanks !

Jomon Varghese 0 Reputation points

2023-04-01T09:10:45.83+00:00

Thanks for the quick reply, but a query if its already set as yes, it means its enabled right? So why trigger an effect to Modify, it should just not do anything?

Also i see a line as roleAssignments/elidable.

Hope its eligible?
Konstantinos Passadis 19,586 Reputation points MVP

2023-04-01T09:16:38.5233333+00:00

Yes you are right it is eligible ! Sorry

In the JSON policy definition, the "modify" effect is used to change the role assignment only if the value of "AllowPermanentEligibleAssignment" is "No". If the value is already "Yes", then the policy will not modify the role assignment.

Hope that helped !
Jomon Varghese 0 Reputation points

2023-04-01T09:28:19.74+00:00

Thanks I will try this and let you know. Again a huge Thanks for the support
Konstantinos Passadis 19,586 Reputation points MVP

2023-04-01T09:36:07.8066667+00:00

I hope you get the result !

In case you do , kidly mark the answer as Accepted! If you don't , we can continue to look up the issue !

Have a great day !
Jomon Varghese 0 Reputation points

2023-04-01T09:42:51.2666667+00:00
Regarding the effect are you referring to below line as condition but i see this as yes, does it mean effect if this value is yes/no. Apologies if this is a naive question I am just trying to understand the logic

equals": "[if(equals(parameters('allowPermanentEligibleAssignment'), 'Yes'), 'true', 'false')]" }
Konstantinos Passadis 19,586 Reputation points MVP

2023-04-01T09:44:54.8533333+00:00

Hello @Jomon Varghese

In the condition object, the line you mentioned checks the value of the "allowPermanentEligibleAssignment" parameter, and returns "true" if the value is "Yes", and "false" otherwise. This condition is used to ensure that the policy effect is only applied to role assignments where the "Allow permanent eligible assignment" feature is not already enabled.

Hope this helps !

Also there are no naive Qs....everyone here is trying to help each other so every question is welcome and treated with respect!
Jomon Varghese 0 Reputation points

2023-04-01T14:23:36.28+00:00

Hi, Can I use Audit or AuditIfNotExists or DeployIfNotExists in the same code? or Do i need to add some codes?

Also if I need to combine with "Allow permanent Active assignments" what must I change?
Konstantinos Passadis 19,586 Reputation points MVP

2023-04-01T15:12:59.1266667+00:00

Yes, you can use the Audit, AuditIfNotExists, and DeployIfNotExists effects in the same policy definition code.

The Audit effect will report on the compliance of the resources with the policy, while the AuditIfNotExists effect will report on the compliance of the resources with the policy and also create the resource if it does not already exist. The DeployIfNotExists effect will create the resource if it does not exist and report on the compliance of the resource with the policy.

To combine the "Allow permanent eligible assignment" policy with the Audit, AuditIfNotExists, or DeployIfNotExists effect, you can add the "resource" object for the role assignment to the policy definition, and set the "effect" property to the desired effect (e.g. Audit, AuditIfNotExists, or DeployIfNotExists).

Kindly mark the answer as accepted in case it helped you with your issue!

BR
Jomon Varghese 0 Reputation points

2023-04-01T15:25:34.67+00:00

Thanks,

The Combine query was for "Allow permanent Active assignments" & "Allow permanent Eligible assignments" together in one code.

It will first Audit and if its not there it will set both the Eligible & Active assignment to Yes

Konstantinos Passadis 19,586 MVP

Hello

Look at this

{
    "mode": "Indexed",
    "policyRule": {
        "if": {
            "allOf": [
                {
                    "field": "type",
                    "equals": "Microsoft.Authorization/roleAssignments"
                },
                {
                    "not": {
                        "allOf": [
                            {
                                "field": "Microsoft.Authorization/roleAssignments/allowPermanentActiveAssignment",
                                "equals": "Yes"
                            },
                            {
                                "field": "Microsoft.Authorization/roleAssignments/allowPermanentEligibleAssignment",
                                "equals": "Yes"
                            }
                        ]
                    }
                }
            ]
        },
        "then": {
            "effect": "AuditIfNotExists",
            "details": {
                "type": "Microsoft.Authorization/roleAssignments",
                "existenceCondition": {
                    "allOf": [
                        {
                            "field": "Microsoft.Authorization/roleAssignments/allowPermanentActiveAssignment",
                            "equals": "Yes"
                        },
                        {
                            "field": "Microsoft.Authorization/roleAssignments/allowPermanentEligibleAssignment",
                            "equals": "Yes"
                        }
                    ]
                },
                "roleDefinitionIds": [
                    "/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-0000-0000-000000000000"
                ],
                "deploymentScope": "Subscription"
            }
        }
    },
    "parameters": {}
}

It combines "Allow permanent Active assignments" and "Allow permanent Eligible assignments"

This policy definition code will audit the compliance of all role assignments in the subscription to ensure that both "Allow permanent Active assignments" and "Allow permanent Eligible assignments" are set to "Yes". If either of these properties is not set to "Yes", the policy will create the role assignment with both properties set to "Yes" and report the compliance status.

Note that you can modify the "effect" property to "DeployIfNotExists" if you want the policy to automatically create the role assignment if it does not exist. You can also modify the "deploymentScope" property to specify a different scope, such as a resource group, if you want the policy to apply to a specific scope.

Kindly mark the answer as accepted in case it helped you with your issue!

BR

Jomon Varghese 0 Reputation points

2023-04-01T16:01:46.9166667+00:00

Thanks, I think this will work. So now I just need to update the contributor role as role defination 'b24988ac-6180-42a0-ab88-20f7382dd24c'

And the scope for me will be resource group, So I will update it as "Resource group" or it can also inherit it from Policy assignment scope?
Konstantinos Passadis 19,586 Reputation points MVP

2023-04-01T21:46:09.9+00:00

Hello @Jomon Varghese

As you can see in my previous answer " You can also modify the "deploymentScope" property to specify a different scope, such as a resource group, if you want the policy to apply to a specific scope."

Also "If you set the scope to a management group, the policy will apply to all subscriptions and resources under that management group. Similarly, if you set the scope to a subscription, the policy will apply to all resource groups and resources under that subscription."

And 'If you want the policy to apply to specific resource groups or resources, you can set the scope to the appropriate resource group or resource. In this case, the policy will only apply to the specified resources and their child resources. If you set the "mode" property to "All", the policy will apply to all child resources under the specified scope.

Keep in mind that the inheritance behavior of policies can be complex, and it's important to understand how policies are inherited and evaluated before applying policies to your resources. You can find more information about policy inheritance in the Azure documentation."

So it is really up to your liking and needs how to deploy-enforce!

I am glad you have a path to work on !

Kindly mark the answer as Accepted so others can refer to this post if they have a similar case!

BR
Jomon Varghese 0 Reputation points

2023-04-03T13:43:03.0933333+00:00

Hi, I am getting this error

The definition is invalid, The field type allowPermanentActiveAssignment doesnt exist as an alias under Microsoft.Authorization and resource type roleAssignments
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator

2023-05-08T04:08:26.25+00:00

Hello, do you still need help with this?

Share via

Allow permanent eligible assignment automation

1 answer

Your answer