@Azuretech Instead of relying on policy for this scenario, Azure's Role-Based Access Control (RBAC) would be a better option. While policy is used to conform to compliance, RBAC is designed more to grant/restrict access to resources in Azure.
For such a move of a subscription to a Management Group, the following permissions are required for a user who attempts to move a subscription to another MG:

Child subscription / management group
- Microsoft.management/managementgroups/write
- Microsoft.management/managementgroups/subscriptions/write (only for Subscriptions)
- Microsoft.Authorization/roleAssignments/write
- Microsoft.Authorization/roleAssignments/delete
- Microsoft.Management/register/action

Target parent management group
- Microsoft.management/managementgroups/write

Current parent management group
- Microsoft.management/managementgroups/write

Therefore, you can review these permissions and allow only a specific user (or set of users) who is allowed to perform the move operation.
Using Policy in this scenario might be complex - for example, if you implement a policy, none of the users would be able to move a subscription to this MG, irrespective of the role assigned to them. However, if you would like to implement such a policy, the ARM template available in the following link could be used - Move subscriptions in ARM template. I have not tested it though, as I don't have such a test environment.
Hope this helps.
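One way to check the permission list above against a principal's role assignments, as an added example that is not part of the original answer and not a Microsoft tool: the script below models RBAC evaluation (Actions/NotActions with `*` wildcards, case-insensitive matching, assignments inherited down the management-group hierarchy) and reports which required actions are missing at the child subscription, the target parent MG and the current parent MG. Deny assignments and Azure Policy are intentionally out of scope. The role definitions, principal names, management-group names and the subscription GUID are constructed placeholders; the custom role is written in the JSON shape `New-AzRoleDefinition` accepts, but it is an assumption that you would scope it this way in your own tenant.

```python
"""Check whether a principal's RBAC assignments cover a subscription move.

Added example, not from the original answer. Role names, scopes and IDs are
constructed placeholders; deny assignments and Azure Policy are ignored.
"""
import re

# Permissions required for the move, keyed by where they must be held.
# "child" is the subscription being moved (list as given in the answer above).
REQUIRED_ACTIONS = {
    "child": [
        "Microsoft.Management/managementGroups/write",
        "Microsoft.Management/managementGroups/subscriptions/write",
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/delete",
        "Microsoft.Management/register/action",
    ],
    "target_parent": ["Microsoft.Management/managementGroups/write"],
    "current_parent": ["Microsoft.Management/managementGroups/write"],
}


def action_matches(pattern: str, action: str) -> bool:
    """'*' in an action pattern matches any run of characters (including '/');
    action strings are compared case-insensitively."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def role_grants(role: dict, action: str) -> bool:
    """A role allows an action if some Actions pattern matches and no
    NotActions pattern matches. NotActions only subtract within that role."""
    allowed = any(action_matches(p, action) for p in role.get("Actions", []))
    denied = any(action_matches(p, action) for p in role.get("NotActions", []))
    return allowed and not denied


def ancestors(scope: str, parent_of: dict) -> set:
    """The scope itself plus every scope above it; assignments are inherited."""
    chain = set()
    while scope is not None:
        chain.add(scope)
        scope = parent_of.get(scope)
    return chain


def principal_allows(principal, action, scope, assignments, roles, parent_of):
    """Assignments are additive: any matching assignment at this scope or an
    ancestor that grants the action is enough."""
    inherited = ancestors(scope, parent_of)
    return any(a["principal"] == principal and a["scope"] in inherited
               and role_grants(roles[a["role"]], action) for a in assignments)


def missing_for_move(principal, sub_scope, target_mg, assignments, roles, parent_of):
    """Return {scope: [missing actions]} for moving sub_scope to target_mg.
    An empty dict means the principal holds everything the move needs."""
    checks = {"child": sub_scope, "target_parent": target_mg,
              "current_parent": parent_of[sub_scope]}
    missing = {}
    for key, scope in checks.items():
        gaps = [a for a in REQUIRED_ACTIONS[key]
                if not principal_allows(principal, a, scope, assignments, roles, parent_of)]
        if gaps:
            missing[scope] = gaps
    return missing


# --- constructed sample tenant (placeholders, not real IDs) ---------------------
ROOT = "/providers/Microsoft.Management/managementGroups/tenant-root"
MG_A = "/providers/Microsoft.Management/managementGroups/mg-a"
MG_B = "/providers/Microsoft.Management/managementGroups/mg-b"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"  # currently under mg-a
PARENT_OF = {SUB: MG_A, MG_A: ROOT, MG_B: ROOT}

ROLES = {
    # Custom role holding exactly the actions the move needs.
    "Subscription Mover": {
        "Name": "Subscription Mover", "IsCustom": True,
        "Description": "Can move subscriptions between management groups",
        "Actions": REQUIRED_ACTIONS["child"], "NotActions": [],
        "AssignableScopes": [ROOT],
    },
    # Broad role that subtracts role-assignment writes via NotActions (the same
    # pattern the built-in Contributor role uses); it cannot perform the move.
    "Broad Minus Authorization": {
        "Name": "Broad Minus Authorization", "IsCustom": True,
        "Actions": ["*"],
        "NotActions": ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"],
        "AssignableScopes": [ROOT],
    },
}

ASSIGNMENTS = [
    {"principal": "alice", "role": "Subscription Mover", "scope": ROOT},
    {"principal": "bob", "role": "Broad Minus Authorization", "scope": ROOT},
    {"principal": "carol", "role": "Subscription Mover", "scope": MG_B},  # target MG only
]

if __name__ == "__main__":
    for who in ("alice", "bob", "carol"):
        gaps = missing_for_move(who, SUB, MG_B, ASSIGNMENTS, ROLES, PARENT_OF)
        print(who, "can move" if not gaps else f"cannot move, missing {gaps}")
```

Running it shows the three failure modes a reviewer of these permissions cares about: alice (custom role at the tenant root) passes; bob's broad role still fails because its NotActions strip `roleAssignments/write` and `roleAssignments/delete` on the subscription; carol fails because an assignment on the target MG is not inherited by the subscription or its current parent, so the role must be assigned at a scope that covers all three.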