Restrict Ability to Modify Functions

jamesH 0 Reputation points

We have developers that need to be able to view functions and potentially modify them. However, it's preferred that they do not have the ability to change functions, only view/read them, unless it's a necessity. We have PIM so they could self-elevate privileges for a set amount of time but there are still concerns about accessing data/PII. The contributor role seemed like a potential idea but feels like it gives too much access by default.

In regards to that, we were thinking of having a specific subscription for better access control but are unsure about the best implementation method (PIM/conditional access/custom roles/etc) to ensure function changes are restricted.

Any input would be appreciated.

Azure Functions
Azure Functions
An Azure service that provides an event-driven serverless compute platform.
3,693 questions
Microsoft Entra
{count} votes

2 answers

Sort by: Most helpful
  1. JananiRamesh-MSFT 15,146 Reputation points

    @jamesH Thanks for reaching out. As you mentioned start by creating a new Azure subscription. This will provide a separate environment where you can manage resources and access control more granely. Then Create a custom role that only has the permissions necessary for developers to view and read functions. This role can be assigned to the developers in the new subscription, ensuring they have the least privilege necessary for their day-to-day work.

    For situations where developers need to modify functions, you can use PIM in the new subscription. You can assign a higher privileged role (like contributor) to the developers in PIM, and they can activate this role when necessary. This activation can be time-bound and could require approval, providing an additional layer of control. Conditional Access adds an extra layer of security by requiring certain conditions to be met before access is granted.

    These services are designed to work together to provide comprehensive access control. Using them in combination allows you to tailor your access control strategy to meet your specific needs.

    let me know incase of further queries, I would be happy to assist you.

  2. AdamZachary 2,851 Reputation points

    Hi James,

    To restrict the ability of developers to modify Azure Functions while allowing them to view or read them, you can implement a combination of custom roles, Privileged Identity Management (PIM), and Conditional Access. Here's a step-by-step approach:

    1- Create a Custom Role: Design a custom role with permissions limited to viewing and reading functions. Assign this role to developers to ensure they have minimal necessary privileges.

    • Log in to the Azure Portal: Access your Azure account.
    • Navigate to Microsoft Entra ID: Go to the Entra ID section for identity and access management.
    • Access Role-Based Access Control (RBAC): Find the RBAC settings in Azure AD or under the Subscription settings.
    • Open the Azure Roles Section: Look for the "Roles and administrators" section or similar, depending on your Azure portal version.
    • Create a New Custom Role: Choose to create a new custom role. This option is typically found within the Azure roles section.
    • Define the Custom Role Permissions: Set the Actions array to include permissions for viewing and reading functions. These are generally in the format of Microsoft.Web/sites/functions/read or similar, depending on the specific Azure resources and your organization's structure. - Ensure to exclude any actions that allow creating, deleting, or modifying functions. These actions typically include verbs like write, delete, set, create, etc., and will be in the format of Microsoft.Web/sites/functns/*.
    • Include any additional read-only permissions that may be necessary for your developers to effectively view and understand the functions, such as viewing logs or related resources.
    • Configure Assignable Scopes: Define the scopes at which this role can be assigned. Typically, this would be the specific subscription or resource group where the Azure Functions are hosted.
    • Finalize and Create the Role: Give the role a descriptive name and description, then create the role.
    • Assign the Role to Users: After the role is created, assign it to the developers who need read/view access to Azure Functions. This assignment can be done through Azure AD or directly in the subscription/resource group where the functions are located.

    2 - Additionally, you can use PIM for Elevated Privileges: For cases where developers need to modify functions, utilize PIM in the subscription. Assign a higher privileged role (like contributor) in PIM, which developers can activate as needed. This activation can be time-bound and may require approval for added control.

    Hope this helps

    0 comments No comments