How to exclude a group of users in an azure policy from deny action

Omer Jesus Gonzalez Vizcaino 0 Reputation points
2024-03-13T21:04:25.21+00:00

current situation: there is a zure policy with deny action that prohibits the deletion of resource groups and resources.

requirement: create a user group in azure in which every member of that group is excluded from the azure policy deny action

Azure Policy
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
788 questions
{count} votes

1 answer

Sort by: Most helpful
  1. SwathiDhanwada-MSFT 17,321 Reputation points
    2024-03-15T09:06:27.36+00:00

    @Omer Jesus Gonzalez Vizcaino Groups cannot be sent as a parameter in Azure Policy. However, you can use the "If" function in the policy definition to conditionally apply the policy based on the list of users.

    Here is snippet of policy code.

    { 
    	"not": 
    		{ 
    			"field": "Microsoft.Authorization/roleAssignments[*].principalId", 
    			"in": "[parameters('excludedUserEmails')]" 
    		}
     }
    
    0 comments No comments