To configure Azure Policy, you need appropriate permissions within the Azure environment. Typically, the following built-in roles in Azure provide the necessary permissions for configuring Azure Policy:
- Owner: Users assigned the Owner role have full access to all resources and can manage policies, including creating, editing, and assigning policies.
- Contributor: Users assigned the Contributor role can create and manage all types of Azure resources, including Azure Policy definitions and assignments.
- Policy Contributor: This role is specifically designed for managing Azure Policy. Users assigned the Policy Contributor role can create, edit, and assign policies, but they cannot modify other Azure resources.
- Management Group Contributor: Users assigned the Management Group Contributor role can manage all aspects of Azure management groups, including assigning Azure Policy at the management group level.
- Custom Role: If none of the built-in roles meet your requirements, you can create a custom role with specific permissions tailored to Azure Policy management.
If you decide to create a custom role, use the following permissions:
- Microsoft.Authorization/policyDefinitions/*: This permission allows users to perform all actions (create, read, update, delete) on Azure Policy definitions.
- Microsoft.Authorization/policyAssignments/*: This permission allows users to perform all actions (create, read, update, delete) on Azure Policy assignments.
- Microsoft.Authorization/policySetDefinitions/* (optional): This permission allows users to manage policy set definitions if you plan to use policy sets.
- Microsoft.Authorization/policyExemptions/* (optional): This permission allows users to manage policy exemptions if you want to grant the ability to exempt specific resources from policy enforcement.
- Microsoft.Management/managementGroups/write (optional): If you want users to manage policy assignments at the management group level, they need the permission to write to management groups.
- Microsoft.Authorization/policyDefinitions/read (optional): If you want users to be able to read existing policy definitions, but not modify them, grant this permission.
- Microsoft.Authorization/policyAssignments/read (optional): If you want users to be able to view existing policy assignments without modifying them, grant this permission.
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
hth
Marcin
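As an added example, not part of Marcin's answer: a shell script that renders the custom role described above as the JSON `az role definition create` expects, and refuses a definition whose wildcards reach beyond the Policy namespace. The subscription id is a placeholder, and the `az` command is printed rather than executed.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): emit a least-privilege custom
# role definition for Azure Policy management and check it for over-broad actions.
set -euo pipefail

# Render the role definition JSON for one assignable scope, e.g.
# /subscriptions/<id> or /providers/Microsoft.Management/managementGroups/<id>.
policy_manager_role() {
  local scope="$1"
  cat <<EOF
{
  "Name": "Azure Policy Manager (custom)",
  "IsCustom": true,
  "Description": "Create, edit and assign Azure Policy without touching other resources.",
  "Actions": [
    "Microsoft.Authorization/policyDefinitions/*",
    "Microsoft.Authorization/policySetDefinitions/*",
    "Microsoft.Authorization/policyAssignments/*",
    "Microsoft.Authorization/policyExemptions/*",
    "Microsoft.Management/managementGroups/read"
  ],
  "NotActions": [],
  "AssignableScopes": [ "$scope" ]
}
EOF
}

# Return non-zero if the definition grants "*" or "Microsoft.Authorization/*":
# both reach well past Policy (role assignments, locks) and defeat the point of a custom role.
check_role_scope() {
  local json="$1"
  if printf '%s' "$json" | grep -Eq '"(\*|Microsoft\.Authorization/\*)"'; then
    return 1
  fi
  return 0
}

main() {
  # Placeholder subscription id; replace with your own scope before use.
  local scope="/subscriptions/00000000-0000-0000-0000-000000000000"
  local role
  role="$(policy_manager_role "$scope")"
  check_role_scope "$role" || { echo "role grants over-broad actions" >&2; return 1; }
  printf '%s\n' "$role"
  echo "# save the JSON above as policy-manager-role.json, then:"
  echo "az role definition create --role-definition @policy-manager-role.json"
}

main
```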