What Permission is required for configuring Azure policy

Mahavir Saroj 201 Reputation points
2024-03-27T17:14:07.8733333+00:00

What IAM permission is required for creating an Azure policy over the subscription?


2 answers

  1. Marcin Policht 10,845 Reputation points MVP
    2024-03-27T19:05:08.85+00:00

    To configure Azure Policy, you need appropriate permissions within the Azure environment. Typically, the following built-in roles in Azure provide the necessary permissions for configuring Azure Policy:

    1. Owner: Users assigned the Owner role have full access to all resources and can manage policies, including creating, editing, and assigning policies.
    2. Contributor: Users assigned the Contributor role can create and manage all types of Azure resources, including Azure Policy definitions and assignments.
    3. Policy Contributor: This role is specifically designed for managing Azure Policy. Users assigned the Policy Contributor role can create, edit, and assign policies, but they cannot modify other Azure resources.
    4. Management Group Contributor: Users assigned the Management Group Contributor role can manage all aspects of Azure management groups, including assigning Azure Policy at the management group level.
    5. Custom Role: If none of the built-in roles meet your requirements, you can create a custom role with specific permissions tailored to Azure Policy management.

    If you decide to create a custom role, use the following permissions:

    1. Microsoft.Authorization/policyDefinitions/*: This permission allows users to perform all actions (create, read, update, delete) on Azure Policy definitions.
    2. Microsoft.Authorization/policyAssignments/*: This permission allows users to perform all actions (create, read, update, delete) on Azure Policy assignments.
    3. Microsoft.Authorization/policySetDefinitions/* (optional): This permission allows users to manage policy set definitions if you plan to use policy sets.
    4. Microsoft.Authorization/policyExemptions/* (optional): This permission allows users to manage policy exemptions if you want to grant the ability to exempt specific resources from policy enforcement.
    5. Microsoft.Management/managementGroups/write (optional): If you want users to manage policy assignments at the management group level, they need the permission to write to management groups.
    6. Microsoft.Authorization/policyDefinitions/read (optional): If you want users to be able to read existing policy definitions, but not modify them, grant this permission.
    7. Microsoft.Authorization/policyAssignments/read (optional): If you want users to be able to view existing policy assignments without modifying them, grant this permission.

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin


  2. Prashant Kumar 75 Reputation points Microsoft Employee
    2024-04-29T07:09:12.04+00:00

    Hi Mahavir,

    For creating Azure Policy at the subscription scope, you would need the Resource Policy Contributor role, as this role gives the rights to do the things below, which is enough for policy management:

    • Read all the resources
    • Create and manage policy assignments
    • Create and manage policy definitions
    • Create and manage policy exemptions
    • Create and manage policy sets
    • Create and manage a deployment
    • View policy compliance

    But if you are going to assign policies with the Modify or DeployIfNotExists effect, you should also have either the User Access Administrator or Owner role as well, because these policies use a managed identity to remediate the resources, and these identities get their permissions/roles through a role assignment which happens at the time of policy assignment.

    Only User Access Administrator and Owner have the role assignment permissions. Since Owner is a very privileged role, the User Access Administrator role, or a custom role with role assignment permissions and Resource Policy Contributor permissions, is recommended.

    If you don't have role assignment permissions, the policy's managed identity will be created but without the role assignment, and the remediations will fail with a permission error.

    https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources?tabs=azure-portal

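The two answers together describe a check a practitioner wants before handing out a role: does the role cover policy definition and assignment writes, and, for Modify/DeployIfNotExists assignments, does it also cover the role-assignment write the remediation identity depends on? The following is an added example, not code from either answer or from Microsoft; the custom role it evaluates is constructed from the permission list in the first answer, and the Actions-minus-NotActions wildcard matching mirrors how Azure RBAC evaluates action strings.

```python
"""Evaluate an Azure RBAC role definition against the permissions the two
answers above say policy creation and remediation require."""
import fnmatch

# Constructed custom role modelled on the first answer's list; not a role exported from a tenant.
POLICY_ADMIN_ROLE = {
    "Name": "Policy Administrator (constructed example)",
    "Actions": [
        "Microsoft.Authorization/policyDefinitions/*",
        "Microsoft.Authorization/policyAssignments/*",
        "Microsoft.Authorization/policySetDefinitions/*",
        "Microsoft.Authorization/policyExemptions/*",
        "*/read",
    ],
    "NotActions": [],
}

# Operations a policy author performs when creating and assigning a policy.
POLICY_MANAGEMENT_OPS = [
    "Microsoft.Authorization/policyDefinitions/write",
    "Microsoft.Authorization/policyAssignments/write",
]
# Effects whose remediation identity receives a role assignment at assignment time.
REMEDIATION_EFFECTS = {"modify", "deployifnotexists"}
ROLE_ASSIGNMENT_OP = "Microsoft.Authorization/roleAssignments/write"


def _matches(pattern: str, operation: str) -> bool:
    # RBAC action strings compare case-insensitively; '*' spans any number of path segments.
    return fnmatch.fnmatchcase(operation.lower(), pattern.lower())


def is_allowed(role: dict, operation: str) -> bool:
    """Effective permission is Actions minus NotActions."""
    if any(_matches(p, operation) for p in role.get("NotActions", [])):
        return False
    return any(_matches(p, operation) for p in role.get("Actions", []))


def missing_for_assignment(role: dict, effect: str) -> list:
    """Operations the role lacks for assigning a policy with this effect;
    an empty list means the assignment and its remediation can succeed."""
    needed = list(POLICY_MANAGEMENT_OPS)
    if effect.lower() in REMEDIATION_EFFECTS:
        needed.append(ROLE_ASSIGNMENT_OP)
    return [op for op in needed if not is_allowed(role, op)]


if __name__ == "__main__":
    for effect in ("Audit", "DeployIfNotExists"):
        print(effect, "->", missing_for_assignment(POLICY_ADMIN_ROLE, effect))
```

For the constructed role the Audit assignment comes back with nothing missing, while DeployIfNotExists reports the missing `Microsoft.Authorization/roleAssignments/write`, which is exactly the failure mode the second answer describes.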