What Permission is required for configuring Azure policy

Mahavir Saroj 201 Reputation points
2024-03-27T17:14:07.8733333+00:00

What IAM permission is required for creating Azure policy over the Subscription.

Azure Policy
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
911 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Marcin Policht 25,290 Reputation points MVP
    2024-03-27T19:05:08.85+00:00

    To configure Azure Policy, you need appropriate permissions within the Azure environment. Typically, the following built-in roles in Azure provide the necessary permissions for configuring Azure Policy:

    1. Owner: Users assigned the Owner role have full access to all resources and can manage policies, including creating, editing, and assigning policies.
    2. Contributor: Users assigned the Contributor role can create and manage all types of Azure resources, including Azure Policy definitions and assignments.
    3. Policy Contributor: This role is specifically designed for managing Azure Policy. Users assigned the Policy Contributor role can create, edit, and assign policies, but they cannot modify other Azure resources.
    4. Management Group Contributor: Users assigned the Management Group Contributor role can manage all aspects of Azure management groups, including assigning Azure Policy at the management group level.
    5. Custom Role: If none of the built-in roles meet your requirements, you can create a custom role with specific permissions tailored to Azure Policy management.

    If you decide to create a custom role, use the following permissions:

    1. Microsoft.Authorization/policyDefinitions/*: This permission allows users to perform all actions (create, read, update, delete) on Azure Policy definitions.
    2. Microsoft.Authorization/policyAssignments/*: This permission allows users to perform all actions (create, read, update, delete) on Azure Policy assignments.
    3. *Microsoft.Authorization/policySetDefinitions/ (optional)**: This permission allows users to manage policy set definitions if you plan to use policy sets.
    4. *Microsoft.Authorization/policyExemptions/ (optional)**: This permission allows users to manage policy exemptions if you want to grant the ability to exempt specific resources from policy enforcement.
    5. Microsoft.Management/managementGroups/write (optional): If you want users to manage policy assignments at the management group level, they need the permission to write to management groups.
    6. Microsoft.Authorization/policyDefinitions/read (optional): If you want users to be able to read existing policy definitions, but not modify them, grant this permission.
    7. Microsoft.Authorization/policyAssignments/read (optional): If you want users to be able to view existing policy assignments without modifying them, grant this permission.

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

    1 person found this answer helpful.
    0 comments No comments

  2. Prashant Kumar 780 Reputation points Microsoft Employee
    2024-04-29T07:09:12.04+00:00

    Hi Mahavir,

    For creating Azure Policy at the Subscription scope, you would need Resource Policy Contributor Role as this role gives us rights to do below things which is enough for policy management.

    • Read all the resources
    • Create and manage policy assignments
    • Create and manage policy definitions
    • Create and manage policy exemptions
    • Create and manage policy sets
    • Create and manage a deployment
    • View policy compliance

    But, if you are going to assign policies with Modify or DeployIfNotExists effect, you should also have either User Access Admin or Owner role as well because, these policies use managed identity to remediate the resources and these identities get permission/roles through Role assignment which happens at the time of Policy assignment.

    Only User Access Admin and Owner have the Role Assignment permissions. Since the owner has a very privileged role, User Access Admin Role or Custom Role with Role Assignment permissions and Resource Policy Contributor permissions is recommended.

    If you don't have Role assignment permissions, the policies' managed identity will be created but without the role assignment and the remediations will mail with permission error.

    https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources?tabs=azure-portal

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.