How can I create a custom Azure policy to restrict end users from manually creating resources in resource groups and prevent unauthorized peerings with existing VNets, while also allowing the creation of resources through GitHub action automation or through the Automation account in Azure? I've already created a policy to restrict manual resource creation, but I'm struggling to find out how to give an exception for the automation account to allow it to create resources. Can anyone help me out with this?

Hi, Yes you can achieve this by create a custom Azure policy Exemption Policy (for Automation Account): { "properties": { "policyAssignmentId": "/subscriptions/{subId}/providers/Microsoft.Authorization/policyAssignments/YourPolicyAssignmentName", "policyDefinitionReferenceIds": [ "yourPolicyDefinitionId" ], "exemptionCategory": "Waiver", "resourceSelectors": [ { "name": "AutomationAccountResourceCreationExemption", "selectors": [ { "kind": "resourceType", "matches": [ "Microsoft.Automation/automationAccounts" ] } ] } ] }, "systemData": { }, "id": "/subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Authorization/policyExemptions/AutomationAccountCreationExemption", "type": "Microsoft.Authorization/policyExemptions", "name": "AutomationAccountCreationExemption" } This policy allows resources with a "CreatedBy" tag set to "AutomationAccount" to bypass the default denial. "policyAssignmentId" : Replace this with the ID of your policy assignment where the policy is applied. "policyDefinitionReferenceIds" : Replace this with the ID of your policy definition. "resourceSelectors" : This section specifies the resources to which the exemption applies. In this case, it targets resources of type Microsoft.Automation/automationAccounts , which corresponds to Azure Automation accounts. Make sure to replace placeholders such as {subId} , {resourceGroupName} , YourPolicyAssignmentName , and yourPolicyDefinitionId with your actual values. Please find ref doc --> https://learn.microsoft.com/en-us/azure/governance/policy/concepts/exemption-structure Kindly accept answer if it helps , Thanks!

How can I create a custom Azure policy to prevent/deny manual resource creation in resource groups while allowing automated creation through GitHub Actions or Azure Automation?

Accepted answer

Deepanshu katara 4,905 Reputation points

2024-04-01T07:40:47.8266667+00:00
Hi, Yes you can achieve this by create a custom Azure policy

Exemption Policy (for Automation Account):

{ "properties": { "policyAssignmentId": "/subscriptions/{subId}/providers/Microsoft.Authorization/policyAssignments/YourPolicyAssignmentName", "policyDefinitionReferenceIds": [ "yourPolicyDefinitionId" ], "exemptionCategory": "Waiver", "resourceSelectors": [ { "name": "AutomationAccountResourceCreationExemption", "selectors": [ { "kind": "resourceType", "matches": [ "Microsoft.Automation/automationAccounts" ] } ] } ] }, "systemData": { }, "id": "/subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Authorization/policyExemptions/AutomationAccountCreationExemption", "type": "Microsoft.Authorization/policyExemptions", "name": "AutomationAccountCreationExemption" }

This policy allows resources with a "CreatedBy" tag set to "AutomationAccount" to bypass the default denial.

"policyAssignmentId": Replace this with the ID of your policy assignment where the policy is applied.

"policyDefinitionReferenceIds": Replace this with the ID of your policy definition.

"resourceSelectors": This section specifies the resources to which the exemption applies. In this case, it targets resources of type Microsoft.Automation/automationAccounts, which corresponds to Azure Automation accounts.

Make sure to replace placeholders such as {subId}, {resourceGroupName}, YourPolicyAssignmentName, and yourPolicyDefinitionId with your actual values.

Please find ref doc --> https://learn.microsoft.com/en-us/azure/governance/policy/concepts/exemption-structure

Kindly accept answer if it helps , Thanks!
Please sign in to rate this answer.
Priyanka Varma 60 Reputation points

2024-04-01T09:27:33.2333333+00:00

Thank you so much for your response but it seems like we're using Azure AD app registrations (service principals) for automation instead of Azure Automation Accounts. Can we look into getting the custom policy for handling automation exceptions from the above mention? Any help with this would be much appreciated.

Thanks!

Deepanshu katara 4,905 Reputation points

2024-04-01T10:13:33.2733333+00:00

Yes ,

please refer below for spn's

{ "properties": { "policyAssignmentId": "/subscriptions/{subId}/providers/Microsoft.Authorization/policyAssignments/YourPolicyAssignmentName", "policyDefinitionReferenceIds": [ "yourPolicyDefinitionId" ], "exemptionCategory": "Waiver", "resourceSelectors": [ { "name": "AppRegistrationAutomationExemption", "selectors": [ { "kind": "principalType", "matches": [ "Application" ] }, { "kind": "principalName", "equals": "YourAppRegistrationName" } ] } ] }, "systemData": { }, "id": "/subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Authorization/policyExemptions/AppRegistrationAutomationExemption", "type": "Microsoft.Authorization/policyExemptions", "name": "AppRegistrationAutomationExemption" }

Deepanshu katara 4,905 Reputation points

2024-04-02T11:13:00.6+00:00

Can you please update , if it worked , please accept answer , Thanks!

Priyanka Varma 0 Reputation points

2024-04-08T12:36:48.0133333+00:00

This exemption policy is not working for me, could you please provide the complete policy rule. That would be really helpful for me.
Is it really possible to do the exemption to particular spn's account?
I have tried various ways, but none was really working.

Deepanshu katara 4,905 Reputation points

2024-04-08T16:58:35.68+00:00

Hi , please try something like this , navigate to Azure policy , click on build definition and then add some policy rule like this and then Assign to a scope like RG or subscription and then validate it by creating resources through SPN

"policyRule": { "if": { "allOf": [ { "field": "type", "equals": "Microsoft.resource/deployments" }, { "field": "identity.type", "like": "servicePrincipal" } ] }, "then": { "effect": "deny" } },

Kindly check and let us know please

Priyanka Varma 60 Reputation points

2024-04-08T17:28:48.49+00:00

Thank you so much for the response but this code is not working as expected, this code is allowing manual creation also. But I need a policy that ensure deployment can be done only through service principles. Is there any way to do this.

Priyanka Varma 60 Reputation points

2024-04-08T17:29:55.9933333+00:00

Please help me out with this!!!

Deepanshu katara 4,905 Reputation points

2024-04-09T05:31:21.9833333+00:00

Hi Priyanka, please try with below once and let us know, Thanks!

"policyRule": { "if": { "allOf": [ { "field": "type", "equals": "Microsoft.resources/deployments" }, { "not": { "field": "identity.type", "equals": "ServicePrincipal" } } ] }, "then": { "effect": "deny" } }, "parameters": {} }

Priyanka Varma 60 Reputation points

2024-04-09T06:18:32.0066667+00:00

Thank you for your response, but the given policy is also not working as it should.
Its not really denying any actions, and allowing both the creation of resources from spn & manual creation of the resources from portal as well

Deepanshu katara 4,905 Reputation points

2024-04-09T06:36:35.8833333+00:00

Hi priyanka, can you please join here will guide you through https://meet.google.com/kpg-jjbh-izr

Deepanshu katara 4,905 Reputation points

2024-04-09T06:55:47.9166667+00:00

As discussed in call, In my previous response , I just given the field , Microsoft. Resource/deployment you can change it to the type of resources type you do not want to let create manually

for example- I did for Key vaults and then It denied me for creating resources please check below image for ref.

So you please kindly check once at you end and update

Priyanka Varma 60 Reputation points

2024-04-09T07:47:08.31+00:00

"policyRule": { "if": { "allOf": [ { "field": "type", "equals": "Microsoft.compute/VirtualMachine" }, { "not": { "field": "identity.type", "equals": "ServicePrincipal" } } ] }, "then": { "effect": "deny" } },

I have assigned this policy and tried to create a VM through the portal, unlike yours, its allowing me to create the VM(Validation is being passed and the policy is not restricting the creation of VM) Any help?

Deepanshu katara 4,905 Reputation points

2024-04-09T07:54:36.5966667+00:00

Because resource type spelling seems wrong , it should be Microsoft.Compute/virtualMachines

Please find below exact names of resource type you may require

Microsoft.Compute/virtualMachines

Microsoft.Network/networkInterfaces

Microsoft.Network/virtualNetworks

Microsoft.Network/publicIpAddresses

Microsoft.Network/networkSecurityGroups

Priyanka Varma 60 Reputation points

2024-04-09T07:58:50.9466667+00:00

Sorry...Sorry, I changed the field type, and it is restricting the manual creation from the policy but also restricting the creation of Vm from Spn's account

Deepanshu katara 4,905 Reputation points

2024-04-09T10:18:36.1066667+00:00

I think to create VM with only using MS Entra ID applications currently not supported in policy , currently it is only available for Create server with Microsoft Entra-only authentication enabled in Azure SQL https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-azure-ad-only-authentication-create-server?view=azuresql&tabs=azure-portal
Sign in to comment

How can I create a custom Azure policy to prevent/deny manual resource creation in resource groups while allowing automated creation through GitHub Actions or Azure Automation?

0 additional answers