Blocking deployments initiated by Copilot using Azure Policy

Caroline CAH 20 Reputation points
2024-07-26T13:39:58.9033333+00:00

Hello Azure Community,

I am investigating potential solutions to block deployments initiated specifically by Copilot in our Azure environment. Our goal is to prevent deployments initiated by Copilot while allowing other deployments to continue without interruption.

Options considered:

  1. Creating a custom Azure Policy to specifically block deployments that are initiated by Copilot. Our goal is to prevent any deployments initiated by Copilot while allowing other deployments to proceed without interruption.
  2. Copilot for Azure admin center https://learn.microsoft.com/en-us/azure/copilot/manage-access#manage-user-access-to-microsoft-copilot-in-azure

Here is the draft of the policy rule I have considered:

{
  "mode": "All",
  "parameters": {},
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "tags['InitiatedBy']",
          "equals": "Copilot"
        },
        {
          "field": "type",
          "equals": "Microsoft.Resources/deployments"
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  }
}

Kind regards,

Caroline Cah


Accepted answer
  1. Prashant Kumar 790 Reputation points Microsoft Employee
    2024-07-30T06:50:53.87+00:00

    Hi Caroline,

    Unfortunately, users cannot use Azure Governance Policy to restrict deployments initiated through Microsoft Copilot in Azure (preview).

    When any deployment operation is triggered through any Copilot prompts - Guided or Quick deployments, it does not create the resource with any such property that can differentiate it from other non-Copilot deployments. So, policy cannot be applied to restrict it.

    The only option currently available is to limit the users/groups who can access Copilot and manage the resources through that.

    Reference Article for controlling Access: https://learn.microsoft.com/en-us/azure/copilot/manage-access#manage-user-access-to-microsoft-copilot-in-azure

    Copilot Capabilities:

    https://learn.microsoft.com/en-us/azure/copilot/capabilities

    https://learn.microsoft.com/en-us/azure/copilot/use-guided-deployments

    Since Copilot is in Preview, I strongly recommend sharing this as product feedback to allow some options to detect the Copilot-initiated deployment by "user prompts" and restrict it - https://feedback.azure.com/d365community/

    Through some automatically appended tags for the Copilot-initiated deployment resources.

    More granular RBAC access to control the Copilot-initiated deployments.

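Why the draft rule in the question never denies a Copilot deployment, as an added example that is not part of the original thread and not Azure's policy engine: a simplified Python model of condition evaluation covering only `allOf`, `anyOf`, `not` and `field`/`equals`. The request payloads are constructed; that a Copilot-initiated request carries no distinguishing property is taken from the accepted answer.

```python
DRAFT_RULE_IF = {  # the "if" block of the draft policy in the question
    "allOf": [
        {"field": "tags['InitiatedBy']", "equals": "Copilot"},
        {"field": "type", "equals": "Microsoft.Resources/deployments"},
    ]
}

def resolve_field(resource, field):
    """Resolve a top-level property or tags['<name>']; a missing value is None."""
    if field.startswith("tags['") and field.endswith("']"):
        tags = {k.lower(): v for k, v in (resource.get("tags") or {}).items()}
        return tags.get(field[6:-2].lower())  # tag names compare case-insensitively
    return resource.get(field)

def matches(cond, resource):
    """Evaluate the subset of policy conditions used by the draft rule."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    value = resolve_field(resource, cond["field"])
    # "equals" on strings is case-insensitive; a missing field never equals a string.
    return isinstance(value, str) and value.lower() == cond["equals"].lower()

def effect(resource):
    """Return the outcome the draft rule would produce for this request."""
    return "deny" if matches(DRAFT_RULE_IF, resource) else "allow"

# Constructed payloads (assumption: names and shapes are illustrative only).
# Per the accepted answer, Copilot adds no property, so the first two are identical.
VIA_COPILOT = {"type": "Microsoft.Resources/deployments", "name": "vm-deploy"}
VIA_PORTAL = {"type": "Microsoft.Resources/deployments", "name": "vm-deploy"}
# The rule only fires when the caller sets the tag themselves.
SELF_TAGGED = {"type": "Microsoft.Resources/deployments", "name": "vm-deploy",
               "tags": {"InitiatedBy": "copilot"}}

if __name__ == "__main__":
    for label, req in [("copilot", VIA_COPILOT), ("portal", VIA_PORTAL),
                       ("self-tagged", SELF_TAGGED)]:
        print(f"{label:12s} -> {effect(req)}")
```

Because the rule keys on a tag the caller controls, it is an opt-in label rather than a control, which is why the answer points to restricting who can access Copilot instead.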
