Restrict a managed identity to be attached in only one subscription

박은수 0 Reputation points
2024-12-16T14:06:04.98+00:00

Hi.

In our org, we are sharing a single tenant with other teams by assigning a subscription to each team.

When I use managed identity for cloud identity federation, I recently found out that other team members using another subscription in the same tenant can attach the managed identity I have created in my subscription, because the MI is a service principal registered in the tenant's Entra ID. Of course, they cannot access Azure resources in my subscription, but they can access the resources in the other cloud that our team is managing.

I have searched and found that I can restrict the MI to be attached only in my subscription via Azure AD Conditional Access, but I don't have tenant-level permission.

Can I implement this as a subscription owner under which the managed identity is created?


2 answers

  1. Akpesiri Ogbebor 620 Reputation points
    2024-12-17T08:11:14.4033333+00:00

    Hello.

    Thank you for sharing your issue on Microsoft Q&A.

    I understand you are having issues restricting MI at the tenant level.

    No. Restricting managed identity attachment via Conditional Access or other tenant-level controls requires administrative privileges of Entra ID (Azure AD). As a subscription owner, you do not have the necessary directory-level permissions to implement these restrictions. The enforcement of where a user-assigned managed identity can be attached is primarily a tenant-level operation, not a subscription-level one.

    Please let me know if you need further assistance.

    Thanks

    Siri


  2. Navya 14,300 Reputation points Microsoft Vendor
    2024-12-17T18:40:23.71+00:00

    Hi @박은수

    Thank you for posting your question on Microsoft Q&A.

    I understand that the issue you are facing is that other team members using another subscription in the same tenant can attach the managed identity.

    This is because managed identities are service principals registered to the tenant, not to a specific subscription. Therefore, any user or application with sufficient permissions can attach the managed identity to a resource in any subscription within the same tenant.

    To restrict the managed identity to be attached only in your subscription, you can define a separate management group with policy assignments or Azure role assignments that are more suited to your subscription. By default, a subscription that you add in a tenant becomes a member of the root management group. If you assign policy assignments, Azure RBAC, and other governance constructs to the root management group, they immediately affect these new subscriptions.

    Configuring hierarchy settings requires Microsoft.Management/managementgroups/settings/write and Microsoft.Management/managementgroups/settings/read on the root management group.

    To configure this setting in the Azure portal, follow these steps:

    1. Use the search bar to search for and select 'Management groups'.

    2. On the root management group, select details next to the name of the management group.

    3. Under Settings, select Hierarchy settings.

    4. Select the Change default management group button.

    5. Create a new management group and add your subscription to it.

    6. Assign the managed identity to the new management group.

    For more information, you can refer to the following documentation: https://learn.microsoft.com/en-us/azure/governance/management-groups/how-to/protect-resource-hierarchy

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
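A defender-side check that follows from the question's concern (and from the second answer's point that a managed identity belongs to the tenant, not a subscription): an added example, not code from this thread or from Microsoft, that scans Azure Resource Graph-style records and lists every resource in other subscriptions that has a given user-assigned identity attached. The records, subscription IDs and resource names below are constructed; the `az graph query` command and the Resource Graph query named in the comments are assumed to be how a practitioner would obtain real records.

```python
from collections import defaultdict
# Constructed sample in the shape Azure Resource Graph returns for
#   Resources | where isnotnull(identity) | project id, subscriptionId, identity
# (assumed real source: `az graph query -q "<that query>"`). All IDs are made up.
TEAM_A_SUB = "11111111-1111-1111-1111-111111111111"
TEAM_B_SUB = "22222222-2222-2222-2222-222222222222"
MI_ID = (f"/subscriptions/{TEAM_A_SUB}/resourceGroups/team-a-rg/providers/"
         "Microsoft.ManagedIdentity/userAssignedIdentities/team-a-federation-mi")
APP_A = f"/subscriptions/{TEAM_A_SUB}/resourceGroups/team-a-rg/providers/Microsoft.Web/sites/team-a-app"
VM_B = f"/subscriptions/{TEAM_B_SUB}/resourceGroups/team-b-rg/providers/Microsoft.Compute/virtualMachines/vm-b"
APP_B = f"/subscriptions/{TEAM_B_SUB}/resourceGroups/team-b-rg/providers/Microsoft.Web/sites/team-b-app"
UAI = {MI_ID: {"clientId": "c-1", "principalId": "p-1"}}
SAMPLE_RESOURCES = [
    {"id": APP_A, "subscriptionId": TEAM_A_SUB,
     "identity": {"type": "UserAssigned", "userAssignedIdentities": UAI}},
    # Same identity attached by another team in another subscription of the tenant.
    {"id": VM_B, "subscriptionId": TEAM_B_SUB,
     "identity": {"type": "SystemAssigned, UserAssigned", "userAssignedIdentities": UAI}},
    # System-assigned only: no userAssignedIdentities map at all.
    {"id": APP_B, "subscriptionId": TEAM_B_SUB,
     "identity": {"type": "SystemAssigned", "principalId": "p-2"}},
]

def owning_subscription(resource_id: str) -> str:
    """Subscription segment of an ARM resource ID (/subscriptions/<id>/...)."""
    parts = resource_id.split("/")
    return parts[parts.index("subscriptions") + 1]

def attachments(resources, identity_id: str) -> list[str]:
    """IDs of resources whose identity block references identity_id. ARM keys
    userAssignedIdentities by the identity's resource ID; compare case-insensitively
    because ARM does not normalise resource ID casing."""
    wanted = identity_id.lower()
    def uai(r): return (r.get("identity") or {}).get("userAssignedIdentities") or {}
    return [r["id"] for r in resources if any(k.lower() == wanted for k in uai(r))]

def foreign_attachments(resources, identity_id: str) -> dict[str, list[str]]:
    """Attachments grouped by subscription, excluding the identity's own subscription."""
    home = owning_subscription(identity_id).lower()
    by_sub = defaultdict(list)
    for rid in attachments(resources, identity_id):
        if (sub := owning_subscription(rid).lower()) != home:
            by_sub[sub].append(rid)
    return dict(by_sub)

if __name__ == "__main__":
    for sub, ids in foreign_attachments(SAMPLE_RESOURCES, MI_ID).items():
        print(f"{MI_ID.rsplit('/', 1)[1]} is attached outside its subscription, in {sub}:")
        print("\n".join(f"  {rid}" for rid in ids))
```

On the sample data the only foreign attachment is the VM in the second team's subscription; run against real Resource Graph output, a non-empty result is the list of resources that can use the identity's federated access from outside your subscription.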

