Hi,
Enforcing deployments only by service principals is not possible. The only way to semi-achieve this is by giving appropriate permissions to deploy/create resources to service principals only, and for all other accounts to give only reader permissions. In case some actions need to be done by users, you can use Entra PIM to allow access temporarily. That is usually a standard practice. If you want to limit access to resources deployed by IaC, I would suggest looking at Azure Bicep and deployment stacks. Deployment stacks allow locking the resources so they cannot be modified outside of the deployment stack's deployment. Alternatively, you can look at Azure Policy deny actions as a way to protect resources.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
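The deployment-stack approach from the answer above, as an added example (not part of the original post): the stack's deny settings block writes and deletes on the managed resources for every caller except the stack deployment itself, so a CI service principal running `az stack group create` stays the only path to change them. The resource group, stack and template names and the break-glass object ID are placeholders.

```azurecli
# Added example, not from the original answer. Placeholder names/IDs below.
RG="rg-app-prod"                      # resource group owned by the IaC pipeline
STACK="stack-app-prod"                # deployment stack name
TEMPLATE="./main.bicep"               # the Bicep template the pipeline deploys
BREAK_GLASS_OBJECT_ID="<object-id>"   # user or service principal activated via PIM

# Run by the CI service principal. denyWriteAndDelete rejects any write or
# delete on the managed resources that does not come through this stack,
# regardless of the caller's RBAC role (Owner/Contributor included).
# --deny-settings-apply-to-child-scopes extends the lock to sub-resources
# (e.g. subnets, blob containers) so they cannot be edited around the stack.
# --deny-settings-excluded-principals keeps a break-glass identity usable for
# PIM-elevated incidents; keep this list as short as possible.
# --action-on-unmanage deleteResources removes resources dropped from the
# template on the next stack update instead of leaving unmanaged leftovers.
az stack group create \
  --name "$STACK" \
  --resource-group "$RG" \
  --template-file "$TEMPLATE" \
  --deny-settings-mode denyWriteAndDelete \
  --deny-settings-apply-to-child-scopes \
  --deny-settings-excluded-principals "$BREAK_GLASS_OBJECT_ID" \
  --action-on-unmanage deleteResources \
  --yes

# Check that the lock is in place and which resources it covers.
az stack group show \
  --name "$STACK" \
  --resource-group "$RG" \
  --query "{mode:denySettings.mode, excluded:denySettings.excludedPrincipals, managed:resources[].id}" \
  -o jsonc
```

Users keep Reader on the resource group as the answer describes; a direct `az ... update` by a Contributor outside the stack is refused by the deny assignment, which is the behaviour to test after the first deployment.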