This question is originally from me so I'll add some more information:
- We run a distributed operating model in our organisation where a central team runs the basic shared services and common elements per account, and then each customer is responsible for their own application's Azure consumption within a subscription.
- The central team (i.e. my team) takes responsibility for keeping the "foundation" elements properly configured in each subscription
- The problem child right now is protecting the basic network setup (VNet, subnets, security groups on subnets) that implements our network zone model.
- This is hard/awkward to protect using Azure Policy as it's not just a checkbox/setting that needs to be in place, it's a whole specific set of infrastructure.
- There are a whole load of other items that need prescriptive setup as well (Splunk integration, virtual machine management stuff, etc.), but networking is the immediate issue.
- Currently customers are given owner access to their subscription, but if we have to change that we will.
We have considered using:
- Resource Locking, where we lock the "foundation" resources, give the customers only a custom role that can't unlock/lock anything, and set a policy to stop them attaching any roles with unlock permissions. Seems possible but awkward as hell.
- Azure Blueprint Protection (not GA, but looks like it may be designed for our use case?)
- Putting all the "foundation" elements into a separate resource group in the subscription, and only granting customers access to the other resource groups in the subscription (awkward and/or needs automation).
- Tagging all foundation elements as "foundation" and using attribute-based access control to protect them (awkward, as if we let customers assign roles we'd need a policy to stop them "jailbreaking" out).
- Deny Assignments (no way to set them directly).
I'm assuming we're not the only people with this sort of organisation model, so not the only ones with this sort of issue.
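The resource-locking option in the list above has two moving parts that are easy to get subtly wrong: the customer role must not be able to touch management locks, and the customer must not be able to assign themselves a role that can. The following is an added example, not code from the original post, that models both checks locally: an evaluator for Azure RBAC role definitions (Actions minus NotActions, with `*` wildcards) and an Azure Policy definition that denies role assignments whose role definition is not on an allow list, together with a small evaluator for the subset of the policy language it uses. The built-in role GUIDs are the real well-known ids; the custom role id, the subscription id and the customer role definition itself are constructed placeholders, and the `Microsoft.Authorization/roleAssignments/roleDefinitionId` alias holds a full resource id, which is why the policy matches it with a trailing `*/roleDefinitions/<guid>` pattern.

```python
"""Added example (not from the original post): models the resource-lock approach.
Built-in role GUIDs are real; the custom role, subscription id and the policy
evaluator are constructed for illustration."""
import re

# Well-known built-in role definition GUIDs (real values).
OWNER_ID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
CONTRIBUTOR_ID = "b24988ac-6180-42a0-ab88-20f7382dd24c"
READER_ID = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
CUSTOM_ROLE_ID = "00000000-0000-0000-0000-00000000c0de"    # placeholder
SUBSCRIPTION_ID = "11111111-1111-1111-1111-111111111111"   # placeholder

ROLE_DEF_ALIAS = "Microsoft.Authorization/roleAssignments/roleDefinitionId"

OWNER = {"name": OWNER_ID, "actions": ["*"], "notActions": []}
# Built-in Contributor withholds all Microsoft.Authorization writes/deletes, so it can
# neither delete locks nor create role assignments (the subset relevant here).
CONTRIBUTOR = {"name": CONTRIBUTOR_ID, "actions": ["*"],
               "notActions": ["Microsoft.Authorization/*/Delete",
                              "Microsoft.Authorization/*/Write",
                              "Microsoft.Authorization/elevateAccess/Action"]}
# Constructed customer role: everything Owner can do, except management locks.
CUSTOMER_ROLE = {"name": CUSTOM_ROLE_ID, "actions": ["*"],
                 "notActions": ["Microsoft.Authorization/locks/*"]}


def _action_matches(pattern: str, operation: str) -> bool:
    """In an RBAC action string '*' matches any run of characters, '/' included."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def role_allows(role: dict, operation: str) -> bool:
    """Effective control-plane permission = Actions minus NotActions."""
    granted = any(_action_matches(a, operation) for a in role["actions"])
    withheld = any(_action_matches(n, operation) for n in role["notActions"])
    return granted and not withheld


def deny_unlisted_role_assignments(allowed_role_guids) -> dict:
    """Policy rule: deny any role assignment whose role definition is not on the
    allow list, so a customer cannot grant themselves Owner or another role that
    can delete locks."""
    return {
        "mode": "All",
        "policyRule": {
            "if": {"allOf": [
                {"field": "type", "equals": "Microsoft.Authorization/roleAssignments"},
                {"not": {"anyOf": [
                    {"field": ROLE_DEF_ALIAS, "like": f"*/roleDefinitions/{guid}"}
                    for guid in allowed_role_guids]}},
            ]},
            "then": {"effect": "deny"},
        },
    }


def _like(pattern: str, value: str) -> bool:
    """Policy 'like' supports a single '*' wildcard; comparison is case-insensitive."""
    head, _, tail = pattern.lower().partition("*")
    return value.lower().startswith(head) and value.lower().endswith(tail)


def _eval(cond: dict, resource: dict) -> bool:
    if "allOf" in cond:
        return all(_eval(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_eval(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not _eval(cond["not"], resource)
    value = resource.get(cond["field"], "")
    if "equals" in cond:
        return value.lower() == cond["equals"].lower()
    if "like" in cond:
        return _like(cond["like"], value)
    raise ValueError(f"unsupported condition: {cond}")


def policy_denies(policy: dict, resource: dict) -> bool:
    """Evaluate the policy subset used above against a flattened resource
    (field name -> value), the way a deny effect would on an ARM write."""
    rule = policy["policyRule"]
    return rule["then"]["effect"] == "deny" and _eval(rule["if"], resource)


def role_assignment(role_guid: str) -> dict:
    """Constructed role assignment, flattened to the fields the policy inspects."""
    return {"type": "Microsoft.Authorization/roleAssignments",
            ROLE_DEF_ALIAS: f"/subscriptions/{SUBSCRIPTION_ID}/providers/"
                            f"Microsoft.Authorization/roleDefinitions/{role_guid}"}


if __name__ == "__main__":
    lock_delete = "Microsoft.Authorization/locks/delete"
    print("Owner can delete locks:", role_allows(OWNER, lock_delete))
    print("Customer role can delete locks:", role_allows(CUSTOMER_ROLE, lock_delete))
    policy = deny_unlisted_role_assignments([CUSTOM_ROLE_ID, READER_ID])
    print("Assigning Owner is denied:", policy_denies(policy, role_assignment(OWNER_ID)))
    print("Assigning customer role is denied:",
          policy_denies(policy, role_assignment(CUSTOM_ROLE_ID)))
```

The Contributor definition is included for comparison: it already cannot delete locks, but it also cannot write role assignments at all, which is the trade-off the custom role plus allow-list policy is trying to avoid. The policy only constrains which role definitions can be assigned; it does not stop someone who already holds a role with `Microsoft.Authorization/roleDefinitions/write` from editing the custom role itself, so that action belongs in the NotActions list too if customers are allowed to manage roles.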