Azure Policy: Deny external accounts with write permission

Inbal Silis 116 Reputation points Microsoft Employee
2022-06-15T08:53:41.927+00:00

Do you know if Azure policy can block external/guest user from getting read/write/owner permissions?
For example, I have this policy from Defender for Cloud: “External accounts with read permissions should be removed from your subscription”
Now, the policy is only Audit and assess/post creation.
I found this great policy in git: azure-policy/samples/Authorization/allowed-role-definitions at master · Azure/azure-policy (github.com)
The question is whether there can be an option to add a condition for guest users.
How can I relate in Azure policy to external/guest user?


Accepted answer
    Stanislav Zhelyazkov 25,321 Reputation points MVP
    2022-06-16T12:23:22.383+00:00

    Hi,
    Basically, Azure does not know if the account is external/guest. This information is checked against Azure AD. As Azure Policy works only within the boundaries of Azure and cannot work on Azure AD, this is not possible. The policy 'External accounts with read permissions should be removed from your subscription' works in this way: Defender for Cloud (Azure Security Center) checks, on a schedule, whether there are external accounts that have role assignments on Azure, by looking up through Azure AD whether the account is external. The results are then published to an API on Azure. Azure Policy goes and checks the results from that API. The mentioned sample checks against the role assignments API (Microsoft.Authorization/roleAssignments), but that API does not know if the account is external or not. So the short answer is that it is not possible to do this via Azure Policy.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
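    To make the point of the answer concrete, here is an added example (written for this page, not the Azure/azure-policy sample itself) of a custom deny policy in the style of the allowed-role-definitions sample. The only properties the rule can evaluate are those of the role assignment resource itself (its roleDefinitionId, and likewise principalId, principalType and scope); there is no field for Azure AD user type, which is why a "deny guest users" condition cannot be expressed here. The parameter name allowedRoleDefinitionIds is this example's own.

    ```json
    {
      "properties": {
        "displayName": "Allowed role definitions for role assignments (added example)",
        "description": "Denies creation of a role assignment whose role definition is not in the allowed list. Evaluates only role assignment properties; guest/external status lives in Azure AD and is not visible to Azure Policy.",
        "mode": "All",
        "parameters": {
          "allowedRoleDefinitionIds": {
            "type": "Array",
            "metadata": {
              "displayName": "Allowed role definition IDs",
              "description": "Full resource IDs of role definitions that may be assigned; any other role definition is denied."
            }
          }
        },
        "policyRule": {
          "if": {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Authorization/roleAssignments"
              },
              {
                "field": "Microsoft.Authorization/roleAssignments/roleDefinitionId",
                "notIn": "[parameters('allowedRoleDefinitionIds')]"
              }
            ]
          },
          "then": {
            "effect": "deny"
          }
        }
      }
    }
    ```

    Assigning this at subscription scope restricts which roles anyone can be granted, but the guest check still has to come from Defender for Cloud's scheduled assessment, which is the only component in the answer that consults Azure AD.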

