Hi @rubberduckdev,
Thank you for reaching out to Microsoft Q&A.
This approach via Azure Policy is not going to work for the scenario mentioned in the question. The deny effect is used to prevent a resource request that doesn't match defined standards through a policy definition and fails the request. A basic example would be "deny all operations on a resource which does not have a particular tag." This would not work selectively, i.e. to allow modification to one property and deny it for another. This effect is not selective and will operate on the entire resource.
For the use case mentioned in the question, "Locks" and "RBAC to follow principle of least privilege" are the best way to proceed forward.
Locks: you can lock an Azure subscription, resource group, or resource to protect them from accidental user deletions and modifications.
Role-based access control (RBAC): to ensure that critical resources are accessible only to those who have the requirement.
Please let me know if you have any questions.
---
Please 'Accept as answer' and 'Upvote' if it helped so that it can help others in the community looking for help on similar topics.
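The three controls named in this answer, as an added illustration that is not the answerer's code and not Azure Resource Manager's implementation: a small Python evaluator for a "tag required" policy with the deny effect, a resource-lock check, and a simplified RBAC action check. The policy rule, role definitions and resource bodies are constructed sample data, and the evaluator covers only a handful of policy operators (field, equals, exists, like, allOf, anyOf, not).

```python
"""Constructed simulation of an Azure Policy 'deny' effect, resource locks and
RBAC. Added for illustration; it is not Azure's implementation and supports
only a small subset of the policy language."""
import fnmatch
from typing import Any, Optional

# Constructed policy rule: deny any request whose resulting resource body
# lacks an 'environment' tag.
DENY_UNTAGGED = {
    "if": {"field": "tags['environment']", "exists": "false"},
    "then": {"effect": "deny"},
}


def get_field(resource: dict, field: str) -> Any:
    """Resolve a policy 'field' alias against the requested resource body.
    Supports top-level fields ("type", "location"), dotted paths
    ("properties.minimumTlsVersion") and tag lookups ("tags['env']")."""
    if field.startswith("tags['") and field.endswith("']"):
        return resource.get("tags", {}).get(field[6:-2])
    cur: Any = resource
    for part in field.split("."):
        if not isinstance(cur, dict):
            return None
        cur = cur.get(part)
    return cur


def condition_matches(cond: dict, resource: dict) -> bool:
    """Evaluate a policy condition against the full resource body."""
    if "allOf" in cond:
        return all(condition_matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_matches(cond["not"], resource)
    value = get_field(resource, cond["field"])
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return value == cond["equals"]
    if "like" in cond:
        return isinstance(value, str) and fnmatch.fnmatchcase(value, cond["like"])
    raise ValueError(f"unsupported condition: {cond}")


def evaluate_policy(policy: dict, resource: dict) -> str:
    """Return 'deny' or 'allow'. The only inputs are the policy and the
    resource as it would look after the request; which property the caller
    changed is not an input, so a deny cannot be scoped to one property."""
    if policy["then"]["effect"].lower() == "deny" and condition_matches(policy["if"], resource):
        return "deny"
    return "allow"


def lock_allows(lock_level: Optional[str], operation: str) -> bool:
    """Resource lock semantics: CanNotDelete blocks delete; ReadOnly blocks
    delete and write while reads remain allowed."""
    if lock_level is None:
        return True
    if lock_level == "CanNotDelete":
        return operation != "delete"
    if lock_level == "ReadOnly":
        return operation == "read"
    raise ValueError(f"unknown lock level: {lock_level}")


def rbac_allows(actions: list, not_actions: list, requested: str) -> bool:
    """Simplified RBAC: a control-plane action is permitted when it matches one
    of the role's Actions and none of its NotActions ('*' wildcards)."""
    if any(fnmatch.fnmatchcase(requested, na) for na in not_actions):
        return False
    return any(fnmatch.fnmatchcase(requested, a) for a in actions)


def demo() -> dict:
    """Two PUT requests that each change only the SKU. Policy decides on the
    resulting body alone, so the untagged one is denied in full."""
    base = {"type": "Microsoft.Storage/storageAccounts", "location": "westeurope",
            "properties": {"minimumTlsVersion": "TLS1_2"}}
    untagged_sku_change = {**base, "sku": {"name": "Standard_GRS"}}
    tagged_sku_change = {**base, "sku": {"name": "Standard_GRS"},
                         "tags": {"environment": "prod"}}
    # Constructed least-privilege role: read and write, but no delete.
    reader_writer = (["Microsoft.Storage/storageAccounts/read",
                      "Microsoft.Storage/storageAccounts/write"], [])
    return {
        "policy_untagged": evaluate_policy(DENY_UNTAGGED, untagged_sku_change),
        "policy_tagged": evaluate_policy(DENY_UNTAGGED, tagged_sku_change),
        "readonly_lock_write": lock_allows("ReadOnly", "write"),
        "cannotdelete_lock_write": lock_allows("CanNotDelete", "write"),
        "rbac_delete": rbac_allows(*reader_writer, "Microsoft.Storage/storageAccounts/delete"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point to take from `evaluate_policy` is its signature: it receives the policy and the final resource state, not a diff of what changed, which is why a deny cannot be made to fire only for one property. A lock or a role whose Actions omit the sensitive operation are the controls that act on the operation itself.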