Azure ARM policy to deny role assignments only by resource group owners

I have a requirement where I need to deny only owners of the resource group from doing new role assignments or changes to existing role assignments.

Resource group contributors and readers cannot do any role assignments/modifications anyway.

Role assignments/modifications should be done by Subscription-level and Management-level Owners only, and of course by Admins.

I followed this GitHub sample, but there is no way to restrict only owners of the resource group:

https://github.com/Azure/azure-policy/blob/master/samples/Authorization/allowed-role-definitions/azurepolicy.json

I created the policy below, but it denies everyone role assignments/modifications:

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Authorization/roleAssignments"
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  },
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Effect of this Azure Policy - Audit, Deny or Disabled"
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Deny"
    }
  }
}
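Azure Policy evaluates a rule against the request payload (the resource type, the role definition being assigned, and similar aliases); it has no condition that inspects which principal is making the call, so the policy above cannot be narrowed to "only when a resource group owner does it". What it can be narrowed to is which roles may be assigned. The following is an added example, not code from the question or from the linked sample: it keeps the structure of the policy above but denies only assignments of one role, by default the built-in Owner role (role definition GUID 8e3af657-a8ff-443c-a75c-2fe8c4bcb635), so a resource group owner can still hand out Contributor or Reader but cannot create further owners. It assumes the `Microsoft.Authorization/roleAssignments/roleDefinitionId` alias used by the linked sample, and uses the `like` operator's single `*` wildcard to match the subscription-specific prefix of the role definition ID; the parameter name `deniedRoleDefinitionId` is chosen here for illustration.

```json
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Authorization/roleAssignments"
        },
        {
          "field": "Microsoft.Authorization/roleAssignments/roleDefinitionId",
          "like": "[concat('*/providers/Microsoft.Authorization/roleDefinitions/', parameters('deniedRoleDefinitionId'))]"
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  },
  "parameters": {
    "deniedRoleDefinitionId": {
      "type": "String",
      "metadata": {
        "displayName": "Denied role definition GUID",
        "description": "GUID of the role definition that may not be assigned at or below the assigned scope. Default is the built-in Owner role (assumed well-known GUID)."
      },
      "defaultValue": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
    },
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Effect of this Azure Policy - Audit, Deny or Disabled"
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Deny"
    }
  }
}
```

Two caveats when assigning it: the deny applies to every role assignment write at or below the assignment scope, including ones made by subscription Owners, because policy can exclude scopes (notScopes, exemptions) but not principals; and Deny is evaluated on create/update only, so it does not block deleting an existing assignment.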


Solution 1:[1]

AFAIK, we cannot create deny assignments directly. As shown in the portal: "Deny assignments block users from performing specific actions even if a role assignment grants them access. At this time, the only way you can add your own deny assignments is by using Azure Blueprints."


To achieve this using a blueprint, please refer to this Microsoft tutorial: Protect new resources with Azure Blueprints resource locks

For more information, please refer to the links below:

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1: AjayKumarGhose-MT