Azure custom role: authorize role assignment for a specific set of roles

I am trying to create a custom role in Azure that would allow subscription "owners" to do almost everything except cancelling/renaming their own subscriptions or moving them into another management group.

I would also like them to be able to grant access rights to whomever they want (especially the built-in "Contributor" role) but without allowing them to grant the "Owner" right, otherwise my custom role could be tricked easily.

I ended up with the following custom role definition, which is so far nice and working, apart from the role assignment of course:

{
  "Name": "MyCustomRole",
  "IsCustom": true,
  "Description": "Role designed for Azure subscriptions ownership limitations",
  "Actions": [
    "*"
  ],
  "NotActions": [
    "Microsoft.Management/managementGroups/subscriptions/write",
    "Microsoft.Subscription/cancel/action",
    "Microsoft.Subscription/rename/action"
  ],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/providers/Microsoft.Management/managementGroups/root.mg"
  ]
}

In the Azure documentation, the only operation I found for role assignment is Microsoft.Authorization/roleAssignments/write.

Is there any way to restrict that - to Contributor role assignment for instance - directly in the custom role?

Azure Policy might technically do the trick (not even sure), but since some operational/experts/whatever guys might end up as Owner, I do not want the policy engine to display "non-compliant" resources. It would lead customers to misunderstandings that I would like to avoid.



Solution 1:[1]

You might want to try Azure Policy, which you can apply on top of your IAM model. You can assign a policy on the Subscription or Management Group level, based on your governance structure.

The policy definition below will block EVERY request trying to assign the "Owner" role, with no exception. The built-in Owner role is represented by "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", the same GUID across all Azure tenants.

However, role assignments of other RBAC roles would still be possible. This should fulfill your use case.

https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

{
  "policyType": "Custom",
  "mode": "All",
  "displayName": "DenyOwnerAssignment",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "Microsoft.Authorization/roleAssignments/roleDefinitionId",
          "contains": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
        },
        {
          "field": "type",
          "equals": "Microsoft.Authorization/roleAssignments"
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "type": "Microsoft.Authorization/policyDefinitions"
}

Solution 2:[2]

To my knowledge, no, you cannot be that granular; you can only restrict a specific action.

PS: technically this is correct, but the policy usage above is really clever ;)

Solution 3:[3]

Yes, it should be possible when you assign a policy, so it is not part of the definition but of the assignment. You can assign the policy at subscription-level scope and exclude resource groups. You can do that via "notScopes".

Please see the Azure Policy docs for how to do this (section "Excluded scopes"):

The scope of the assignment includes all child resource containers and child resources. If a child resource container or child resource shouldn't have the definition applied, each can be excluded from evaluation by setting notScopes. This property is an array to enable excluding one or more resource containers or resources from evaluation. notScopes can be added or updated after creation of the initial assignment.

https://docs.microsoft.com/en-us/azure/governance/policy/concepts/assignment-structure

You can include excluded scopes in the portal when assigning Policy or through PowerShell by including -NotScope parameter.
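To see how the deny rule from Solution 1 and the notScopes exclusion from Solution 3 interact before assigning anything in a real tenant, here is an added example (written for this page, not code from the question or the answers, and not Azure's policy engine) that emulates the evaluation offline: it embeds the Solution 1 rule as data, models a policy assignment with a scope and notScopes, and runs constructed role-assignment requests through it. The subscription ID and resource group name are constructed; the Contributor and User Access Administrator role definition GUIDs are the built-in IDs and are not taken from the page. The last request shows the gap a practitioner should know about: the rule only matches the Owner GUID, so assigning User Access Administrator (a built-in role that itself carries Microsoft.Authorization/roleAssignments/write) is allowed by this policy alone, and a principal holding it could still grant Owner unless that role is denied as well.

```python
"""
Offline emulation of Azure Policy "deny" evaluation for role assignments.
Simplified model written for this page; it is NOT Azure's policy engine and
supports only the operators the Solution 1 rule uses (allOf/anyOf/not,
equals, contains).
"""
from dataclasses import dataclass, field

# Built-in role definition GUIDs (identical in every Azure tenant).
OWNER_ROLE_ID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"              # from Solution 1
CONTRIBUTOR_ROLE_ID = "b24988ac-6180-42a0-ab88-20f7382dd24c"        # built-in Contributor
USER_ACCESS_ADMIN_ROLE_ID = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"  # built-in User Access Administrator

# The policyRule from Solution 1, embedded as data.
DENY_OWNER_RULE = {
    "if": {
        "allOf": [
            {"field": "Microsoft.Authorization/roleAssignments/roleDefinitionId",
             "contains": OWNER_ROLE_ID},
            {"field": "type", "equals": "Microsoft.Authorization/roleAssignments"},
        ]
    },
    "then": {"effect": "deny"},
}


@dataclass
class PolicyAssignment:
    rule: dict
    scope: str                                   # e.g. "/subscriptions/<sub-id>"
    not_scopes: list = field(default_factory=list)  # excluded child scopes (Solution 3)


def _in_scope(resource_scope: str, container: str) -> bool:
    """True when resource_scope is container itself or a child of it (ARM IDs are case-insensitive)."""
    r, c = resource_scope.lower(), container.lower().rstrip("/")
    return r == c or r.startswith(c + "/")


def _eval_condition(cond: dict, fields: dict) -> bool:
    """Evaluate a policy condition against the request's field values."""
    if "allOf" in cond:
        return all(_eval_condition(c, fields) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_eval_condition(c, fields) for c in cond["anyOf"])
    if "not" in cond:
        return not _eval_condition(cond["not"], fields)
    value = fields.get(cond["field"], "")
    if "equals" in cond:
        return value.lower() == cond["equals"].lower()
    if "contains" in cond:
        return cond["contains"].lower() in value.lower()
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(assignment: PolicyAssignment, request: dict) -> str:
    """Return "deny", "allow" or "not evaluated" for one role-assignment request."""
    scope = request["scope"]
    if not _in_scope(scope, assignment.scope):
        return "not evaluated"                      # outside the assignment scope
    if any(_in_scope(scope, ns) for ns in assignment.not_scopes):
        return "not evaluated"                      # excluded via notScopes
    if _eval_condition(assignment.rule["if"], request["fields"]):
        return assignment.rule["then"]["effect"]
    return "allow"


def role_assignment_request(scope: str, role_id: str) -> dict:
    """Field view of a PUT on Microsoft.Authorization/roleAssignments at the given scope.

    roleDefinitionId is a full ARM path ending in the role GUID, which is why
    the Solution 1 rule uses "contains" rather than "equals".
    """
    return {
        "scope": scope,
        "fields": {
            "type": "Microsoft.Authorization/roleAssignments",
            "Microsoft.Authorization/roleAssignments/roleDefinitionId":
                f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_id}",
        },
    }


def demo() -> dict:
    """Run constructed requests through a subscription-scoped assignment with one excluded RG."""
    sub = "/subscriptions/00000000-0000-0000-0000-000000000000"   # constructed subscription
    other_sub = "/subscriptions/11111111-1111-1111-1111-111111111111"  # constructed, not covered
    sandbox_rg = f"{sub}/resourceGroups/sandbox-rg"                # constructed, excluded via notScopes
    pa = PolicyAssignment(DENY_OWNER_RULE, scope=sub, not_scopes=[sandbox_rg])
    return {
        "owner_at_sub": evaluate(pa, role_assignment_request(sub, OWNER_ROLE_ID)),
        "contributor_at_sub": evaluate(pa, role_assignment_request(sub, CONTRIBUTOR_ROLE_ID)),
        "owner_in_excluded_rg": evaluate(pa, role_assignment_request(sandbox_rg, OWNER_ROLE_ID)),
        "owner_in_other_sub": evaluate(pa, role_assignment_request(other_sub, OWNER_ROLE_ID)),
        # Gap: only the Owner GUID is denied, so User Access Administrator passes.
        "uaa_at_sub": evaluate(pa, role_assignment_request(sub, USER_ACCESS_ADMIN_ROLE_ID)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Running it prints deny for Owner at the subscription, allow for Contributor, "not evaluated" for the excluded resource group and for the other subscription, and allow for User Access Administrator. To close that last gap, add the User Access Administrator GUID (and any custom role whose Actions include Microsoft.Authorization/roleAssignments/write, such as the one in the question) to the denied set, for instance by replacing the single "contains" condition with an "anyOf" over several GUIDs.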

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 user2761155
Solution 2
Solution 3