Is there any built-in role to deny permission to create resources in an Azure subscription, except for some users? I have used the 'Not allowed resource types' policy, but it applies to the whole subscription.
I tried to reproduce the same in my environment to deny resource creation in Azure:
Thanks to Tiny Wang for suggesting the same.
Assign the Reader role to the users or group whose resource creation should be restricted in Azure, like below.
Azure Portal > Subscription > Select your subscription > Access control (IAM) > Add > Add role assignment.
Reader role assigned.
When I tried to create Azure VM within Subscription, I got an authorization error with the same user.
Note: if you create an Azure Policy to deny resource creation, the policy applies at the scope level (e.g. subscription, resource group), not to users.
I have created a policy and assigned it to the resource group scope to deny resource creation within a resource group.
When I tried to create any resource, I got a policy restriction error.
Azure Policy rule:
{
"mode": "All",
"policyRule": {
"if": {
"field": "type",
"in": "[parameters('listOfResourcesTypesNotAllowed')]"
},
"then": {
"effect": "Deny"
}
},
"parameters": {
"listOfResourcesTypesNotAllowed": {
"type": "Array",
"metadata": {
"displayName": "Not Allowed Resources creation",
"description": "The list of resources type that cannot be deployed.",
"strongType": "resourceTypes"
}
}
}
}
I'm trying to write an ARM template to deploy a connection to the storage account for my Logic App. The problem is that my Logic App belongs to one resource group and the storage account to another.
When I run the deployment pipeline I get the following deployment error:
The Resource 'Microsoft.Storage/storageAccounts/StorageAccountName'
under resource group 'Logic App Resource Group' was not found.
I understand that the storage account does not belong to this resource group but how do I write the ARM template to look for the storage account from another group?
Here is my template for the connection:
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[parameters('storageConName')]",
"location": "[parameters('logicAppLocation')]",
"properties": {
"displayName": "[parameters('storageConName')]",
"parameterValues": {
"accountName": "[parameters('storageAccountName')]",
"accessKey": "[listKeys(variables('storageAccountId'),'2019-06-01').keys[0].value]"
},
"api": {
"id": "[concat('/subscriptions/',parameters('resourceGroupId'),'/providers/Microsoft.Web/locations/northeurope/managedApis/azureblob')]"
}
}
}
I've worked out what was wrong: properties.api.id was using the Logic App's resource group id where it should be using the storage account's resource group id.
I misunderstood that this was the resource group where I wanted the connection to be created.
I have written some automation (using the az command line) that creates virtual machines for us.
However, since users have Contributor access to the various subscriptions, they log in to the portal and create the VMs manually.
I would like to prevent the users from creating the VMs by logging in to the portal.
How do I leverage Azure Policy to enforce this?
I tried to reproduce this scenario on my end and was able to restrict users with the Contributor role from creating VMs via the Portal.
I created one Policy Definition like below:
{
"parameters": {},
"policyRule":
{
"if": {
"anyOf": [
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
{
"field": "Microsoft.Authorization/roleAssignments/roleDefinitionId",
"contains": "a8f97275-2685-41ce-a61d-dc550cd090f8"
}
]
},
"then":
{
"effect": "deny"
}
}
}
And assigned this policy at the subscription level:
I have one user with Contributor role like below:
Now, when the user with Contributor role tried to create a VM, the VM creation was disallowed by the Policy like below:
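To make the scope behaviour in both policy answers above concrete (the 'Not allowed resource types' rule assigned to a resource group in the first thread, and the anyOf rule assigned at subscription level here), the following is an added, illustrative evaluator written for this page; it is not Azure's policy engine and not code from either poster. It implements only the subset of the policy language those two rules use (field with equals/in/contains, anyOf/allOf, and [parameters('...')] resolution). The subscription id, resource group names, request ids and the parameter value for the first rule are constructed sample data.

```python
"""Added example: a minimal evaluator for the two Azure Policy "deny" rules quoted
in this page.  It models how assignment scope and rule conditions combine; it is
not the real engine.  Subscription id, group names and requests are constructed."""
import re

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed

# Rule from the first thread: deny every type listed in the assignment parameter.
NOT_ALLOWED_TYPES = {"policyRule": {
    "if": {"field": "type", "in": "[parameters('listOfResourcesTypesNotAllowed')]"},
    "then": {"effect": "Deny"}}}

# Rule from this thread.  The second anyOf branch can only match a
# Microsoft.Authorization/roleAssignments resource, so on a VM create request
# only the first branch is relevant.
DENY_VM = {"policyRule": {
    "if": {"anyOf": [
        {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
        {"field": "Microsoft.Authorization/roleAssignments/roleDefinitionId",
         "contains": "a8f97275-2685-41ce-a61d-dc550cd090f8"}]},
    "then": {"effect": "deny"}}}

def resolve(value, parameters):
    """Resolve a "[parameters('name')]" expression; any other value passes through."""
    if isinstance(value, str):
        m = re.fullmatch(r"\[parameters\('([^']+)'\)\]", value)
        if m:
            return parameters[m.group(1)]
    return value

def matches(cond, request, parameters):
    """Evaluate one condition against the resource being created (case-insensitive)."""
    if "anyOf" in cond:
        return any(matches(c, request, parameters) for c in cond["anyOf"])
    if "allOf" in cond:
        return all(matches(c, request, parameters) for c in cond["allOf"])
    actual = request.get(cond["field"])  # None when the alias does not exist on this type
    if actual is None:
        return False
    actual = actual.lower()
    if "equals" in cond:
        return actual == resolve(cond["equals"], parameters).lower()
    if "in" in cond:
        return actual in [v.lower() for v in resolve(cond["in"], parameters)]
    if "contains" in cond:
        return resolve(cond["contains"], parameters).lower() in actual
    raise ValueError(f"unsupported condition: {cond}")

def in_scope(assignment_scope, resource_id):
    """An assignment applies to every resource at or below its scope."""
    return resource_id.lower().startswith(assignment_scope.lower().rstrip("/") + "/")

def evaluate(assignments, request):
    """Effect of the first matching in-scope assignment, else "Allow".
    The request carries no principal: policy is decided per scope, never per user,
    which is why RBAC (Reader vs Contributor) is the tool for per-user restrictions."""
    for a in assignments:
        if in_scope(a["scope"], request["id"]):
            rule = a["definition"]["policyRule"]
            if matches(rule["if"], request, a.get("parameters", {})):
                return rule["then"]["effect"].capitalize()
    return "Allow"

ASSIGNMENTS = [  # constructed: first rule on one resource group, second on the subscription
    {"scope": f"{SUB}/resourceGroups/locked-rg", "definition": NOT_ALLOWED_TYPES,
     "parameters": {"listOfResourcesTypesNotAllowed": ["Microsoft.Storage/storageAccounts"]}},
    {"scope": SUB, "definition": DENY_VM},
]

def request(rg, rtype, name):
    """Build a constructed create request for a resource inside a resource group."""
    return {"id": f"{SUB}/resourceGroups/{rg}/providers/{rtype}/{name}", "type": rtype}

def demo():
    """Outcomes for four constructed create requests."""
    return {
        "storage in locked-rg": evaluate(ASSIGNMENTS, request("locked-rg", "Microsoft.Storage/storageAccounts", "st1")),
        "storage in other-rg": evaluate(ASSIGNMENTS, request("other-rg", "Microsoft.Storage/storageAccounts", "st2")),
        "vm in other-rg": evaluate(ASSIGNMENTS, request("other-rg", "Microsoft.Compute/virtualMachines", "vm1")),
        "vault in other-rg": evaluate(ASSIGNMENTS, request("other-rg", "Microsoft.KeyVault/vaults", "kv1")),
    }

if __name__ == "__main__":
    for label, effect in demo().items():
        print(f"{label:22} -> {effect}")
```

The storage account is denied only inside locked-rg, while the VM is denied everywhere under the subscription, and nothing in the evaluation depends on who submitted the request: that is the distinction the note in the first answer draws between policy (scope-bound) and role assignments (principal-bound).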
I have a setup which uses Azure AD B2C and I want to enable monitoring using Azure Monitor.
I followed the steps described on this page: https://learn.microsoft.com/en-us/azure/active-directory-b2c/azure-monitor
It works, but before I roll it out to other environments I would like to verify exactly what changes the ARM template referred to in the documentation makes. If I interpret the ARM template correctly, it creates a Managed Services Registration Definition and assigns it to the provided resource group.
Is it possible to see in the Azure Portal what Managed Services Registration Definitions are assigned to a resource group?
ARM Template:
{
"$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"mspOfferName": {
"type": "string",
"metadata": {
"description": "Specify a unique name for your offer"
},
"defaultValue": "<to be filled out by MSP> Specify a title for your offer"
},
"mspOfferDescription": {
"type": "string",
"metadata": {
"description": "Name of the Managed Service Provider offering"
},
"defaultValue": "<to be filled out by MSP> Provide a brief description of your offer"
},
"managedByTenantId": {
"type": "string",
"metadata": {
"description": "Specify the tenant id of the Managed Service Provider"
},
"defaultValue": "<to be filled out by MSP> Provide your tenant id"
},
"authorizations": {
"type": "array",
"metadata": {
"description": "Specify an array of objects, containing tuples of Azure Active Directory principalId, a Azure roleDefinitionId, and an optional principalIdDisplayName. The roleDefinition specified is granted to the principalId in the provider's Active Directory and the principalIdDisplayName is visible to customers."
},
"defaultValue": [
{
"principalId": "<Replace with group's OBJECT ID>",
"principalIdDisplayName": "Azure AD B2C tenant administrators",
"roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c"
}
]
},
"rgName": {
"type": "string",
"defaultValue": "<Replace with Resource Group's Name e.g. az-monitor-rg>"
}
},
"variables": {
"mspRegistrationName": "[guid(parameters('mspOfferName'))]",
"mspAssignmentName": "[guid(parameters('mspOfferName'))]"
},
"resources": [
{
"type": "Microsoft.ManagedServices/registrationDefinitions",
"apiVersion": "2019-06-01",
"name": "[variables('mspRegistrationName')]",
"properties": {
"registrationDefinitionName": "[parameters('mspOfferName')]",
"description": "[parameters('mspOfferDescription')]",
"managedByTenantId": "[parameters('managedByTenantId')]",
"authorizations": "[parameters('authorizations')]"
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2018-05-01",
"name": "rgAssignment",
"resourceGroup": "[parameters('rgName')]",
"dependsOn": [
"[resourceId('Microsoft.ManagedServices/registrationDefinitions/', variables('mspRegistrationName'))]"
],
"properties":{
"mode":"Incremental",
"template":{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"resources": [
{
"type": "Microsoft.ManagedServices/registrationAssignments",
"apiVersion": "2019-06-01",
"name": "[variables('mspAssignmentName')]",
"properties": {
"registrationDefinitionId": "[resourceId('Microsoft.ManagedServices/registrationDefinitions/', variables('mspRegistrationName'))]"
}
}
]
}
}
}
],
"outputs": {
"mspOfferName": {
"type": "string",
"value": "[concat('Managed by', ' ', parameters('mspOfferName'))]"
},
"authorizations": {
"type": "array",
"value": "[parameters('authorizations')]"
}
}
}
Here, the MSP offer and MSP description refer to the ARM template publication. Whenever you want to create your own managed service in an ARM template, you assign one MSP offer name and description to your service and send it to customers for use, or even upload the template to the Azure Marketplace.
An MSP offering is a managed service offering, where Microsoft cloud partners create their own managed service and make it available to their customers' tenants privately for specific users, or publish it publicly in the Azure Marketplace to reach more customers with their service.
Imagine a scenario where you are a Microsoft partner managing multiple customers and their tenants. You need to create a managed service for your customer and provide them delegated access to your service. Here you first create an ARM template to onboard your customers (you can do it via Azure Lighthouse too). For onboarding you keep an MSP offer ID, which is unique for individual customers; if you want to keep the offer ID the same for all customers, even that can be set. After the MSP offer ID, you can delegate your service to the customer by allowing them to put their tenant ID, or the object ID of a service principal, group or user, in your template. Once that is assigned, your managed service will be available for the customers to use. You can keep the offer public or private, and you can either keep one managed identity for all the customers or allow customers to provide the object ID of their own tenant's group, users or service principals.
In the above document, the ARM template is created with an MSP offer in your Azure AD tenant to provide delegated access to your Azure AD B2C tenant. Thus you are managing your Azure AD B2C tenant via your Azure AD by providing a resource group as a delegated resource between both tenants, together with your group's object ID, which acts as the authorization between your Azure AD and Azure AD B2C tenant. Going by the above scenario, imagine your Azure AD tenant as a partner tenant trying to provide a managed service to your Azure AD B2C tenant.
I followed the document and deployed an Azure monitoring service for Azure AD B2C.
This ARM template asks to connect the resource group from our Azure subscription to our Azure AD B2C tenant.
It authorizes our Azure AD B2C tenant with the group's object ID, projecting it onto the resource group of our Azure subscription.
mspOfferName: the name of the offer or service that is being provided by our Azure subscription. Here we can give any name according to our need. For now we are integrating an Azure Monitor Log Analytics workspace with our Azure AD B2C tenant, thus we use the name "Azure AD B2C Monitoring".
mspOfferDescription: the description of your service.
managedByTenantId: this is going to be the tenant ID (the managed-by ID) of your Azure AD B2C tenant, to onboard it to our subscription's resource.
roleDefinitionId: populated automatically; this is your Azure role. In my case I am using an Azure subscription with the Owner role, thus the role definition ID of the Owner role is populated.
rgName: the name of our resource group where our Log Analytics workspace is deployed.
After I created the managed service, I went to "Go to resource" and the deployment was successful.
After the deployment, I got the audit logs from Azure AD B2C into my Azure Log Analytics workspace successfully.
Customer statement: "Is it possible to see in the Azure Portal what Managed Services Registration Definitions are assigned to a resource group?"
To view what managed service is deployed, you can visit Azure Portal > Search > Service providers.
You will find your service provider MSP like below:
As this managed service is not part of the Azure Marketplace, the Marketplace offer is not visible.
You can view your resource group delegated to the Azure AD B2C tenant here:
You can also visit your resource group and check the deployment history:
Here are the deployments that succeeded as part of the managed service:
You can also view the complete logs of these three deployments that were created for your managed service creation and monitoring by visiting the Activity Log:
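The question asked how to verify what the documented template changes before rolling it out further. Besides the portal blades the answer lists, the delegation can be reviewed statically from the template itself. The following is an added example written for this page, not code from the questioner, the answerer or Microsoft: a small inspector that resolves parameter defaults, walks nested Microsoft.Resources/deployments and reports each Microsoft.ManagedServices resource with the tenant and role being delegated. The template embedded below is a trimmed copy of the quoted structure; the tenant id and group object id in it are constructed placeholders.

```python
"""Added example: static inspection of a subscription-level ARM template of the
shape quoted above, listing the Lighthouse delegation it creates.  The template
is a trimmed copy of the quoted one with constructed placeholder ids."""
import json
import re

# Built-in role definition ids that appear in the thread.
ROLE_NAMES = {"b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor"}

TEMPLATE = {
    "parameters": {
        "mspOfferName": {"type": "string", "defaultValue": "Azure AD B2C Monitoring"},
        "managedByTenantId": {"type": "string",
                              "defaultValue": "11111111-1111-1111-1111-111111111111"},  # constructed
        "authorizations": {"type": "array", "defaultValue": [
            {"principalId": "22222222-2222-2222-2222-222222222222",  # constructed group object id
             "principalIdDisplayName": "Azure AD B2C tenant administrators",
             "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c"}]},
        "rgName": {"type": "string", "defaultValue": "az-monitor-rg"},
    },
    "resources": [
        {"type": "Microsoft.ManagedServices/registrationDefinitions",
         "name": "[variables('mspRegistrationName')]",
         "properties": {"registrationDefinitionName": "[parameters('mspOfferName')]",
                        "managedByTenantId": "[parameters('managedByTenantId')]",
                        "authorizations": "[parameters('authorizations')]"}},
        {"type": "Microsoft.Resources/deployments", "name": "rgAssignment",
         "resourceGroup": "[parameters('rgName')]",
         "properties": {"mode": "Incremental", "template": {"resources": [
             {"type": "Microsoft.ManagedServices/registrationAssignments",
              "name": "[variables('mspAssignmentName')]",
              "properties": {"registrationDefinitionId":
                  "[resourceId('Microsoft.ManagedServices/registrationDefinitions/', variables('mspRegistrationName'))]"}}]}}},
    ],
}

def resolve(value, params):
    """Replace a "[parameters('x')]" expression with the parameter's default value;
    other expressions (variables, resourceId) are left untouched."""
    if isinstance(value, str):
        m = re.fullmatch(r"\[parameters\('([^']+)'\)\]", value)
        if m:
            return params[m.group(1)].get("defaultValue")
    return value

def walk(resources, params, scope, out):
    """Collect managed-services resources, descending into nested deployments."""
    for r in resources:
        rtype = r["type"]
        if rtype.lower() == "microsoft.resources/deployments":
            rg = resolve(r.get("resourceGroup"), params)
            inner_scope = f"resourceGroup:{rg}" if rg else scope
            walk(r["properties"]["template"].get("resources", []), params, inner_scope, out)
            continue
        entry = {"type": rtype, "scope": scope, "name": r["name"]}
        props = r.get("properties", {})
        if rtype.lower() == "microsoft.managedservices/registrationdefinitions":
            entry["managedByTenantId"] = resolve(props["managedByTenantId"], params)
            entry["authorizations"] = [
                {"principalId": a["principalId"],
                 "role": ROLE_NAMES.get(a["roleDefinitionId"], a["roleDefinitionId"])}
                for a in resolve(props["authorizations"], params)]
        elif rtype.lower() == "microsoft.managedservices/registrationassignments":
            entry["registrationDefinitionId"] = props["registrationDefinitionId"]
        out.append(entry)
    return out

def inspect_template(template):
    """Return the delegation-relevant resources in deployment order."""
    return walk(template["resources"], template["parameters"], "subscription", [])

if __name__ == "__main__":
    print(json.dumps(inspect_template(TEMPLATE), indent=2))
```

The report shows the two things worth confirming against the Service providers blade: which foreign tenant is granted access (managedByTenantId), with which role and to which principal, and which resource group the registration assignment lands in. A role id that does not resolve in ROLE_NAMES is printed raw so it is not silently mislabelled.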
We currently have a Packer enterprise application that is running with the Contributor Role at the subscription level.
However, we feel that the application has too much scope. Instead we would like to give it Contributor level access for just one resource group.
Therefore, Packer would be able to create its temporary resources for creating images in just one resource group and would not need permissions for anything else in the subscription.
I created a custom role via JSON as follows (I've changed the subscription ID and resource names to example values):
{
"assignableScopes": [
"/subscriptions/123456789/resourceGroups/packer"
],
"description": "Custom role for packer app, with granular permissions for packer resource group",
"id": "/subscriptions/123456789/providers/Microsoft.Authorization/roleDefinitions/123456-1234-1234-1234-12345678",
"name": "123456-1234-1234-1234-12345678",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/Delete",
"Microsoft.Authorization/*/Write",
"Microsoft.Authorization/elevateAccess/Action",
"Microsoft.Blueprint/blueprintAssignments/write",
"Microsoft.Blueprint/blueprintAssignments/delete"
],
"dataActions": [],
"notActions": [],
"notDataActions": []
}
],
"roleName": "PackerRole",
"roleType": "CustomRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
I then created the role using Azure CLI:
az role definition create --role-definition PackerRole.json --subscription 123456789
However, I do not know how to assign it to the Packer application. It can't be assigned and doesn't appear at the subscription scope, presumably because the custom role only has a scope of one resource group.
I've tried going to Azure Active Directory --> App Registrations --> Packer, but there is nowhere here to assign my custom created role. The 'Roles and Administrators' tab gives me no clarity as none of our custom roles are here, and creating a new role only seems to allow Permission actions in the format of microsoft.directory/applications/
Viewing the Managed Application page for this app provides no answers either, only allowing for User and Group assignment.
I've scoured the documentation but haven't found anything relevant to this use case so far.
You shouldn't need a custom role for this. The Contributor role is built-in and can be assigned to any scope. The reason your custom role can't be seen is that you're missing the "isCustom": true setting from the root of the object.
If you wish to assign contributor at the resource group level, you can use the Portal, PowerShell, Azure CLI, or even the REST APIs. This is known as a role assignment.
Since you seem to be using the CLI, you can assign the role at the RG scope as follows:
Assuming your application is running using a service principal:
az role assignment create --assignee <packer-service-principal> --role Contributor --scope /subscriptions/123456789/resourceGroups/packer --assignee-principal-type ServicePrincipal
If you want to use the Portal, you can go to Resource Groups -> packer -> Access control (IAM) -> Role assignments -> Add
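Two RBAC decisions sit behind this exchange: whether a role definition can be assigned at a given scope (governed by assignableScopes), and what an assignment at resource-group scope actually permits (Actions minus NotActions, at or below the assignment scope). The following is an added model of both, written for this page and not taken from the thread, Packer or Microsoft. The Contributor definition is the built-in one; the PackerRole definition is the one posted in the question; the subscription id is the thread's example value and the principal and resource names are constructed. It also runs the kind of static review a least-privilege check would apply to the posted custom role: its Actions list is exactly the set of access-management actions that Contributor withholds in its NotActions.

```python
"""Added example: a small model of Azure RBAC assignability and effective permissions,
using the built-in Contributor role and the custom role posted in the question.
Subscription id is the thread's example; principal and resource names are constructed."""
from fnmatch import fnmatchcase

SUB = "/subscriptions/123456789"            # example id used in the thread
PACKER_RG = f"{SUB}/resourceGroups/packer"
OTHER_RG = f"{SUB}/resourceGroups/shared"   # constructed

# Built-in Contributor: everything except access management (and blueprint assignment).
CONTRIBUTOR = {"roleName": "Contributor", "isCustom": False, "assignableScopes": ["/"],
    "permissions": [{"actions": ["*"], "notActions": [
        "Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
        "Microsoft.Blueprint/blueprintAssignments/write",
        "Microsoft.Blueprint/blueprintAssignments/delete"]}]}

# The custom role as posted (isCustom absent).  Its Actions are Contributor's NotActions,
# i.e. rights to change role assignments rather than rights to build images.
PACKER_ROLE = {"roleName": "PackerRole", "assignableScopes": [PACKER_RG],
    "permissions": [{"actions": [
        "Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
        "Microsoft.Blueprint/blueprintAssignments/write",
        "Microsoft.Blueprint/blueprintAssignments/delete"], "notActions": []}]}

def scope_covers(parent, child):
    """True when child is parent itself or lies beneath it (scopes are case-insensitive)."""
    p, c = parent.lower().rstrip("/"), child.lower().rstrip("/")
    return c == p or c.startswith(p + "/")

def can_assign_at(role, scope):
    """A role is offered only at or below one of its assignableScopes."""
    return any(scope_covers(s, scope) for s in role["assignableScopes"])

def _match(pattern, action):
    # '*' in an Azure action string spans '/' segments, which fnmatch's '*' also does.
    return fnmatchcase(action.lower(), pattern.lower())

def role_allows(role, action):
    """Actions minus NotActions, evaluated per permission block."""
    return any(any(_match(a, action) for a in p["actions"])
               and not any(_match(n, action) for n in p["notActions"])
               for p in role["permissions"])

def is_permitted(assignments, principal, action, resource):
    """Effective rights are the union of assignments whose scope covers the resource."""
    return any(a["principal"] == principal and scope_covers(a["scope"], resource)
               and role_allows(a["role"], action) for a in assignments)

def review_custom_role(role):
    """Static findings a reviewer would raise before creating a custom role."""
    findings = []
    if role.get("isCustom") is not True:
        findings.append('missing "isCustom": true')
    for p in role["permissions"]:
        for a in p["actions"]:
            if a == "*" or _match("Microsoft.Authorization/*", a):
                findings.append(f"grants access-management action {a}")
    return findings

# The assignment the answer's az command creates (principal name constructed).
ASSIGNMENTS = [{"principal": "packer-sp", "role": CONTRIBUTOR, "scope": PACKER_RG}]

def demo():
    """Assignability of the posted role, its review findings, and what RG-scoped Contributor allows."""
    vm_write = "Microsoft.Compute/virtualMachines/write"
    ra_write = "Microsoft.Authorization/roleAssignments/write"
    return {
        "custom role assignable at subscription": can_assign_at(PACKER_ROLE, SUB),
        "custom role assignable at packer rg": can_assign_at(PACKER_ROLE, PACKER_RG),
        "custom role findings": review_custom_role(PACKER_ROLE),
        "vm write in packer rg": is_permitted(ASSIGNMENTS, "packer-sp", vm_write,
                                              f"{PACKER_RG}/providers/Microsoft.Compute/virtualMachines/pkr-vm"),
        "vm write in other rg": is_permitted(ASSIGNMENTS, "packer-sp", vm_write,
                                             f"{OTHER_RG}/providers/Microsoft.Compute/virtualMachines/vm1"),
        "role assignment write in packer rg": is_permitted(ASSIGNMENTS, "packer-sp", ra_write, PACKER_RG),
    }

if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label:38} -> {value}")
```

The model reproduces the observed behaviour (the custom role is not assignable at subscription scope) and shows what the answer's assignment buys: Contributor on the packer group lets the service principal create compute resources there, nowhere else, and never lets it write role assignments, which is the property the custom role as posted would have broken.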
I'm using an on-premises gateway connection in Azure and I'm trying to deploy it using an ARM template from a VSTS deployment. The VSTS deployment has an Azure Resource Manager endpoint. It seems that the service principal cannot create the On-premises Data Gateway service in Azure because it has no permission on the registered gateway that is located at:
/subscriptions/{subscriptionid}/providers/Microsoft.Web/locations/{location}/connectionGatewayInstallations/{OnPremGatewayId}
The code in the ARM template is quite straightforward and looks like this:
{
"type": "Microsoft.Web/connectionGateways",
"name": "[variables('OnPremGatewayName')]",
"apiVersion": "2016-06-01",
"location": "[resourceGroup().location]",
"scale": null,
"properties": {
"connectionGatewayInstallation": {
"id": "[concat('/subscriptions/', subscription().subscriptionid, '/providers/Microsoft.Web/locations/', toLower(replace(resourceGroup().location,' ','')),'/connectionGatewayInstallations/', parameters('OnPremGatewayId'))]"
}
},
"dependsOn": []
},
The deployment throws this error:
{
"error": {
"code": "AuthorizationFailed",
"message": "The connection gateway 'xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx' does not exist or the client with object id 'xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx' under tenant id '********' does not have administrative rights on it."
}
}
I've found that there is a new action that you can assign to a role:
/Microsoft.Web/Locations/connectiongatewayinstallations/Read
I've created a role with this action and added it to the service principal, but that didn't seem to help. I used the following script to create the role:
$role = Get-AzureRmRoleDefinition "Virtual Machine Contributor"
$role.Id = $null
$role.Name = "On premises data gateway reader"
$role.Description = "Read registered On premises data gateways"
$role.Actions.Clear()
$role.Actions.Add("/Microsoft.Web/Locations/connectiongatewayinstallations/Read")
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/{subscriptionid}")
New-AzureRmRoleDefinition -Role $role
Get-AzureRmRoleDefinition -Name "On premises data gateway reader"
How can I give the VSTS service principal administrative rights on the registered gateway?