Azure Custom RBAC with wildcard in assignableScopes - is it possible? - azure

I am trying to create Azure Custom RBAC and it accepts wildcard in action/noaction but it does not work when I try wildcard in assignableScopes.
I need to restrict permissions for certain resource group but I don't know the exact name of the resource group. However, I do know the naming convention and I would like to be able to use wildcard in the assignableScopes.
Example of what I would like to do but Azure does not allow:
{
"properties": {
"roleName": "MySampleCustomRole",
"description": "My Sample Custom Role",
"assignableScopes": [
"/subscriptions/*/resourceGroups/ABCDXYZ-*"
],
"permissions": [{
"actions": [],
"notActions": [
"Microsoft.Compute/snapshots/delete",
"Microsoft.Compute/snapshots/write",
"Microsoft.Compute/snapshots/beginGetAccess/action",
"Microsoft.Compute/snapshots/endGetAccess/action",
"Microsoft.Compute/disks/beginGetAccess/action"
],
"dataActions": [],
"notDataActions": []
}
]
}
}

I agree with @Roderick Bant, it's not possible to use wildcards in assignable scopes.
I tried to reproduce the same in my environment and got below results:
I have few resource groups with naming convention starts with test in my subscription.
When I tried to create custom RBAC role by including wildcard in assignable scopes as test*, I got error like below:
PUT https://management.azure.com/subscriptions/<subID>/resourceGroups/test*/providers/Microsoft.Authorization/roleDefinitions/{roleDefinitionId}?api-version=2022-04-01
{
"properties": {
"roleName": "MySampleCustomRole",
"description": "My Sample Custom Role",
"assignableScopes": [
"/subscriptions/<subID>/resourceGroups/test*"
],
"permissions": [{
"actions": [],
"notActions": [
"Microsoft.Compute/snapshots/delete",
"Microsoft.Compute/snapshots/write",
"Microsoft.Compute/snapshots/beginGetAccess/action",
"Microsoft.Compute/snapshots/endGetAccess/action",
"Microsoft.Compute/disks/beginGetAccess/action"
],
"dataActions": [],
"notDataActions": []
}
]
}
}
Use below CLI command to get the exact name of resource groups with naming convention test :
az group list --query "[?contains(name,'test')].name"
Instead of including wildcard in assignableScopes , the only way for now is to pass the above names one by one while creating custom RBAC role like below:
PUT https://management.azure.com/subscriptions/<subID>/resourceGroups/testrg/providers/Microsoft.Authorization/roleDefinitions/{roleDefinitionId}?api-version=2022-04-01
{
"properties": {
"roleName": "MySampleCustomRole",
"description": "My Sample Custom Role",
"assignableScopes": [
"/subscriptions/<subID>/resourceGroups/testrg",
"/subscriptions/<subID>/resourceGroups/testsri",
"/subscriptions/<subID>/resourceGroups/testdevi"
],
"permissions": [{
"actions": [],
"notActions": [
"Microsoft.Compute/snapshots/delete",
"Microsoft.Compute/snapshots/write",
"Microsoft.Compute/snapshots/beginGetAccess/action",
"Microsoft.Compute/snapshots/endGetAccess/action",
"Microsoft.Compute/disks/beginGetAccess/action"
],
"dataActions": [],
"notDataActions": []
}
]
}
}
When I checked the same in Portal, the above custom role is available in only test* resource groups as mentioned in assignableScopes like below:
testrg:
testsri:
testdevi:
When I checked the same in other resource groups from same subscription, custom role is not available like below:
Reference:
Azure custom role definition with special AssignableScopes - Stack Overflow by Joy Wang
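The workaround above (list the resource groups that follow the naming convention, then enumerate them one by one in assignableScopes) can be scripted. The following is an added example, not code from the original answer; the subscription id is a placeholder, the resource group list is constructed sample data, and the function names are hypothetical. It matches on the prefix rather than with `contains`, so a group such as `latest-backup` is not pulled into scope by accident.

```python
import json

# Permissions block copied from the role definition in the answer above.
PERMISSIONS = [{
    "actions": [],
    "notActions": [
        "Microsoft.Compute/snapshots/delete",
        "Microsoft.Compute/snapshots/write",
        "Microsoft.Compute/snapshots/beginGetAccess/action",
        "Microsoft.Compute/snapshots/endGetAccess/action",
        "Microsoft.Compute/disks/beginGetAccess/action",
    ],
    "dataActions": [],
    "notDataActions": [],
}]

def explicit_scopes(subscription_id, group_names, prefix):
    """Expand a naming-convention prefix into explicit resource-group scopes.

    Resource group names are case-insensitive, so the comparison is too.
    """
    matched = sorted(n for n in group_names if n.lower().startswith(prefix.lower()))
    return [f"/subscriptions/{subscription_id}/resourceGroups/{n}" for n in matched]

def build_role_definition(role_name, description, scopes):
    """Return the request body, refusing empty or wildcard scopes."""
    if not scopes:
        raise ValueError("no resource group matched the naming convention")
    bad = [s for s in scopes if "*" in s]
    if bad:
        raise ValueError(f"wildcards are not accepted in assignableScopes: {bad}")
    return {"properties": {"roleName": role_name, "description": description,
                           "assignableScopes": scopes, "permissions": PERMISSIONS}}

# Constructed sample: names as returned by `az group list --query "[].name"`.
SAMPLE_GROUPS = ["testrg", "testsri", "testdevi", "prod-rg", "latest-backup"]
SUB_ID = "00000000-0000-0000-0000-000000000000"  # placeholder subscription id

if __name__ == "__main__":
    scopes = explicit_scopes(SUB_ID, SAMPLE_GROUPS, "test")
    body = build_role_definition("MySampleCustomRole", "My Sample Custom Role", scopes)
    print(json.dumps(body, indent=2))
```

Resource groups created later under the same convention are not covered until the role definition is regenerated and updated.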

Related

Edit existing conditional access policy from Graph

I created conditional access policy using this from my previous question reply here. It's working as expected.
POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
Content-type: application/json
{
"displayName": "Block access to Application Admins.",
"state": "enabled",
"conditions": {
"clientAppTypes": [
"all"
],
"applications": {
"includeApplications": [
"appID"
]
},
"users": {
"includeRoles": [
"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"//ID of Application Admin role
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"block"
]
}
}
I want to change few properties like roles to User administrator and grantControls to allow access with mfa in this existing policy from Graph.
In Portal, we have edit option but is this possible from Graph? How to achieve that?
TIA
I tried to reproduce the same in my environment via Graph Explorer and got below results:
I have one existing conditional access policy with below properties:
To update this policy via Graph API, make use of below query based on your requirement:
PATCH https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/<id>
Content-type: application/json
{
"displayName": "Require MFA to User Administrators.",
"state": "enabled",
"conditions": {
"users": {
"includeRoles": [
"fe930be7-5e62-47db-91af-98c3a49a38b1" //ID of User Administrator role
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"mfa"
]
}
}
When I checked the same in Portal, properties updated successfully like below:
You can get the id of User Administrator role like below:
Go to Azure Portal -> Azure AD -> Roles and administrators -> All roles -> User Administrator
UPDATE:
You can get the id of policy using below query:
GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies?$filter=displayName eq 'policyName' &$select=id,displayName

Creating a custom role which cannot delete a resource group or individual resources within the resource group

I want to create a custom role for developers.
With this custom role the developers should have contributor access to the resource group "TestRessourceGroup" and all its stored resources but the developers should not have the permission to delete this resource group or individual resources within the resource group.
This is what I have so far:
{
"properties": {
"roleName": "Contributor without permission to delete resources",
"description": "Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, share image galleries, or delete resources.",
"assignableScopes": [
"/"
],
"permissions": [
{
"actions": [
"*"
],
"notActions": [
"Microsoft.Authorization/*/Delete",
"Microsoft.Authorization/*/Write",
"Microsoft.Authorization/elevateAccess/Action",
"Microsoft.Blueprint/blueprintAssignments/write",
"Microsoft.Blueprint/blueprintAssignments/delete",
"Microsoft.Compute/galleries/share/action",
"Microsoft.Resources/subscriptions/resourceGroups/delete"
],
"dataActions": [],
"notDataActions": []
}
]
}
}
The developers should still be able to:
delete blobs and containers within a Storage Account
delete compute instances or compute clusters within AMLS
What do I need to add so that users with this custom role cannot delete a resource group or individual resources (like Storage Accounts, Databricks, Key Vaults, AMLS .....) within the resource group but anything else is working like with the normal contributor access?
If you don't want to include resource deletion, the easiest way is to add */delete in the notActions array:
{
"properties": {
"roleName": "Contributor without permission to delete resources",
"description": "Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, share image galleries, or delete resources.",
"assignableScopes": [
"/"
],
"permissions": [
{
"actions": [
"*"
],
"notActions": [
"*/delete",
"Microsoft.Authorization/*/Write",
"Microsoft.Authorization/elevateAccess/Action",
"Microsoft.Blueprint/blueprintAssignments/write",
"Microsoft.Compute/galleries/share/action"
],
"dataActions": [],
"notDataActions": []
}
]
}
}
You could then have another role to allow users to delete resources inside the Machine Learning workspace:
{
"properties": {
"roleName": "Allow ML workspace resources deletion",
"description": "",
"assignableScopes": [
"/"
],
"permissions": [
{
"actions": [
"Microsoft.MachineLearningServices/workspaces/*/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
]
}
}
If you create an AAD group and assign these two roles to the group, it should work.
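The two-role approach works because Azure RBAC is additive: notActions only subtracts from the actions of the same role and is not a deny rule, so a second role can grant what the first one excludes. The following is an added example, not code from the original answer; it is a simplified model of control-plane evaluation (no dataActions, no deny assignments), the function names are hypothetical, and the action strings checked at the end are chosen for illustration.

```python
from fnmatch import fnmatchcase

# The two role definitions from the answer above, reduced to control-plane rules.
CONTRIBUTOR_NO_DELETE = {
    "actions": ["*"],
    "notActions": [
        "*/delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
        "Microsoft.Blueprint/blueprintAssignments/write",
        "Microsoft.Compute/galleries/share/action",
    ],
}
ML_DELETE = {
    "actions": ["Microsoft.MachineLearningServices/workspaces/*/delete"],
    "notActions": [],
}

def matches(pattern, action):
    """Case-insensitive match where '*' spans any characters, '/' included."""
    return fnmatchcase(action.lower(), pattern.lower())

def role_allows(role, action):
    """A single role grants: actions minus that same role's notActions."""
    granted = any(matches(p, action) for p in role["actions"])
    excluded = any(matches(p, action) for p in role["notActions"])
    return granted and not excluded

def effective_allows(roles, action):
    """Assignments are additive: any one role granting the action is enough."""
    return any(role_allows(r, action) for r in roles)

if __name__ == "__main__":
    both = [CONTRIBUTOR_NO_DELETE, ML_DELETE]
    for action in (
        "Microsoft.Storage/storageAccounts/delete",
        "Microsoft.KeyVault/vaults/delete",
        "Microsoft.MachineLearningServices/workspaces/computes/delete",
        "Microsoft.MachineLearningServices/workspaces/delete",
    ):
        print(f"{action}: {'allowed' if effective_allows(both, action) else 'denied'}")
```

The same additivity means any other role held by the group at that scope or above, such as the built-in Contributor, restores delete rights, so the principal's full set of assignments has to be reviewed, not just these two roles.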

Azure Policy - GitHub Actions - Authoring Custom Policies

I'm working on testing out using GitHub and GitHub Actions to do policy as code for Azure. I have been successful in following the tutorials that Microsoft has where you export the policy you want to manage to GitHub from the Azure portal. This works fine and I'm able to edit and run the workflows to update Azure with changes to policies.
What I'd like to know is, can you create NEW policies in GitHub and push them to Azure? It seems that you need to first export a custom policy from Azure into GitHub, then you can manage that policy. I say this because when I create a new policy and a workflow for that policy I get the following error in GitHub from the workflow:
> Did not find any policies to create/update. No policy files match the
> given patterns or no changes were detected.
The policy I have in the folder is called "policy.json"
I also see:
Error occured while reading policy in path :
policies/global_tagging_policy. Error : Error: Path :
policies/global_tagging_policy. Property id is missing from the policy
definition. Please add id to the definition file.
That leads me to believe I need an ID prior to being able to push a policy, that says to me that Azure must have assigned one... I can't just make one up.
This is the policy I'm trying to push - just a tagging policy for testing, I don't have an ID in there, I read that you don't need to add one... that Azure would do it for you. Am I wrong?:
{
"properties": {
"displayName": "test-policy",
"description": "this is a test policy",
"mode": "indexed",
"parameters": {
"tagName": {
"type": "String",
"metadata": {
"displayName": "Tag Name",
"description": "Name of the tag, such as 'environment'"
}
},
"tagValue": {
"type": "String",
"metadata": {
"displayName": "Tag Value",
"description": "Value of the tag, such as 'production'"
}
}
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"field": "[concat('tags[', parameters('tagName'), ']')]",
"exists": "false"
}
]
},
"then": {
"effect": "modify",
"details": {
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"operations": [
{
"operation": "add",
"field": "[concat('tags[', parameters('tagName'), ']')]",
"value": "[parameters('tagValue')]"
}
]
}
}
}
}
This tripped me up too so I did some exploring of the APIs and files. I've written about this in greater detail here.
To create a custom Policy, Initiative or Assignment file using GitHub Actions you'll need to generate an id, name & type at the root of the JSON.
The name property needs to be unique at the scope you assign it, I use GUIDs for this but you don't have to. Bear in mind if you define/assign at the Management Group scope then the name needs to be 24 characters or less.
The type denotes the type of file, the options are:
Microsoft.Authorization/policyDefinitions --> Policies
Microsoft.Authorization/policySetDefinitions --> Initiatives
Microsoft.Authorization/policyAssignments --> Assignments
The id is a bit more complex, and is a concatenation of the name and type values with other values mixed in.
The prefix depends on the scope which you want to define your Policy/Initiative/Assignment.
For Management Groups it would be:
/providers/Microsoft.Management/managementGroups/00000000-0000-0000-0000-000000000000
Subscriptions would be:
/subscriptions/00000000-0000-0000-0000-000000000000
Resource Groups:
/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup
This is followed by: providers in all cases
Next is the type value, so whatever you've used for that use again here.
Finally the last segment of the id is the same value you've used for the name property.
In one line that is
/{scope}/providers/{type}/{name}
So as an example:
Policy Definition scoped at a Management Group
{
"id": "/providers/Microsoft.Management/managementGroups/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/5f44e572-5d2d-4edf-9d61",
"name": "5f44e572-5d2d-4edf-9d61",
"type": "Microsoft.Authorization/policyDefinitions",
"properties":{}
}
Policy Definition scoped at a Subscription
{
"id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/8e4a8c58-1938-4467-8698",
"name": "8e4a8c58-1938-4467-8698",
"type": "Microsoft.Authorization/policyDefinitions",
"properties":{}
}
Initiative scoped at a Management Group
{
"id": "/providers/Microsoft.Management/managementGroups/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/be09f23f-0252-4d8a-a805",
"name": "be09f23f-0252-4d8a-a805",
"type": "Microsoft.Authorization/policySetDefinitions",
"properties":{}
}
Initiative scoped at a Subscription
{
"id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/8e4a8c58-1938-4467-8698",
"name": "8e4a8c58-1938-4467-8698",
"type": "Microsoft.Authorization/policySetDefinitions",
"properties":{}
}
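The id rule described above, `/{scope}/providers/{type}/{name}`, is easy to get wrong by hand when copying files between scopes. The following is an added example, not code from the original answer or from the GitHub Action; it is a small pre-commit check for the root id, name and type of a policy file, with hypothetical function names, the 24-character management group limit taken from the answer, and constructed sample documents in the test.

```python
import re

TYPES = {
    "microsoft.authorization/policydefinitions",     # Policies
    "microsoft.authorization/policysetdefinitions",  # Initiatives
    "microsoft.authorization/policyassignments",     # Assignments
}
SCOPES = {
    "managementGroup": r"/providers/Microsoft\.Management/managementGroups/[^/]+",
    "subscription": r"/subscriptions/[^/]+",
    "resourceGroup": r"/subscriptions/[^/]+/resourceGroups/[^/]+",
}
MG_NAME_LIMIT = 24  # name length limit at management group scope, per the answer

def scope_kind(scope):
    """Classify a scope prefix, or return None if it has no known shape."""
    for kind, pattern in SCOPES.items():
        if re.fullmatch(pattern, scope, re.IGNORECASE):
            return kind
    return None

def build_id(scope, type_, name):
    """Compose the id exactly as the answer describes."""
    return f"{scope}/providers/{type_}/{name}"

def check_policy_file(doc):
    """Return a list of problems with the root id/name/type (empty if none)."""
    problems = [f"missing root property '{k}'"
                for k in ("id", "name", "type") if not doc.get(k)]
    if problems:
        return problems
    if doc["type"].lower() not in TYPES:
        problems.append(f"unknown type '{doc['type']}'")
    suffix = f"/providers/{doc['type']}/{doc['name']}".lower()
    if not doc["id"].lower().endswith(suffix):
        # Without a matching suffix the scope cannot be derived, so stop here.
        return problems + ["id does not end with /providers/{type}/{name}"]
    kind = scope_kind(doc["id"][: -len(suffix)])
    if kind is None:
        problems.append("unrecognised scope prefix in id")
    elif kind == "managementGroup" and len(doc["name"]) > MG_NAME_LIMIT:
        problems.append(f"name longer than {MG_NAME_LIMIT} characters at management group scope")
    return problems
```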

How to find the list of individual resources that have access to a given SPN?

When I use az login using a service principal,
e.g. az login --service-principal -u "12121" -p "1212" --tenant "12121"
it will show the list of all subscriptions which it has access to, like
[
{
"cloudName": "AzureCloud",
"homeTenantId": "123",
"id": "215645",
"isDefault": true,
"managedByTenants": [],
"name": "Sub1",
"state": "Enabled",
"tenantId": "123",
"user": {
"name": "123456",
"type": "servicePrincipal"
}
},
{
"cloudName": "AzureCloud",
"homeTenantId": "123",
"id": "rr",
"isDefault": false,
"managedByTenants": [
{
"tenantId": "123"
}
],
"name": "Sub2",
"state": "Enabled",
"tenantId": "123",
"user": {
"name": "123456",
"type": "servicePrincipal"
}
},
...
...
]
Among the list, for some subscriptions the SPN has direct reader access (RBAC) to the subscription. But for the other sub (let's say sub2) the access is not given directly at the subscription level; instead the access has been given at the resource(s) level.
Question: How do I get the list of all resources within sub2 that have access provided to the service principal? In other words, I have to find (list) what kind of access the service principal is assigned on any/all the resources within sub2.
I know Azure CLI is doing this behind the scenes to retrieve this information. That's why it can show the list of subscriptions after a successful login. But I don't know what that is.
Is there any CLI command or Graph API to retrieve that information?
P.S.: I don't know the scope or resource where the SPN is assigned to.
If you want to list the role assignments for a specific user, you can use the az role assignment list command.
az role assignment list --assignee {assignee}
Note: To view role assignments for the current subscription and below, add the --all parameter:
az role assignment list --assignee {assignee} --all
If you are already logged in with the service principal, you can omit the --assignee parameter

How to get permissions for SharePoint files on Office 365

In Office365, we are uploading a file “File1” to OneDrive using the user “UserA”. We then are getting the permissions of that file using the graph api (https://graph.microsoft.com/me/drives/[DriveId]/items/[itemId]/permissions) and get back permissions as we would expect:
"permissions": [
{
"grantedTo": {
"user": {
"email": "UserA@wherever.com",
"id": "ef7bd4af-3f36-4e81-9f76-296f4956b807",
"displayName": "User A"
}
},
"id": "aTowIy5mfG1lbWJlcnNoaXB8ZGRyYXBlckBmaXJlbGF5ZXJzLm9ubWljcm9zb2Z0LmNvbQ",
"roles": [
"owner"
]
}
]
However, we are then uploading the same file (using the same user) to a newly created SharePoint site named “Site1” and getting the permissions for that file (again using the graph api). Unlike with the OneDrive file permissions, the permissions returned for this SharePoint file do NOT contain “UserA” but include only 3 site-specific groups (which seem to be created automatically when creating a new SharePoint site)
"permissions": [
{
"grantedTo": {
"user": {
"displayName": "Site1 Owners"
}
},
"id": "QXRoYXlUZXN0IE93bmVycw",
"roles": [
"owner"
]
},
{
"grantedTo": {
"user": {
"displayName": " Site1 Visitors"
}
},
"id": "QXRoYXlUZXN0IFZpc2l0b3Jz",
"roles": [
"read"
]
},
{
"grantedTo": {
"user": {
"displayName": " Site1 Members"
}
},
"id": "QXRoYXlUZXN0IE1lbWJlcnM",
"roles": [
"write"
]
}
]
When listing all groups for the SharePoint site, none of these 3 groups are listed. A group named “Site1” does however but doesn’t contain any users added to any of these 3 groups.
How do we get additional information for these groups (i.e. the users who are a part of a given group) using the graph API / is that even possible?
I am not sure that it is possible via the Graph API but SharePoint does have a RESTful API that focuses on users and groups and that should be helpful. It does include extensive examples here:
https://msdn.microsoft.com/en-us/library/office/dn531432.aspx
