I have written some automation (using az command line) that creates virtual machines for us.
However, since users have contributor access to the various subscriptions they login to the portal and create the vm's manually.
I would like to prevent the users from creating the vms by logging into the portal.
How do I leverage Azure Policy to enforce this ?
I tried to reproduce this scenario on my end and was able to restrict users with Contributor Role from creating VM via Portal.
I created one Policy Definition like below: -
"parameters": {},
"policyRule":
{
"if": {
"anyOf": [
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
{
"field": "Microsoft.Authorization/roleAssignments/roleDefinitionId",
"contains": "a8f97275-2685-41ce-a61d-dc550cd090f8"
}
]
},
"then":
{
"effect": "deny"
}
}
And assigned this policy at the subscription level: -
I have one user with Contributor role like below:
Now, when the user with Contributor role tried to create a VM, the VM creation was disallowed by the Policy like below:
Related
Is there any in built role to deny permission to create resources in az subscription except some users. I.
I have used 'not allowed resources types' policy but it applies to whole subscription.
I Tried to reproduce the same in my environment to deny the resource creation in Azure:
Thanks to Tiny Wang for suggesting the same.
Assign Reader role to Users or Group for restricting resource creation in Azure, like below.
Azure Portal > Subscription > Select your subscription > Access control (IAM) > Add > Add role assignment.
Reader role assigned.
When I tried to create Azure VM within Subscription, I got an authorization error with the same user.
Note: if you create an Azure policy to deny the resource creation, the policy will apply to the scope level, not to users.
Ex: Subscription, Resource Groups
I have created a policy and assigned it to the resource group scope to deny resource creation within a resource group.
When I tried to create any resource, I got a policy restriction error.
Azure Policy rule:
{
"mode": "All",
"policyRule": {
"if": {
"field": "type",
"in": "[parameters('listOfResourcesTypesNotAllowed')]"
},
"then": {
"effect": "Deny"
}
},
"parameters": {
"listOfResourcesTypesNotAllowed": {
"type": "Array",
"metadata": {
"displayName": "Not Allowed Resources creation",
"description": "The list of resources type that cannot be deployed.",
"strongType": "resourceTypes"
}
}
}
}
I'm trying to write an ARM template to deploy a connection to the storage account for my Logic App. The problem is that my Logic App belongs to one resource group & the storage account in another.
When I run the deployment pipeline I get the following deployment error:
The Resource 'Microsoft.Storage/storageAccounts/StorageAccountName'
under resource group 'Logic App Resource Group' was not found.
I understand that the storage account does not belong to this resource group but how do I write the ARM template to look for the storage account from another group?
Here is my template for the connection:
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[parameters('storageConName')]",
"location": "[parameters('logicAppLocation')]",
"properties": {
"displayName": "[parameters('storageConName')]",
"parameterValues": {
"accountName": "[parameters('storageAccountName')]",
"accessKey": "[listKeys(variables('storageAccountId'),'2019-06-01').keys[0].value]"
},
"api": {
"id": "[concat('/subscriptions/',parameters('resourceGroupId'),'/providers/Microsoft.Web/locations/northeurope/managedApis/azureblob')]"
}
}
}
I've worked out what was wrong, the properties:api:id was using the logic App resource group id where it should be using the storage accounts resource group id.
I misunderstood that this was the resource group where I wanted the connection to be created.
I have a setup which uses Azure AD B2C and I want to enable monitoring using Azure Monitor.
I followed the steps described on this page: https://learn.microsoft.com/en-us/azure/active-directory-b2c/azure-monitor
It works, but before I enroll it to other environments I would like to verify what changes the ARM template being referred to in the documentation exactly made. If I interpret the ARM template correctly it creates a Managed Services Registration Definition and assigns this to provided resource group.
Is it possible to see in the Azure Portal what Managed Services Registration Definitions are assigned to a resource group?
ARM Template:
{
"$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"mspOfferName": {
"type": "string",
"metadata": {
"description": "Specify a unique name for your offer"
},
"defaultValue": "<to be filled out by MSP> Specify a title for your offer"
},
"mspOfferDescription": {
"type": "string",
"metadata": {
"description": "Name of the Managed Service Provider offering"
},
"defaultValue": "<to be filled out by MSP> Provide a brief description of your offer"
},
"managedByTenantId": {
"type": "string",
"metadata": {
"description": "Specify the tenant id of the Managed Service Provider"
},
"defaultValue": "<to be filled out by MSP> Provide your tenant id"
},
"authorizations": {
"type": "array",
"metadata": {
"description": "Specify an array of objects, containing tuples of Azure Active Directory principalId, a Azure roleDefinitionId, and an optional principalIdDisplayName. The roleDefinition specified is granted to the principalId in the provider's Active Directory and the principalIdDisplayName is visible to customers."
},
"defaultValue": [
{
"principalId": "<Replace with group's OBJECT ID>",
"principalIdDisplayName": "Azure AD B2C tenant administrators",
"roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c"
}
]
},
"rgName": {
"type": "string",
"defaultValue": "<Replace with Resource Group's Name e.g. az-monitor-rg>"
}
},
"variables": {
"mspRegistrationName": "[guid(parameters('mspOfferName'))]",
"mspAssignmentName": "[guid(parameters('mspOfferName'))]"
},
"resources": [
{
"type": "Microsoft.ManagedServices/registrationDefinitions",
"apiVersion": "2019-06-01",
"name": "[variables('mspRegistrationName')]",
"properties": {
"registrationDefinitionName": "[parameters('mspOfferName')]",
"description": "[parameters('mspOfferDescription')]",
"managedByTenantId": "[parameters('managedByTenantId')]",
"authorizations": "[parameters('authorizations')]"
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2018-05-01",
"name": "rgAssignment",
"resourceGroup": "[parameters('rgName')]",
"dependsOn": [
"[resourceId('Microsoft.ManagedServices/registrationDefinitions/', variables('mspRegistrationName'))]"
],
"properties":{
"mode":"Incremental",
"template":{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"resources": [
{
"type": "Microsoft.ManagedServices/registrationAssignments",
"apiVersion": "2019-06-01",
"name": "[variables('mspAssignmentName')]",
"properties": {
"registrationDefinitionId": "[resourceId('Microsoft.ManagedServices/registrationDefinitions/', variables('mspRegistrationName'))]"
}
}
]
}
}
}
],
"outputs": {
"mspOfferName": {
"type": "string",
"value": "[concat('Managed by', ' ', parameters('mspOfferName'))]"
},
"authorizations": {
"type": "array",
"value": "[parameters('authorizations')]"
}
}
}
Here, Msp offer and Msp description refers to the ARM template publication. Whenever you want to create your own managed service in the ARM template you assign one Msp offer for your service and description and send it to customers for use or even upload the template in Azure marketplace.
MSP is managed service offering, Where Microsoft cloud partners create their own managed service and make it available to their customer’s tenant privately for specific users or publish it publicly in Azure Marketplace to get more customers using their Service.
Imagine a scenario, where you are a MS partner managing multiple customers and their tenants, You require to create a managed service for your customer and provide them delegated access to your service, Here you first create an ARM template to onboard your customers, you can do it via Azure Lighthouse too. For onboarding you keep, Msp offer ID which is unique for individual customers also if you want to keep the offer ID default for all customers, Even that can be set, After Msp offer ID, you can delegate your service to the customer by either allowing them to assign their tenant Id or service principal, group, user object ID in your template, Once that is assigned your managed service will be available for the customers to use. You can keep the offer public or private, you can also keep one managed identity for all the customers or allow customers to provide their own Object ID of their tenant’s group, users or service principals.
In the above document, ARM template is created with MSP offer in your Azure AD tenant to provide delegated access to your Azure AD B2C tenant, Thus you are managing your Azure AD B2C tenant via your Azure AD by providing resource group as a delegated resource between both the tenant and also your Group object ID which acts as a authorization between your Azure AD and Azure AD B2C tenant. If you go by above scenario- Imagine your Azure AD tenant as a partner tenant trying to provide managed service to your Azure AD B2C tenant.
I have followed the document and deployed an Azure monitoring service for Azure AD B2C
This ARM template is asking to connect the resource group from our or Azure subscription to our Azure AD B2C tenant.
It is authorizing our Azure AD B2C tenant with the group’s Object ID projecting it with Resource group of our Azure subscription.
mspOfferName- is the name of the offer or service that is being provided by our Azure subscription. Here we can give any name according to our need. For now we are integrating Azure monitor log analytics workspace with our Azure AD B2C tenant, Thus we use name – Azure AD B2C Monitoring.
mspofferDescription- Description of your service
managedByTenantID- this is going to be the Tenant ID or managed ID of your Azure AD B2C to onboard it to our subscription resource.
roleDefinitionID- is populated automatically, Which is your azure role, In my case I am using Azure subscription with Owner role, Thus the role definition Id of owner role is populated.
rgName- Is the name of our Resource group where our log analytics workspace is deployed.
After I created the Managed service- I went to go to resource and the deployment was successful.
After the deployment, I got the audit logs from azure ad b2c to my Azure log analytics successfully.
Customer statement:- “Is it possible to see in the Azure Portal what Managed Services Registration Definitions are assigned to a resource group?”
To view what managed service is deployed, you can visit > Azure Portal > Search> Service Provider >
You will find your service provider msp like below:-
As, this managed service is not part of Azure marketplace the Marketplace offer is not visible.
You can view your resource group delegated to the azure ad b2c tenant here:-
You can also visit your Resource group and check the deployment history:-
Here, Are the deployments that were succeeded as part of managed service: -
You can also view the complete logs of these 3 deployments that were created for your managed service creation and monitoring by visiting Activity Log :-
Hi I am trying to deploy the resource using ARM template of type "Microsoft.Sql/servers/administrators"
below is the template
{
"type": "Microsoft.Sql/servers/administrators",
"apiVersion": "2019-06-01-preview",
"name": "[concat(parameters('sqlServerName'), '/ActiveDirectory')]",
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', parameters('sqlServerName'))]"
],
"properties": {
"administratorType": "ActiveDirectory",
"login": "[parameters('activeDirectoryUserGroupName')]",
"sid": "",
"tenantId": "[subscription().tenantId]"
}
}
I am passing the active directory user group name as parameter, "sid" is the objectId of that active directory group. So is there any way to fetch the objectId in ARM template
We have no way to get the Azure AD group object id in Azure ARM template. Because the Azure AD group is Azure AD resource. It is not Azure resource. But the ARM template is only used to manage Azure resources. For more details, please refer to the document and the document
If the want to get the AD group object id, you can use Azure Powershell command $groubId=(Get-AzADGroup -DisplayName <groupName>).Id.
What role can I assign to a user that will allow them to create resource groups? I cannot use owner or contributor because those are too powerful. The whole point is limit what various developers can do.
For example, our development teams create web apps with databases and deploy them to Azure. These resources are put in a single resource group. So the dev needs to create the app service, app service plan, sql db, app insights and resource group. But we don't want all developers to have access to many of the other resources in Azure. This is why contributor or owner is too powerful.
Also, FYI, we are working towards ARM templates deployed by pipelines but that is taking a while. So in the mean time, some of this is done manually.
All of this seems possible with RBAC except resource group.
Thanks,
Andy
You could create a custom role, then assign to the user, the Actions need to incldue the Microsoft.Resources/subscriptions/resourceGroups/write, you can also include other actions, it depends on your requirement.
Sample:
{
"Name": "Resource Group Operator",
"Id": "88888888-8888-8888-8888-888888888888",
"IsCustom": true,
"Description": "Can operate on resource groups",
"Actions": [
"Microsoft.Resources/subscriptions/resourceGroups/write",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"NotActions": [],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": [
"/subscriptions/{subscriptionId}"
]
}