This is my first project in Azure. Please avoid if any mistake. I have a user group "Azure Cross Team Contributors". I want to add it in resource group contributors by default whenever I create any resource group. I got to know there is policy, But not able to write policy rule. What would be policy rule for this scenario.
Similar thread answered on Microsoft Q&A , so updating here for broader community usage. Thank you AshishMishra and DCtheGeek for helping on the thread.
Azure Policy lets you audit the compliance of the configuration of Azure Resource Manager (ARM) properties.
In some cases, such as AKS or Guest Configuration, it can also audit configuration of Resource Provider properties. While Azure Policy can be used to audit how a role definition is defined (sample here), it isn't for applying roles to specific objects. That's the domain of Azure role-based access control (RBAC).
If you want the group "Azure Cross Team Contributors" to have access to all resource groups within a subscription, an easier alternative is to grant the role assignment at the subscription scope.
There isn't a built-in role with the name "Resource Group Contributors".
Feel free to revert back if you have any further queries. Thank you.
Related
My subscription has a service principal that must have contributor rights. These rights will be inherited by all resource groups. In one resource group that has been established for over a year. for security reasons, this service principal must be prohibited from doing anything. The maximum allowed is reading. I tried using https://learn.microsoft.com/en-us/azure/governance/blueprints/overview but apparently I misconfigured or just doesn't work in my case. Since under the credential of this service principal, I was able to delete the test storage account. Could you please help me set up these policies to see if it's possible or not? Thank you.
I have a client that can only give me full access to one or two resource groups.
I need to deliver some prescripted terraform resources that contain the need for a service principal.
Can you lock an SP to a resource group? The subscription itself is a production subscription so they want to know if you can tie down using role base access just to that group.
Or should I be create a MI account?
Can you lock an SP to a resource group?
You most certainly can. Azure Role-based access control is very granular and you can apply access control at any level (management group, subscription, resource group or even at individual resource).
Please see this for more details: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-steps.
What are the best practices when using Terraform to provision infrastructure on Azure? We are struggling to decide between two variants:
Create one Service principal for Terraform and give it Owner rights to the whole subscription so it can create resource groups for each environment and assign roles to service principals in resources.
Create Resource Groups and service principals for each environment manually and assign terraform's service principal Owner rights to only the Resource Group.
The first option is more convenient, but I'm worried about security concerns when giving Terraform Owner rights on the subscription level.
What would be the best solution?
When you worry about security, there should be a limit to your requirements. If you want to create resources only in one resource group or serial resource groups, and then control them for all things. I'd suggest you create a service principal and assign it the Owner role of the resource group or groups, not the whole subscription. And it's the best way for security and you also have all the rights to control the resources in that group or groups, only limit the scope to that group or groups.
Assign the Owner role to the whole subscription, it's not secure, you know, there would be some mistakes on somebody sometimes.
I would like to give members of a specific role the ability to create resource groups. Can this be achieved without giving users the co-owner role at the subscription level?
You can grant them contributor rights on the specific Azure subscription, they don't have to be co-owner. This is the least-privilege built-in role available that allows you to create resource groups.
However, you could also create a custom role with only one action:
Microsoft.Resources/subscriptions/resourceGroups/write
Read more here: Custom roles for Azure resources
I am moving a VM and its related resouces to another subscription and getting an error.
{"code":"MissingRegistrationsForTypes","message":"The subscription 'xxx' is not registered for resource types 'Microsoft.Compute/disks (eastus),Microsoft.Compute/virtualMachines (eastus)'."}
When I view the Resource Provider status in Azure portal I can see that Microsoft.Compute provider is Registred.
Any ideas on how to solve this? Thanks.
Update
I managed to solve this by creating a sample VM in East US region under that subscription, which I am guessing registered the provider.
For moving resources to another subscription, there are some limitations to that.
The source and destination subscriptions must be in the same tenant.
The resource provider must be registered in both subscriptions.
The account which you use to move the resources must have enough permission.
The service must enable the ability to move resources.
The four points above are the most important. For more details, see Checklist before moving resources.