I am currently helping investigate adopting Azure for my organization's public cloud. One of the tasks I have been assigned is locking down accounts to prevent users from being able to elevate their permissions within a subscription.
One of the things in particular I am interested in is denying the creation of Custom Roles, as we don't want people to go and start creating their own roles until the need for the role has been vetted by security.
I have been trying to do this via an Azure policy with the following definition
{
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Authorization/roleDefinitions"
},
{
"field": "Microsoft.Authorization/roleDefinitions/type",
"equals": "CustomRole"
}
]
},
"then": {
"effect": "Deny"
}
}
It was actually just the built in "Audit Custom Roles" policy copied over and changing the effect from "Audit" to "Deny"
However I have applied this policy to the Management Group that contains the subscription I am testing with, and yet when I login to the CLI and try and create a new custom role it goes ahead and creates the role.
I have ensured that the policy is present on the subscription, and I have confirmed that I am in the correct subscription in the CLI (using az account show) yet I am still allowed to create custom roles.
Is this just not something Azure supports, or is there something else I am missing? Any help or guidance would be greatly appreciated as the Microsoft docs and the numerous examples available online don't seem to have any information on controlling roles with policies.
P.S.
I know that you can control roles to some extent through policies as we have another policy that prevents the assignment of a certain set of roles from happening and that does work.
It looks like Azure CLI creates the role definition without populating the "type" field. The following policy will handle this:
{
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Authorization/roleDefinitions"
},
{
"anyOf": [
{
"field": "Microsoft.Authorization/roleDefinitions/type",
"equals": "CustomRole"
},
{
"field": "Microsoft.Authorization/roleDefinitions/type",
"exists": "false"
}
]
}
]
},
"then": {
"effect": "Deny"
}
}
Related
I'm trying to enforce Azure AD Only Autentication on Azure SQL Server.
There is already an Built-In Policy which enforces it only for newly
created Resources but there is still the possibility after creation
to change it back to Local SQL Admin Authentication, this gap I want to close with Azure Policy.
I tried already to create a Policy with "azureADOnlyAuthentication" property.
but this did not work and I don't get it. Does someone have any idea?
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Sql/servers"
},
{
"field": "Microsoft.Sql/servers/administrators.azureADOnlyAuthentication",
"notequals": true
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
}
},
While creating a policy for Azure AD only authentication in SQL server, make sure to include below attributes:
The Policy Effect: DeployIfNotExist : If condition is not met it will generate a deployment.
The ExistenceCondition : If Azure SQL Server does not accept Azure AD Authentication only, then it executes a deployment.
Deployment : Deployment property contains the ARM template, which is incremental. The parameter is filled with the expression [field(‘name’)]
Please check the below sample if helpful:
"policyRule":{
"if":{
"allOf":[
{
"field":"type",
"equals":"Microsoft.Sql/servers"
}
]
},
"then":{
"effect":"deployIfNotExists",
"details":{
"type":"Microsoft.Sql/servers/azureADOnlyAuthentications",
"existenceCondition":{
"allOf":[
{
"field":"Microsoft.Sql/servers/azureADOnlyAuthentications/azureADOnlyAuthentication",
"equals":true
}
]
},
"deployment":{
"properties":{
"mode":"incremental",
"name":"Default",}}
For more in detail please refer below link:
Azure SQL: Enforcing Azure AD Only Authentication - Simple Talk (red-gate.com)
I'm having a hard time to create a policy to deny the creation of network interfaces when the vnic is not connected to specific vnet\subnets (allowed vnets have a specific tag)
It looks like I can restrict the creation based on the network interface fields. In this case the only idea that came to my mind was to have a parameter configured with a list of allowed subnet ids, and deny based on this parameters. In this case I would need to build a separated mechanism to update this policy definition (Maybe a powershell script).
Just would like to ask if this is a good way to get it done and ask for suggestions,
Thanks
Rob
There is workaround ie built-in policy in azure “require an tag on resources” means under selected resource group when you create any resource without having any tag it will failed . Assign this policy in your resource group.
I have named tag ‘Rahul’ without Rahul Tag I won’t be able to create any resource under resource group
Here I repro and found without any specified tag I cannot able create any resources.
Was able to get it done using this:
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/networkInterfaces"
},
{
"count": {
"field": "Microsoft.Network/networkInterfaces/ipconfigurations[*]",
"where": {
"value": "[substring(current('Microsoft.Network/networkInterfaces/ipconfigurations[*].subnet.id'),0,lastIndexOf(current('Microsoft.Network/networkInterfaces/ipconfigurations[*].subnet.id'),'/'))]",
"notIn": "[parameters('subnetId')]"
}
},
"greater": 0
}
]
},
"then": {
"effect": "deny"
}
},
And I'll pupulate the parameter with my vnets using the Set-AzPolicyAssignment to update the parameter.
I've created a policy with the subnet as a paremeter, and will use Set-AzPolicyAssignment to update the list of allowed subnets in the policy assignment parameter – TheRob
I am trying to deny the creation of NSG rules with ports SSH & RDP exposed to any IP address. I would like the rule to be able to exist if source IP addresses are provided for restriction. I have been able to successfully block the opening of ports 22 and 3389 using Azure Policy, but haven't been able to get Azure Policy to decipher whether to allow or Deny depending on if source IPs are listed or not.
Here is the Policy:
{
"if": {
"allOf": [
{
"not": {
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix",
"equals": "*"
}
},
{
"anyOf": [
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
"equals": "22"
},
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
"equals": "3389"
}
]
}
]
},
"then": {
"effect": "deny"
}
}
When this Policy is applied I am still able to create a anyany NSG rule on ports 22 and/or 3389, as if the policy were not in affect. As mentioned before I did get a Policy working that blocked RDP and SSH in any situation
I pulled the fields in the Json using the Azure CLI. Here is the list:
Microsoft.Network/networkSecurityGroups/securityRules[*].protocol
Microsoft.Network/networkSecurityGroups/securityRules[*].sourcePortRange
Microsoft.Network/networkSecurityGroups/securityRules[*].sourcePortRanges[*]
Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange
Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]
Microsoft.Network/networkSecurityGroups/securityRules[*].sourceApplicationSecurityGroups[*]
Microsoft.Network/networkSecurityGroups/securityRules[*].destinationApplicationSecurityGroups[*]
Microsoft.Network/networkSecurityGroups/securityRules[*].priority
Microsoft.Network/networkSecurityGroups/securityRules[*].direction
Microsoft.Network/networkSecurityGroups/securityRules[*].access
Microsoft.Network/networkSecurityGroups/securityRules[*].destinationAddressPrefix
Microsoft.Network/networkSecurityGroups/securityRules[*].destinationAddressPrefixes[*]
Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix
Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]
Microsoft.Network/networkSecurityGroups/securityRules[*].description
Microsoft.Network/networkSecurityGroups/securityRules[*].provisioningState
Microsoft.Network/networkSecurityGroups/securityRules[*].name
Microsoft.Network/networkSecurityGroups/securityRules[*].etag
Microsoft.Network/networkSecurityGroups/securityRules[*]
Microsoft.Network/networkSecurityGroups/securityRules
Microsoft.Network/networkSecurityGroups/securityRules[*].id
Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes
Microsoft.Network/networkSecurityGroups/securityRules[*].destinationAddressPrefixes
Microsoft.Network/networkSecurityGroups/securityRules[*].sourcePortRanges
Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges
Microsoft.Network/networkSecurityGroups/securityRules[*].sourceApplicationSecurityGroups[*].resourceGuid
Microsoft.Network/networkSecurityGroups/securityRules[*].sourceApplicationSecurityGroups[*].provisioningState
Microsoft.Network/networkSecurityGroups/securityRules[*].sourceApplicationSecurityGroups[*].etag
Microsoft.Network/networkSecurityGroups/securityRules[*].sourceApplicationSecurityGroups
Microsoft.Network/networkSecurityGroups/securityRules[*].sourceApplicationSecurityGroups[*].id
Microsoft.Network/networkSecurityGroups/securityRules[*].sourceApplicationSecurityGroups[*].name
Microsoft.Network/networkSecurityGroups/securityRules[*].sourceApplicationSecurityGroups[*].type
Microsoft.Network/networkSecurityGroups/securityRules[*].sourceApplicationSecurityGroups[*].location
Microsoft.Network/networkSecurityGroups/securityRules[*].sourceApplicationSecurityGroups[*].tags
Microsoft.Network/networkSecurityGroups/securityRules[*].destinationApplicationSecurityGroups[*].etag
Microsoft.Network/networkSecurityGroups/securityRules[*].destinationApplicationSecurityGroups
Microsoft.Network/networkSecurityGroups/securityRules/protocol
Microsoft.Network/networkSecurityGroups/securityRules/sourcePortRange
Microsoft.Network/networkSecurityGroups/securityRules/sourcePortRanges[*]
Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange
Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]
Microsoft.Network/networkSecurityGroups/securityRules/sourceApplicationSecurityGroups[*]
Microsoft.Network/networkSecurityGroups/securityRules/destinationApplicationSecurityGroups[*]
Microsoft.Network/networkSecurityGroups/securityRules/priority
Microsoft.Network/networkSecurityGroups/securityRules/direction
Microsoft.Network/networkSecurityGroups/securityRules/access
Microsoft.Network/networkSecurityGroups/securityRules/destinationAddressPrefix
Microsoft.Network/networkSecurityGroups/securityRules/destinationAddressPrefixes[*]
Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix
Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]
Microsoft.Network/networkSecurityGroups/securityRules/description
Microsoft.Network/networkSecurityGroups/securityRules/provisioningState
Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes
Microsoft.Network/networkSecurityGroups/securityRules/destinationAddressPrefixes
Microsoft.Network/networkSecurityGroups/securityRules/sourcePortRanges
Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges
Microsoft.Network/networkSecurityGroups/securityRules/sourceApplicationSecurityGroups[*].resourceGuid
Microsoft.Network/networkSecurityGroups/securityRules/sourceApplicationSecurityGroups[*].provisioningState
Microsoft.Network/networkSecurityGroups/securityRules/sourceApplicationSecurityGroups[*].etag
Microsoft.Network/networkSecurityGroups/securityRules/sourceApplicationSecurityGroups
Microsoft.Network/networkSecurityGroups/securityRules/sourceApplicationSecurityGroups[*].id
Microsoft.Network/networkSecurityGroups/securityRules/sourceApplicationSecurityGroups[*].name
Microsoft.Network/networkSecurityGroups/securityRules/sourceApplicationSecurityGroups[*].type
Microsoft.Network/networkSecurityGroups/securityRules/sourceApplicationSecurityGroups[*].location
Microsoft.Network/networkSecurityGroups/securityRules/sourceApplicationSecurityGroups[*].tags
Microsoft.Network/networkSecurityGroups/securityRules/destinationApplicationSecurityGroups[*].etag
Microsoft.Network/networkSecurityGroups/securityRules/destinationApplicationSecurityGroups
If I could please receive some assistance on determining what I may have wrong, it would be greatly appreciated.
IMHO, this cannot be achieved using Azure Policies (alone). Azure Policies are used to enforce different rules and effects over your resources, rather than on the entities performing them.
Therefore, consider exploring other services like RBAC or Conditional Access, which offer more features and control over aspects like geo-location.
Does anyone have any idea as to how I can restrict the IP addresses added to the SQL firewall rule via policy?
I have been attempting it for a while now, my policy looks like the below... i have tried everything - is there something im overlooking? :
{
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.SQL/servers/firewallRules"
},
{
"Not": {
"anyOf": [
{
"field": "Microsoft.Sql/servers/firewallRules/startIpAddress",
"in": "[parameters('StartIP')]"
},
{
"field": "Microsoft.Sql/servers/firewallRules/endIpAddress",
"in": "[parameters('EndIP')]"
}
]
}
}
]
},
"then": {
"effect": "Deny"
}
}
But it always throws a policy error when I update the firewall rules despite whats provided in the policy assignment.
For example, if my parameters are both " 0.0.0.0;8.8.8.8 "I would think i could have the access to Azure services enabled and 8.8.8.8 but that's not the case - I just get the same old denied due to policy error.
If I use just 0.0.0.0 as the parameter on the assignment I can provision new SQL servers, with it removed I cannot which leads me to believe that to some extent, the policy is working.
I know I can do the whole vnet route and use NSGS to accomplish just about the same thing; however, my organization does not want to go this route and would rather it be done in policy.
I don't have enough reputation to comment on your question. However, make sure you are being careful with your assignment parameters when entering them in the Portal. It takes the strings as-is so if you entered " 0.0.0.0;8.8.8.8 " as you specified the leading and trailing space would mess up the comparisons.
You can check to see what the exact parameter values are in the assignment by using the Get-AzureRmPolicyAssignment powershell cmdlet (or similar Azure CLI commands). To make using the cmdlet easier the full ID of the assignment is exposed on the assignment's compliance view in the Portal.
I am trying to create an Azure policy which I can assign at the subscription level, and control the naming of the resource groups in the subscription.
Policies need to target a resource type or otherwise limit their application, else they apply globally to all resources.
What resource type (or other method) can I use to limit my validation to the resource group name only?
Here is what I am trying:
$definition = New-AzureRmPolicyDefinition -Name resourceGroupNamePatterns
-Description "Restrict resource group names to allowed prefixes only" -Policy '{
"if": {
"allOf": [
{
"not": {
"field": "name",
"like": "Pattern1-*"
}
},
{
"not": {
"field": "name",
"like": "Pattern2-*"
}
},
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourcegroups"
}
]
},
"then": {
"effect": "deny"
}
}'
Not sure if this question is still relevant, but at the time of posting Azure Policy did not support evaluation on resource groups.
The policy definition provided in the question is correct.
Please try updating your powershell version, and updating the policy definition. It will default to mode: all which in turn will enable policy evaluation on resource groups.
Documentation about Policy mode: https://learn.microsoft.com/en-us/azure/azure-policy/policy-definition
Mode
The mode determines which resource types will be evaluated for a policy. The supported modes are:
all: evaluate resource groups and all resource types
indexed: only evaluate resource types that support tags and location
We recommend that you set mode to all. All policy definitions created through the portal use the all mode. If you use PowerShell or Azure CLI, you need to specify the mode parameter and set it to all.
The resource groups are Microsoft.Resources/subscriptions/resourcegroups type. You can kinda infer that from the resource provider operations:
Get-AzureRmProviderOperation 'Microsoft.Resources/*'