Implementing Azure Policy to Restrict Role Assignments at Subscription Level Except for Specific Service Principal


I'm working on setting up an access control strategy for our Azure landing zones and need assistance with implementing a specific Azure Policy. Here's the scenario:

I want to create a custom role called "landingzone-owner" that allows users to manage role assignments only on resource groups within the subscription, without permissions to modify the subscription itself. Additionally, these users should be able to create new resource groups within the subscription.

My plan is to create a custom role that combines RBAC access permissions with the Contributor role permissions and assign it at the subscription level to "landingzone-owner" users. Furthermore, I want to deny all role assignments made at the subscription level by users, except for a specific service principal.

Could someone please assist me in creating the Azure Policy to enforce this restriction? Specifically, I need help creating a policy that denies role assignments at the subscription level for all users except for the specified service principal. Any guidance or sample policy definitions would be greatly appreciated.

Venkat V On

I need help creating a policy that denies role assignments at the subscription level for all users except for the specified service principal. Any guidance or sample policy definitions would be greatly appreciated.

Here is the Azure Policy that denies role assignments for all users except the specified service principal at the subscription level.

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Authorization/roleAssignments"
        },
        {
          "not": {
            "field": "Microsoft.Authorization/roleAssignments/principalId",
            "equals": "[parameters('allowedServicePrincipalId')]"
          }
        },
        {
          "field": "Microsoft.Authorization/roleAssignments/scope",
          "equals": "[subscription().id]"
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {
    "allowedServicePrincipalId": {
      "type": "String",
      "metadata": {
        "displayName": "Allowed Service Principal ID",
        "description": "The ID of the service principal that is allowed to perform role assignments at the subscription level."
      }
    }
  }
}

Policy Assignment:


Ensure that you include your Service Principal ID when assigning the policy.


After applying the policy, it denies the role assignment at the subscription level.


The role has been assigned to the given service principal at the subscription level.

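To see exactly which requests the policy in the answer above blocks, the following Python script (an added example, not part of the question or the answer) re-implements just enough of the Azure Policy rule language (`allOf`, `not`, `field`/`equals`, `[parameters(...)]` and `[subscription().id]`) to walk constructed role-assignment requests through that rule. The subscription ID and principal IDs are placeholders. One point the walk-through makes visible: the `principalId` alias is the identity *receiving* the role, not the identity submitting the request, so the rule allows subscription-scope assignments only when the allowed service principal is the assignee, and it does not distinguish who performed the assignment. Like Azure Policy, the comparison of strings is case-insensitive.

```python
"""Local walk-through of the deny policy from the answer above.

Added example: it is not Azure's evaluation engine, only a small re-implementation
of the four constructs the policy uses, applied to constructed sample requests.
"""
import re

SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"  # constructed placeholder
ALLOWED_SP_ID = "11111111-1111-1111-1111-111111111111"    # constructed placeholder
USER_OBJECT_ID = "22222222-2222-2222-2222-222222222222"   # constructed placeholder

# The policy rule exactly as given in the answer.
POLICY = {
    "mode": "All",
    "policyRule": {
        "if": {
            "allOf": [
                {"field": "type", "equals": "Microsoft.Authorization/roleAssignments"},
                {"not": {"field": "Microsoft.Authorization/roleAssignments/principalId",
                         "equals": "[parameters('allowedServicePrincipalId')]"}},
                {"field": "Microsoft.Authorization/roleAssignments/scope",
                 "equals": "[subscription().id]"},
            ]
        },
        "then": {"effect": "deny"},
    },
}

# Parameter value supplied at assignment time (the "Allowed Service Principal ID" field).
PARAMS = {"allowedServicePrincipalId": ALLOWED_SP_ID}


def resolve(value, params, subscription_id):
    """Expand the two template expressions the rule uses; other values are literals."""
    m = re.fullmatch(r"\[parameters\('(\w+)'\)\]", value)
    if m:
        return params[m.group(1)]
    if value == "[subscription().id]":
        return f"/subscriptions/{subscription_id}"
    return value


def field_value(request, field):
    """'type' is the resource type; an alias resolves to the like-named property."""
    if field == "type":
        return request["type"]
    return request["properties"].get(field.rsplit("/", 1)[1])


def matches(cond, request, params, subscription_id):
    """Evaluate one condition node of the 'if' block (case-insensitive string equality)."""
    if "allOf" in cond:
        return all(matches(c, request, params, subscription_id) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, request, params, subscription_id) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], request, params, subscription_id)
    if "field" in cond and "equals" in cond:
        actual = field_value(request, cond["field"])
        expected = resolve(cond["equals"], params, subscription_id)
        return actual is not None and actual.lower() == expected.lower()
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(request, params=PARAMS, subscription_id=SUBSCRIPTION_ID):
    """Return the policy effect for a request: 'deny' if the rule matches, else 'allow'."""
    rule = POLICY["policyRule"]
    if matches(rule["if"], request, params, subscription_id):
        return rule["then"]["effect"]
    return "allow"


def role_assignment(scope, principal_id):
    """Build a constructed roleAssignments PUT body with the properties the rule inspects."""
    return {
        "type": "Microsoft.Authorization/roleAssignments",
        "properties": {
            "scope": scope,
            "principalId": principal_id,
            "roleDefinitionId": "<role-definition-id-placeholder>",
        },
    }


def sample_results():
    """Four representative requests and the effect each receives."""
    sub = f"/subscriptions/{SUBSCRIPTION_ID}"
    return {
        "sub scope, allowed SP as assignee": evaluate(role_assignment(sub, ALLOWED_SP_ID)),
        "sub scope, user as assignee": evaluate(role_assignment(sub, USER_OBJECT_ID)),
        "RG scope, user as assignee": evaluate(role_assignment(f"{sub}/resourceGroups/app-rg", USER_OBJECT_ID)),
        "sub scope, upper-case path, user": evaluate(role_assignment(sub.upper(), USER_OBJECT_ID)),
    }


if __name__ == "__main__":
    for label, effect in sample_results().items():
        print(f"{effect:5}  {label}")
```

The resource-group case passes because the `scope` property is the full resource-group path, which is not equal to `[subscription().id]`; that is what leaves "landingzone-owner" users free to assign roles on their own resource groups while subscription-level assignments to anyone but the allowed service principal are denied.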