Azure Policy to disallow Storage account creation
Question
I'm an Azure administrator, and seems like some users can create Azure Storage Accounts without my consent. I would like to see how I can enforce a policy such that I'm the only user that can create them and other users won't be able to do so. I know there are multiple ways to do it, however I'm mostly inerested in a custom policy in Azure. I couldn't really find any examples online. Please note I'm going to use this policy so that it can overwrite any existing RBAC roles etc. Can't go any further with the JSON code below.
{
"policyRule": {
"if": {
"allOf": [{
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
},
{
"field": "Microsoft.Storage/storageAccounts",
"like": "*"
}
]
},
"then": {
"effect": "deny"
}
}
2 answers
solution1
0 2021-04-10 10:36:26
You almost did it but with minor mistake. HEre is working example
Create policy
{
"mode": "All",
"policyRule": {
"if": {
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
},
"then": {
"effect": "deny"
}
},
"parameters": {}
}
Then during assignment set non-complient message
So now anyone who wants to create will see this
solution2
0 2021-04-11 17:53:24
There is a built-in, strongly typed Azure Policy Definition out there. Using it will allow you to easily block next services in the future by changing the assignment parameters.
(/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749).
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.