Restrict azure role assignment only to group by azure policy

Question

I want to make an azure policy to restrict giving user's direct access to azure resource. Administrator should give access to security group not a single user.

"policyRule": {
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Authorization/roleAssignments"
      },
      {
        "field": "Microsoft.Authorization/roleAssignments/principalType",
        "equals": "User"
      }
    ]
  },
  "then": {
    "effect": "audit"
  }
}

I created this policy rule and assigned to a specific subscription. But nothing happened. No resource is checked. There are 5 different role assignments assigned on this subscription.

Answer 1

I created one Azure Policy definition in the json format below:-

{ 

  "properties": { 

    "displayName": "Allow azure ad role assignments only to groups and not user level", 

    "policyType": "Custom", 

    "mode": "All", 

    "description": "This policy will allow admins to only assign role assignment at group level and not user level", 

    "metadata": { 

      "category": "Azure Active Directory", 

      "createdBy": "a5487xxxxxxx9a7", 

      "createdOn": "2022-12-15T15:14:30.5246747Z", 

      "updatedBy": "xx487xxxxxa9a7", 

      "updatedOn": "2022-12-15T15:39:26.9459792Z" 

    }, 

    "parameters": {},    

    "policyRule": { 

      "if": { 

        "allOf": [ 

          { 

            "field": "type", 

            "equals": "Microsoft.Authorization/roleAssignments" 

          }, 

          { 

            "anyOf": [ 

              { 

                "field": "Microsoft.Authorization/roleAssignments/principalType", 

                "equals": "User" 

              } 

            ] 

          }, 

          { 

            "anyOf": [ 

              { 

                "not": { 

                  "field": "Microsoft.Authorization/roleAssignments/principalType", 

                  "equals": "Group" 

                } 

              }, 

              { 

 

                "not": { 

                  "field": "Microsoft.Authorization/roleAssignments/createdBy", 

                  "in": [ 

                    "a548xxxxca2fa9a7" 

                  ] 

                } 

              } 

            ] 

          } 

        ] 

      }, 

      "then": { 

        "effect": "deny" 

      } 

    } 

  }, 

  "id": "/subscriptions/0151xxxe2b6xxxa7/providers/Microsoft.Authorization/policyDefinitions/1xxx1c", 

  "type": "Microsoft.Authorization/policyDefinitions", 

  "name": "18dxxx1c", 

  "systemData": { 

    "createdBy": "sidxxi@outlook.com", 

    "createdByType": "User", 

    "createdAt": "2022-12-15T15:14:30.4550288Z", 

    "lastModifiedBy": "sidxxdesai@outlook.com", 

    "lastModifiedByType": "User", 

    "lastModifiedAt": "2022-12-15T15:39:26.9052179Z" 

  } 

Now, I am assigning this policy at the subscription level in azure.

After assigning this Policy when I tried to add UserB Contributor role at subscription level I could not assign the policy as it got denied: -

Now, Admin cannot assign any user with any Azure RBAC role assignments. So users do not have any access to any resources in Azure.

Now, I tried to add Azure Policy to azure group and the group got the contributor role assigned successfully, Refer here:

Role got assigned successfully to DnsUpdateProxy Group

Note:

But this Policy does not work at azure ad role level, when I tried to assign Azure AD application administrator role with my global administrator account to UserB, the role was assigned successfully, If you assign this role at Group level the users inside the group will have all the roles assigned to them by inheritance,

Note-

1. Azure RBAC roles which are used to provide users access to resources are different than Azure AD roles which are used to perform azure AD, Microsoft 365, Intune, exchange Identity etc related tasks.
2. Also, Azure Policies are applied at subscription, management group, Resource group or at the resource level. And they cannot be explicitly applied at Azure AD objects. Users, Groups, Device, applications, these are all Azure AD objects.

Also Note-

By default when you create a new user or invite a New User in your Azure AD tenant the user does not have any Azure Ad role assigned unless global administrator assigns the role to that user.

Only the user with Global administrator role can assign Azure AD roles to other Users or groups. The User themselves cannot assign any roles. Also, its not possible to assign Azure AD roles only to Azure security group and not to users.

It is possible with RBAC as above but not with Azure AD roles as Global administrator role comes with complete access to all the features and services in Azure tenant and you cannot restrict Global administrator from performing any tasks in Azure AD.

For now, There's no feature in azure to restrict global administrator to apply roles only at Security group level and not at user level. Also, there's no Azure policy to restrict this yet. As a workaround, You can have 1 User with global administrator role assigned who can create all the roles for your users and groups. Other users apart from global administrator role cannot add assignment to users.

I have added user Administrator role to UserB, Still UserB cannot perform Add assignment task as its greyed out and only supported for Global administrator role, refer below:-

This applies for all the users except for the user with global administrator role. I am able to add assignments with my global administrator account , refer below:-

Thus, You can have just one global administrator and other users won't have access to any Azure AD feature unless your global administrator assigns them Azure Ad roles.

References:

1. https://learn.microsoft.com/en-us/answers/questions/857740/azure-arm-policy-to-deny-role-assignments-only-for.html
2. Azure Policy to restrict role based access control(IAM) to users at Resource group level in Azure