This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(259.20000000000005, 68%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
Hello,
Is it possible to bypass Azure policy for specific AD users or AD groups while creating objects in AKS
Hey @KarishmaTiwari-MSFT , could you please help on this. Thank you.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 98%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKM%3C/text%3E%3C/svg%3E)
@Tanul Let me investigate it and get back to you. Thanks.
@KarishmaTiwari-MSFT Thanks
Hope you are doing well. Did you get any update on this.
Hello @Tanul !
Do you have an update on your issue ?
In case any answer helped kindly mark it as Accepted and upvote so others can benefit as well!
Regards
Hello @Tanul !
Can you try the following :
One way to do this is to use policy exemptions, which allow you to exclude specific resources or resource groups from policy enforcement. To create a policy exemption, you would need to create a new policy assignment with a higher priority than the policy that you want to bypass, and then configure the policy assignment to exclude the specific resources or resource groups that you want to exempt.
To exclude specific AD users or AD groups from policy enforcement, you can use the "NotIn" condition in your policy rules to exclude the user or group from the policy scope. For example, you could create a policy rule that requires AKS resources to be created in a specific resource group, but exclude a specific AD group from the policy scope:
{
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.ContainerService/ManagedClusters"
},
{
"not": {
"field": "tags['ExcludeFromPolicy']",
"equals": "True"
}
},
{
"not": {
"field": "owner",
"in": "[parameters('ExcludedADGroups')]"
}
}
]
},
"then": {
"effect": "deny"
}
}
Here, the policy rule denies the creation of AKS resources if they are not tagged with "ExcludeFromPolicy" or if the resource owner is not a member of an AD group specified in the "ExcludedADGroups" parameter.
If the Answer is helpful, please click "Accept Answer" and upvote it.
Regards
Its not about creating resources at Azure level. Its regarding creating pods, deployments inside kubernetes.
Consider we have a policy not allowing pod creation with root privileges. Is it possible to bypass this scenario if users from specific AD group try to deploy the same pod via kubectl command.
I need to make azure policy applicable for normal or ci/cd users. But Admin or SRE needs full control to debug the AKS. In such cases policies might create hindrances for them when they try to deploy K8s objects for debugging.
Hello
Then this is what you need :
https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have further questions about this answer, please click "Comment".
Regards
But how to do that. I read these links. Its not specified anything related to bypass the policy for specific azure ad users/groups
Hello @Tanul
I thnk this link can help a lot
https://dev.to/cse/bypassing-policies-in-azure-29fc
Kindly post an update
If this heped please mark it as Accepted!
Regards
But how to specify details of AD groups or users in it. Do you have any sample. This one I have checked before. What to specify in if condition
Hello @Tanul
Removed - No option for Principal in Policy
I am working on a solution for this
I am afraid i cannot make it happen without an integraton , for example Azure Functions
But i am not positive or negative yet
I thought that this was already there , but it is not you are right!
Funny thing , it occured to me as a need , so if you kindly can wait , in case a solution i am working now does what we need , we can both benefit !
I have a question though
The otion to lock the specific resource group so only a specific Object ID has Permissions is not acceptable ?
For example , a Resource Group where a SPECIFIC group has permissions ? or each resource group which starts with a specific prefix ?
Regards
Removed - Please wait for Update!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(224.00000000000003, 22%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESC%3C/text%3E%3C/svg%3E)
is there any luck on this, i am also having same requirement but cant find option to exclude user principal or ad groups in policy definition.