Create Azure Policy to add role to resource group

Mateusz 0 Reputation points
2024-02-15T21:32:33.2+00:00

Hello. I would like to create an Azure Policy at subscription scope that ensures that, for all resource groups (new and existing) whose names start with 'xyz-', the 'owner' role is granted to the user with ID 'principalId'. Here is my code:

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Resources/subscriptions/resourceGroups"
        },
        {
          "value": "[startsWith(field('name'), 'xyz-')]",  
          "equals": "true"
        }
      ]
    },
    "then": {
      "effect": "deployIfNotExists",
      "details": {
        "type": "Microsoft.Resources/subscriptions/resourceGroups",
        "name": "current",
        "evaluationDelay": "AfterProvisioning",
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
        ],
        "deployment": {
          "properties": {
            "mode": "incremental",
            "template": {
              "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "parameters": {
                "targetPrincipalId'": {
                  "type": "string"
                }
              },
              "resources": [
                {
                  "type": "Microsoft.Authorization/roleAssignments",
                  "apiVersion": "2022-04-01",
                  "name": "group-owner",
                  "properties": {
                    "roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
                    "principalId": "[parameters('targetPrincipalId')]"
                  }
                }
              ]
            },
            "parameters": {
              "targetPrincipalId": {
                "value": "[parameters('principalId')]"
              },
              "resourceGroupId" : {
                "value": "[field('id')]"
              }
            }
          }
        }
      }
    }
  },
  "parameters": {
    "principalId": {
      "type": "String",
      "metadata": {
        "displayName": "principalId",
        "description": "Principal IDs to grant 'Owner' role to groups prefixed with 'xyz-'."
      }
    }
  }
}

I can't make it work: I still see the error message "ResourceGroupNotFound" in the Compliance Reason field. Could you help me solve this? Or is there a better option to achieve my goal?


2 answers

  1. Sergii Bielskyi 75 Reputation points MVP
    2024-02-16T03:02:46.3766667+00:00

    You can try this example

    {
      "properties": {
        "displayName": "Require resource groups to have a specific tag",
        "policyType": "Custom",
        "mode": "All",
        "description": "This policy requires that all resource groups have a tag named 'Environment' with a value of either 'Dev', 'Test', or 'Prod'.",
        "parameters": {
          "tagName": {
            "type": "String",
            "metadata": {
              "displayName": "Tag Name",
              "description": "Name of the tag, such as 'Environment'"
            },
            "defaultValue": "Environment"
          },
          "tagValues": {
            "type": "Array",
            "metadata": {
              "displayName": "Tag Values",
              "description": "List of allowed values for the tag, such as 'Dev', 'Test', or 'Prod'"
            },
            "defaultValue": [
              "Dev",
              "Test",
              "Prod"
            ]
          }
        },
        "policyRule": {
          "if": {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Resources/subscriptions/resourceGroups"
              },
              {
                "not": {
                  "field": "[concat('tags[', parameters('tagName'), ']')]",
                  "in": "[parameters('tagValues')]"
                }
              }
            ]
          },
          "then": {
            "effect": "deny"
          }
        }
      }
    }
    
    

  2. SwathiDhanwada-MSFT 17,726 Reputation points
    2024-02-28T07:00:34.27+00:00

    @Mateusz Here is a sample policy, for your reference, showing how to assign permissions on a specific resource group.

    {
      "properties": {
        "displayName": "Roleeg",
        "policyType": "Custom",
        "mode": "All",
        "version": "1.0.0",
        "parameters": {
          "effect": {
            "type": "String",
            "metadata": {
              "displayName": "Effect",
              "description": "Enable or disable the execution of the policy"
            },
            "allowedValues": [
              "DeployIfNotExists",
              "Disabled"
            ],
            "defaultValue": "DeployIfNotExists"
          },
          "principalId": {
            "type": "String",
            "metadata": {
              "displayName": "principalId",
              "description": "The principal to assign the role to"
            }
          },
          "builtInRoleType": {
            "type": "String",
            "metadata": {
              "displayName": "builtInRoleType",
              "description": "Built-in role to assign"
            },
            "allowedValues": [
              "Owner"
            ]
          }
        },
        "policyRule": {
          "if": {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Resources/subscriptions/resourceGroups"
              },
              {
                "not": {
                  "value": "[startsWith(field('name'), 'xyz-')]",
                  "equals": false
                }
              }
            ]
          },
          "then": {
            "effect": "[parameters('effect')]",
            "details": {
              "type": "Microsoft.Authorization/roleAssignments",
              "existenceCondition": {
                "allOf": [
                  {
                    "field": "Microsoft.Authorization/roleAssignments/roleDefinitionId",
                    "equals": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
                  },
                  {
                    "field": "Microsoft.Authorization/roleAssignments/principalId",
                    "equals": "[parameters('principalId')]"
                  }
                ]
              },
              "roleDefinitionIds": [
                "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
              ],
              "deployment": {
                "properties": {
                  "mode": "incremental",
                  "template": {
                    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                    "contentVersion": "1.0.0.0",
                    "parameters": {
                      "principalId": {
                        "type": "string",
                        "metadata": {
                          "description": "The principal to assign the role to"
                        }
                      },
                      "builtInRoleType": {
                        "type": "string",
                        "allowedValues": [
                          "Owner"
                        ],
                        "DefaultValue": "Owner",
                        "metadata": {
                          "description": "Built-in role to assign"
                        }
                      },
                      "roleNameGuid": {
                        "type": "string",
                        "defaultValue": "[newGuid()]",
                        "metadata": {
                          "description": "A new GUID used to identify the role assignment"
                        }
                      }
                    },
                    "variables": {
                      "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]"
                    },
                    "resources": [
                      {
                        "type": "Microsoft.Authorization/roleAssignments",
                        "apiVersion": "2022-04-01",
                        "name": "[parameters('roleNameGuid')]",
                        "properties": {
                          "roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
                          "principalId": "[parameters('principalId')]"
                        }
                      }
                    ]
                  },
                  "parameters": {
                    "builtInRoleType": {
                      "value": "[parameters('builtInRoleType')]"
                    },
                    "principalId": {
                      "value": "[parameters('principalId')]"
                    }
                  }
                }
              }
            }
          }
        },
        "versions": [
          "1.0.0"
        ]
      }
    }
    