How to exempt a particular Service Principal (SPN) / App registration from the denial actions enforced by an Azure custom policy

Priyanka Varma 60 Reputation points
2024-04-09T05:12:39.05+00:00

Hello,
I've implemented a deny policy to prevent end users from deploying unauthorized resources. However, this policy is also affecting the automation that runs under the service principal's account.
Now I want to find a way to allow this particular service principal account to perform actions, so that the policy does not deny actions performed by this particular SPN.
Any help would be much appreciated.

Thanks.


Accepted answer
Stanislav Zhelyazkov 21,411 Reputation points MVP
2024-04-09T06:08:24.7833333+00:00

Hi,

There is no way to exempt a particular service principal from a policy assignment. That is the point of a policy assignment: it enforces for everyone. There are the options of an exemption or an exception. By using one of those plus Azure RBAC, so that only specific accounts/groups have certain access, you can achieve that. Of course, that requires that other accounts/groups do not have that access, so they cannot take advantage of the exception/exemption.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

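The pattern the accepted answer describes, as an added example that is not part of the original thread: give the automation identity its own resource group, exempt only that scope from the deny assignment (or exclude it via the assignment's not-scopes), and use RBAC so the service principal is the only principal with write access there. It uses the Az PowerShell module (Az.Resources); the subscription ID, assignment name, application ID, resource group name and location are placeholders, and the 90-day waiver window is an assumed value.

```powershell
# Added example (not from the original thread). Assumes an existing deny assignment
# at subscription scope and an existing app registration for the automation.
# Every value below is a placeholder.
$subscriptionId  = '00000000-0000-0000-0000-000000000000'   # placeholder
$assignmentName  = 'deny-unapproved-resources'              # placeholder: the deny assignment
$automationAppId = '11111111-1111-1111-1111-111111111111'   # placeholder: app (client) ID of the SPN
$automationRg    = 'rg-automation'                          # placeholder
$location        = 'westeurope'                             # placeholder

Connect-AzAccount | Out-Null
Set-AzContext -SubscriptionId $subscriptionId | Out-Null

# 1. A dedicated scope that only the automation identity will be able to write to.
$rg = New-AzResourceGroup -Name $automationRg -Location $location -Force

# 2. Resolve the existing deny assignment (here it lives at subscription scope).
$assignment = Get-AzPolicyAssignment -Name $assignmentName -Scope "/subscriptions/$subscriptionId"

# 3. Exempt that single scope from that single assignment. The waiver is time-boxed
#    (assumed 90 days) so the gap cannot silently outlive the automation that justified it.
New-AzPolicyExemption -Name 'exempt-automation-rg' `
    -PolicyAssignment $assignment `
    -Scope $rg.ResourceId `
    -ExemptionCategory 'Waiver' `
    -DisplayName 'Automation deployments' `
    -Description 'Deployments by the automation service principal that the deny policy would block' `
    -ExpiresOn (Get-Date).AddDays(90).ToUniversalTime()

# Alternative to step 3: exclude the resource group from the assignment instead of exempting it.
# Set-AzPolicyAssignment -Id $assignment.ResourceId -NotScope @($rg.ResourceId)

# 4. Grant the service principal, and nothing else, write access inside that scope only.
$spn = Get-AzADServicePrincipal -ApplicationId $automationAppId
New-AzRoleAssignment -ObjectId $spn.Id -RoleDefinitionName 'Contributor' -ResourceGroupName $automationRg

# 5. Check the precondition from the answer: no other principal may be able to write here.
#    This lists direct and inherited Owner/Contributor assignments on the resource group;
#    anything besides the automation SPN can deploy unapproved resources inside the exempt scope.
Get-AzRoleAssignment -ResourceGroupName $automationRg |
    Where-Object { $_.RoleDefinitionName -in @('Owner', 'Contributor') } |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope
```

Step 5 is the part to watch: users holding Owner or Contributor at the subscription or management-group level inherit those rights into the exempt resource group and bypass the deny there too, so in practice those broad roles have to be replaced with resource-group-scoped ones before the exemption is safe. The exemption only waives the one assignment it references; other deny assignments still apply inside the scope, and the exemption will show up in compliance reporting, which is the desired audit trail.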
