MolloyFrank-7818 asked · JamesTran-MSFT edited

Is there a way to prevent external invited users from being in IAM roles on a subscription?

Looking to see if it's possible to prevent/block guest accounts from IAM roles on a subscription.

azure-rbac

JamesTran-MSFT answered · JamesTran-MSFT edited

@MolloyFrank-7818
Thanks for your time and patience throughout this issue!

Deny meaning, it denies to everyone except the ones we want to have access to it?
- Yes, you can create a Deny Assignment for all principals (all users, groups, service principals, and managed identities in an Azure AD directory). However, you can exclude some principals (i.e. certain users or groups) from this Deny assignment.

It seems like a good idea for something which has limited access to begin with, but it sounds difficult to implement when there are a lot of users and groups which have access?
- When it comes to our RBAC best practices, to make role assignments more manageable, avoid assigning roles directly to users. Instead, assign roles to groups. Assigning roles to groups instead of users also helps minimize the number of role assignments.

It sounds like you're suggesting RBAC in that owners or administrators should know what type of access they are granting (or not granting) which could include not adding "guest" accounts to an IAM role?
- Yes. Users in an Owner/Admin role should follow our RBAC best practices documentation and only grant the access users need, rather than granting unneeded IAM roles to guest users.


If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


JamesTran-MSFT answered · MolloyFrank-7818 commented

@MolloyFrank-7818
Thank you for your post!

Similar to a role assignment within IAM, you can leverage the Deny assignment feature. This feature attaches a set of deny actions to a user, group, or service principal at a particular scope for the purpose of denying access. Deny assignments block users from performing specific Azure resource actions even if a role assignment grants them access.


As of right now, Azure Blueprints and Azure managed apps are the only way that deny assignments can be created. You can't directly create your own deny assignments. For more information see Understand resource locking in Azure Blueprints.


If this feature doesn't meet your requirements, I'd recommend providing feedback/creating a feature request within our User Voice forum so our engineering team can take a closer look into implementing this.


If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.



@MolloyFrank-7818
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?


Hi James,

So technically there's no way to block guest accounts from being added to an IAM role in a subscription beyond using the Deny Assignment?
Reading about the Deny Assignment, that is applied using Blueprints, but in order to use that method would it only apply to new resources?

Is there a way to alert when a guest account is added to an IAM role in a subscription?


thanks, Frank


@MolloyFrank-7818
For Azure Blueprints it should apply to current resources as well.

I did some more research and you can try implementing a Deny Assignment for All Principals, and then exclude some principals from this deny assignment. I'd also recommend following our Best practices for Azure RBAC to only grant the access users need. For example, to assign RBAC roles, the prerequisite is for users to have the Microsoft.Authorization/roleAssignments/write permission, such as User Access Administrator or Owner.



If you have any other questions, please let me know.
Thank you for your time and patience!


Thanks James, it's good that it can apply to current resources.

Deny meaning, it denies to everyone except the ones we want to have access to it?
It seems like a good idea for something which has limited access to begin with, but it sounds difficult to implement when there are a lot of users and groups which have access?

It sounds like you're suggesting RBAC in that owners or administrators should know what type of access they are granting (or not granting) which could include not adding "guest" accounts to an IAM role?
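Added example (not from this thread, and not a Microsoft tool): a small audit that answers Frank's question about alerting on guest accounts holding IAM roles in a subscription. It consumes records in the JSON shape produced by `az role assignment list --all -o json`; the assignments embedded below are constructed, and the `#EXT#` marker in the user principal name is used as the guest heuristic (the authoritative check is the directory user's userType being Guest).

```python
import json
import re

# Constructed sample in the shape of `az role assignment list --all -o json`
# output; the subscription IDs, names and scopes are made up for this example.
SAMPLE_ASSIGNMENTS_JSON = """
[
  {"principalName": "alice@contoso.onmicrosoft.com", "principalType": "User",
   "roleDefinitionName": "Owner",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
  {"principalName": "bob_fabrikam.com#EXT#@contoso.onmicrosoft.com", "principalType": "User",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-app"},
  {"principalName": "deploy-sp", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
  {"principalName": "carol_partner.org#EXT#@contoso.onmicrosoft.com", "principalType": "User",
   "roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000002"}
]
"""

# Invited (B2B) users get a UPN of the form <local>_<domain>#EXT#@<tenant>.
# Heuristic only: userType == Guest on the directory object is authoritative.
GUEST_UPN = re.compile(r"#EXT#@", re.IGNORECASE)

def load_assignments(text):
    """Parse the JSON array returned by the CLI into a list of dicts."""
    return json.loads(text)

def is_guest_principal(assignment):
    """True for a user principal whose UPN carries the #EXT# guest marker."""
    if assignment.get("principalType") != "User":
        return False
    return bool(GUEST_UPN.search(assignment.get("principalName") or ""))

def scope_in_subscription(scope, subscription_id):
    """Match the subscription itself and any resource group or resource beneath it."""
    prefix = f"/subscriptions/{subscription_id}".lower()
    s = scope.lower()
    return s == prefix or s.startswith(prefix + "/")

def find_guest_assignments(assignments, subscription_id):
    """Return (principalName, role, scope) for every guest holding a role in the subscription."""
    return [
        (a["principalName"], a["roleDefinitionName"], a["scope"])
        for a in assignments
        if is_guest_principal(a) and scope_in_subscription(a["scope"], subscription_id)
    ]

if __name__ == "__main__":
    for name, role, scope in find_guest_assignments(
            load_assignments(SAMPLE_ASSIGNMENTS_JSON), "00000000-0000-0000-0000-000000000001"):
        print(f"ALERT: guest {name} holds {role} at {scope}")
```

Run it on a schedule against the real CLI output and any non-empty result is the alert condition Frank asked for; deny assignments, as James notes, are the only way to block the assignment itself.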