question

vijie-3055 asked jackchentoronto commented

Azure Blueprint for deny assignment

Can you share how to achieve a deny assignment using Azure Blueprints? I couldn't find an example specifically for deny assignments. This is needed to disable inheritance.

azure-blueprints

Sorry @SwathiDhanwada-MSFT

I don't get what you mean in your answer.

I think the question is how to define a "deny assignment" for resource access control. For example, if a user is granted the owner role at the subscription level, but I want to remove his owner role for a particular resource group under this subscription. Azure Portal states this can only be done by blueprint for now.

When I create a new blueprint, I only found how to assign a user an RBAC role for a resource group, not how to remove a role from a resource group.

I am not sure if "Automation Account variables should be encrypted." is related to the question?




1 Answer

SwathiDhanwada-MSFT answered SwathiDhanwada-MSFT edited

@vijje-3055 Here are the steps to achieve a deny assignment using Azure Blueprints. To show a deny assignment being added to Azure Blueprints, I will use an existing built-in policy as an example.

A. Select All services in the left pane. Search for and select Blueprints.
B. Select Blueprint definitions from the page on the left and select the + Create blueprint button at the top of the page.

C. Select Start with blank blueprint from the card at the top of the built-in blueprints list.
D. Provide a Blueprint name such as testblueprint. (Use up to 48 letters and numbers, but no spaces or special characters).

In the Definition location box, select the ellipsis on the right, select the management group or subscription where you want to save the blueprint, and choose Select.

E. To add a policy assignment at the subscription level:

  • Select the + Add artifact row under the role assignment artifact.

  • Select Policy assignment for Artifact type.

  • Change Type to Built-in. In Search, enter Automation Account.

  • Change focus out of Search for the filtering to occur. Select Automation Account variables should be encrypted.

Select Add to add this artifact to the blueprint.

F. Select the artifact and uncheck "This value should be specified when the blueprint is assigned". Then change the effect to "Deny".

G. Click on Save Draft.


Note: Disabling inheritance can be done by following this document or this document.


