Nested ARM Template from Resource Group to Management Group

Matthew Dowst 1 Reputation point
2022-01-04T22:55:08.997+00:00

I'm trying to create a Resource Group based ARM/Bicep template that will use a nested template to create a policy at the management group level. In bicep it will not allow you to scope from the resource group to the management group. However, it will allow you to scope from the resource group to the tenant. So, to go from the resource group to management group, I need to create a nested deployment to the tenant, then inside that create another nested deployment to the management group. The issue with this approach is it requires owner permissions at the tenant level, defeating the purpose of management groups. I tried to manually create a nested deployment in ARM but when I deploy the template it fails with the code BadRequest and no message. Unfortunately, since this will be a managed app, the main template needs to be scoped to the resource group. Is it possible to nest from the resource group to the management group?

{
    "type": "Microsoft.Resources/deployments",
    "apiVersion": "2021-04-01",
    "name": "MGPolicy",
    "scope": "[format('Microsoft.Management/managementGroups/{0}', parameters('managementGroup'))]",
    "properties": {
      "expressionEvaluationOptions": {
        "scope": "inner"
      },
      "mode": "Incremental",
      "parameters": {
        "location": {
          "value": "[parameters('location')]"
        },
        "targetMG": {
          "value": "[parameters('managementGroup')]"
        }
      },
      "template": {
        "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        The rest of the policy deployment template

1 answer

  1. SwathiDhanwada-MSFT 18,031 Reputation points
    2022-01-12T16:57:17.847+00:00

    @Matthew Dowst Here is a sample nested template which I have tested based on the requirement you have.

    {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {
        },
        "resources": [
            {
                "type": "Microsoft.Resources/deployments",
                "apiVersion": "2021-04-01",
                "name": "nestedTemplate1",
                "location": "East US",
                "properties": {
                    "mode": "Incremental",
                    "expressionEvaluationOptions": {
                        "scope": "inner"
                    },
                    "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "variables": {
                            "policyName": "restrict-allowed-locations-policy"
                        },
                        "parameters": {
                        },
                        "resources": [
                            {
                                "type": "Microsoft.Authorization/policyDefinitions",
                                "name": "[variables('policyName')]",
                                "apiVersion": "2019-09-01",
                                "properties": {
                                    "displayName": "Allowed locations",
                                    "policyType": "Custom",
                                    "mode": "Indexed",
                                    "description": "This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that use the 'global' region.",
                                    "metadata": {
                                        "version": "1.0.0",
                                        "category": "General"
                                    },
                                    "parameters": {
                                        "listOfAllowedLocations": {
                                            "type": "Array",
                                            "metadata": {
                                                "description": "The list of locations that can be specified when deploying resources.",
                                                "strongType": "location",
                                                "displayName": "Allowed locations"
                                            }
                                        }
                                    },
                                    "policyRule": {
                                        "if": {
                                            "allOf": [
                                                {
                                                    "field": "location",
                                                    "notIn": "[[parameters('listOfAllowedLocations')]"
                                                },
                                                {
                                                    "field": "location",
                                                    "notEquals": "global"
                                                },
                                                {
                                                    "field": "type",
                                                    "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"
                                                }
                                            ]
                                        },
                                        "then": {
                                            "effect": "deny"
                                        }
                                    }
                                }
                            }
                        ]
                    }
                }
            }
        ],
        "outputs": {
        }
    }

    I have used the below command to deploy the above template. Do check if it helps.

    az deployment mg create --name rt --management-group-id 349072 --template-file azure-deploy.json --location WestEurope
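The question turns on which scopes a chain of nested deployments hops through, and therefore at which level the deploying principal needs write rights (the tenant hop being the problem the asker raises). The following is an added static check, not code from the question, the answer or any Azure tool: it derives each template's target scope from its `$schema` URL and each nested deployment's target from its `scope` property, walks the chain outer-first, flags an inner template whose `$schema` does not match the scope the deployment resource declares, and reports the widest scope touched. The `SAMPLE` template is constructed to mirror the resource-group to tenant to management-group chain described in the question; the scope-string markers it matches on are an assumption about how such strings are written.

```python
SCHEMA_SCOPES = {  # scope each ARM template $schema targets, listed from narrowest to widest
    "deploymentTemplate.json": "resourceGroup",
    "subscriptionDeploymentTemplate.json": "subscription",
    "managementGroupDeploymentTemplate.json": "managementGroup",
    "tenantDeploymentTemplate.json": "tenant",
}

def schema_scope(template):
    """Scope implied by the template's $schema URL, or 'unknown'."""
    name = template.get("$schema", "").rsplit("/", 1)[-1].split("#")[0]
    return SCHEMA_SCOPES.get(name, "unknown")

def declared_scope(resource, parent_scope):
    """Scope a nested deployment targets via its 'scope' property; absent means it inherits the parent."""
    s = (resource.get("scope") or "").lower()
    if not s:
        return parent_scope
    # Assumed markers: management-group, resource-group and subscription scope strings contain these segments.
    hits = [v for k, v in (("managementgroups/", "managementGroup"), ("resourcegroups/", "resourceGroup"), ("subscriptions/", "subscription")) if k in s]
    return hits[0] if hits else ("tenant" if s == "/" else "unknown")

def scope_chain(template, parent_scope=None, path="", findings=None):
    """Walk nested deployments outer-first, recording each scope hop and $schema/scope mismatches."""
    findings = [] if findings is None else findings
    parent_scope = parent_scope or schema_scope(template)
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.Resources/deployments":
            continue
        target = declared_scope(res, parent_scope)
        hop = {"path": f"{path}/{res.get('name', '?')}", "from": parent_scope, "to": target}
        inner = res.get("properties", {}).get("template")
        findings.append(hop)
        if inner is not None:
            if schema_scope(inner) not in ("unknown", target):
                hop["issue"] = f"inner $schema targets {schema_scope(inner)} but deployment scope is {target}"
            scope_chain(inner, target, hop["path"], findings)
    return findings

def highest_scope(findings):
    """Widest scope the deploying principal needs write rights at (the tenant hop in the question)."""
    order = list(SCHEMA_SCOPES.values())
    return max((h["to"] for h in findings), key=lambda s: order.index(s) if s in order else -1, default=None)

# Constructed sample mirroring the question: RG template -> tenant hop -> management-group hop.
S = "https://schema.management.azure.com/schemas/2019-08-01/"
SAMPLE = {"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "resources": [{"type": "Microsoft.Resources/deployments", "name": "toTenant", "scope": "/",
    "properties": {"template": {"$schema": S + "tenantDeploymentTemplate.json#",
      "resources": [{"type": "Microsoft.Resources/deployments", "name": "MGPolicy",
        "scope": "[format('Microsoft.Management/managementGroups/{0}', parameters('managementGroup'))]",
        "properties": {"template": {"$schema": S + "managementGroupDeploymentTemplate.json#", "resources": []}}}]}}}]}
```

Running `scope_chain(SAMPLE)` lists the two hops (resourceGroup to tenant, tenant to managementGroup) and `highest_scope` returns `tenant`, which makes the permission requirement of the chain visible before anything is deployed.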