MatthewDowst-1545 asked SwathiDhanwada-MSFT commented

Nested ARM Template from Resource Group to Management Group

I'm trying to create a Resource Group based ARM/Bicep template that will use a nested template to create a policy at the management group level. In Bicep it will not allow you to scope from the resource group to the management group. However, it will allow you to scope from the resource group to the tenant. So, to go from the resource group to the management group, I need to create a nested deployment to the tenant, then inside that create another nested deployment to the management group. The issue with this approach is it requires owner permissions at the tenant level, defeating the purpose of management groups. I tried to manually create a nested deployment in ARM but when I deploy the template it fails with the code BadRequest and no message. Unfortunately, since this will be a managed app, the main template needs to be scoped to the resource group. Is it possible to nest from the resource group to the management group?

 {
     "type": "Microsoft.Resources/deployments",
     "apiVersion": "2021-04-01",
     "name": "MGPolicy",
     "scope": "[format('Microsoft.Management/managementGroups/{0}', parameters('managementGroup'))]",
     "properties": {
       "expressionEvaluationOptions": {
         "scope": "inner"
       },
       "mode": "Incremental",
       "parameters": {
         "location": {
           "value": "[parameters('location')]"
         },
         "targetMG": {
           "value": "[parameters('managementGroup')]"
         }
       },
       "template": {
         "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
         "contentVersion": "1.0.0.0",
         The rest of the policy deployment template
Tags: azure-policy, azure-dtl-arm-enviorments, azure-managed-applications
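A static pre-deployment check for the scope chain the question describes, added here as an example (not code from this thread or from Microsoft). It walks nested Microsoft.Resources/deployments, classifies each one's scope, and flags the direct resource-group-to-management-group hop while accepting the resource-group-to-tenant-to-management-group chain; the ALLOWED table and the constructed QUESTION_SHAPE sample are assumptions, not anything the platform publishes.

```python
# Added example: static scope-chain check for nested ARM deployments. ALLOWED holds
# only the transitions the thread describes (an assumption to extend from the docs).
ALLOWED = {"resourceGroup": {"resourceGroup", "tenant"},   # the thread's two-hop path
           "tenant": {"tenant", "managementGroup"},
           "managementGroup": {"managementGroup"}}
SCHEMA_KIND = {"managementGroupDeploymentTemplate": "managementGroup",  # $schema fragment -> kind
               "tenantDeploymentTemplate": "tenant", "deploymentTemplate": "resourceGroup"}

def kind_from_schema(schema):
    return next((k for frag, k in SCHEMA_KIND.items() if frag in schema), "unknown")

def kind_from_scope(scope, parent):
    # Pattern-match only; ARM expressions such as format(...) are not evaluated.
    if scope is None:
        return parent             # no scope property: inherits the parent scope
    if scope == "/":
        return "tenant"
    if "Microsoft.Management/managementGroups" in scope:
        return "managementGroup"
    return "resourceGroup"        # resourceGroup()/subscriptionId-style scopes

def check_template(template, parent=None, path="root"):
    """Walk nested Microsoft.Resources/deployments; return a list of findings."""
    findings = []
    parent = parent or kind_from_schema(template.get("$schema", ""))
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.Resources/deployments":
            continue
        name = f"{path}/{res.get('name', '?')}"
        target = kind_from_scope(res.get("scope"), parent)
        if target not in ALLOWED.get(parent, set()):
            findings.append(f"{name}: {parent} -> {target} is not in ALLOWED")
        inner = res.get("properties", {}).get("template")
        if inner is not None:
            if kind_from_schema(inner.get("$schema", "")) != target:
                findings.append(f"{name}: inner $schema does not match {target} scope")
            findings += check_template(inner, target, name)
    return findings

# Constructed sample in the shape of the question's failing template.
SCHEMAS = "https://schema.management.azure.com/schemas/"
QUESTION_SHAPE = {
    "$schema": SCHEMAS + "2019-04-01/deploymentTemplate.json#",
    "resources": [{"type": "Microsoft.Resources/deployments", "name": "MGPolicy",
        "scope": "[format('Microsoft.Management/managementGroups/{0}', parameters('managementGroup'))]",
        "properties": {"template": {"$schema": SCHEMAS + "2019-08-01/managementGroupDeploymentTemplate.json#"}}}],
}
```

The check only catches the unsupported direct hop before a deployment is attempted; it cannot see that the two-hop path still needs tenant-level rights, which is the permission problem the question raises.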

1 Answer

SwathiDhanwada-MSFT answered SwathiDhanwada-MSFT commented

@MatthewDowst-1545 Here is a sample nested template which I have tested based on the requirement you have.

 {
     "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
     "contentVersion": "1.0.0.0",
     "parameters": {
     },
     "resources": [
         {
             "type": "Microsoft.Resources/deployments",
             "apiVersion": "2021-04-01",
             "name": "nestedTemplate1",
             "location": "East US",
             "properties": {
                 "mode": "Incremental",
                 "expressionEvaluationOptions": {
                     "scope": "inner"
                 },
                 "template": {
                     "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
                     "contentVersion": "1.0.0.0",
                     "variables": {
                         "policyName": "restrict-allowed-locations-policy"
                     },
                     "parameters": {
                     },
                     "resources": [
                         {
                             "type": "Microsoft.Authorization/policyDefinitions",
                             "name": "[variables('policyName')]",
                             "apiVersion": "2019-09-01",
                             "properties": {
                                 "displayName": "Allowed locations",
                                 "policyType": "Custom",
                                 "mode": "Indexed",
                                 "description": "This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that use the 'global' region.",
                                 "metadata": {
                                     "version": "1.0.0",
                                     "category": "General"
                                 },
                                 "parameters": {
                                     "listOfAllowedLocations": {
                                         "type": "Array",
                                         "metadata": {
                                             "description": "The list of locations that can be specified when deploying resources.",
                                             "strongType": "location",
                                             "displayName": "Allowed locations"
                                         }
                                     }
                                 },
                                 "policyRule": {
                                     "if": {
                                         "allOf": [
                                             {
                                                 "field": "location",
                                                 "notIn": "[[parameters('listOfAllowedLocations')]"
                                             },
                                             {
                                                 "field": "location",
                                                 "notEquals": "global"
                                             },
                                             {
                                                 "field": "type",
                                                 "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"
                                             }
                                         ]
                                     },
                                     "then": {
                                         "effect": "deny"
                                     }
                                 }
                             }
                         }
                     ]
                 }
             }
         }
     ],
     "outputs": {
     }
 }


I have used the below command to deploy the above template. Do check if it helps.

 az deployment mg create --name rt --management-group-id 349072 --template-file azure-deploy.json --location WestEurope

That works because you are deploying straight to the management group. I am trying to create a managed application that includes policies. The managed application deploys to the resource group. So, I can't use the mg switch or the New-AzManagementGroupDeployment cmdlet because I am deploying to the resource group. @SwathiDhanwada-MSFT


@MatthewDowst-1545 Kindly try setting the scope as / for management groups. Reference screenshot:
(screenshot: 177724-image.png)