1 Vote
pallab asked ·

What is the min IAM role required to create Azure Policy and Blueprint

I have Contributor access to a subscription, but I am not able to create an Azure Policy and assign it to a particular resource group under the subscription. What role do I need to be assigned if I need to create an Azure Policy and apply it at a subscription or management group level?

Thanks

azure-active-directory azure-policy

1 Answer

0 Votes
amanpreetsingh-msft answered ·

@pallab Below are the roles which are available by default for Azure Policy and Blueprint:

  1. Resource Policy Contributor: Can perform most Azure Policy operations.

  2. Blueprint Contributor: Can manage blueprint definitions, but not assign them.

  3. Blueprint Operator: Can assign existing published blueprints, but can't create new blueprint definitions. Blueprint assignment only works if the assignment is done with a user-assigned managed identity.

However, if you think that these roles have more permissions than what you need, you can create a custom role as explained here: https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles

The permissions that you would need to add under the "Actions" section of the custom role are provided in the links below:

You can add desired permissions that you want to assign to the users via custom role. You can also create a single role for both Azure Policy as well as for Blueprint.


Please "Accept as answer" wherever the information provided helps you to help others in the community.
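
The custom-role route described in the answer above, as an added example that is not part of the original answer or Microsoft's own code: it builds one role definition covering both Azure Policy and Blueprint and lints it so that nothing outside those namespaces (for example `Microsoft.Authorization/*`, which would also grant role assignment rights) slips in. The role name, the all-zero subscription ID and the exact action list are assumptions; check the actions against the provider operation lists before use.

```python
import json

# Resource provider namespaces for Azure Policy and Blueprints. Azure matches
# action strings case-insensitively, so the lint lowercases before comparing.
ALLOWED_PREFIXES = tuple(p.lower() for p in (
    "Microsoft.Authorization/policyDefinitions/",
    "Microsoft.Authorization/policySetDefinitions/",
    "Microsoft.Authorization/policyAssignments/",
    "Microsoft.Blueprint/blueprints/",
    "Microsoft.Blueprint/blueprintAssignments/",
))
SCOPE_PREFIXES = ("/subscriptions/",
                  "/providers/microsoft.management/managementgroups/")

def build_role(name, scopes):
    """Return a custom role definition in the JSON shape Azure RBAC accepts."""
    return {
        "Name": name,  # hypothetical role name supplied by the caller
        "IsCustom": True,
        "Description": "Create and assign Azure Policy and Blueprints only.",
        "Actions": [
            "Microsoft.Authorization/policyDefinitions/*",
            "Microsoft.Authorization/policySetDefinitions/*",
            "Microsoft.Authorization/policyAssignments/*",
            "Microsoft.Blueprint/blueprints/*",
            "Microsoft.Blueprint/blueprintAssignments/*",
        ],
        "NotActions": [],
        "AssignableScopes": list(scopes),
    }

def lint_role(role):
    """Return least-privilege findings; an empty list means the role is narrow."""
    findings = []
    for action in role.get("Actions", []):
        if not action.lower().startswith(ALLOWED_PREFIXES):
            findings.append(f"action outside Policy/Blueprint: {action}")
    scopes = role.get("AssignableScopes", [])
    if not scopes:
        findings.append("no AssignableScopes set")
    for scope in scopes:
        if not scope.lower().startswith(SCOPE_PREFIXES):
            findings.append(f"scope is not a subscription or management group: {scope}")
    return findings

if __name__ == "__main__":
    # Constructed placeholder subscription ID, not a real one.
    role = build_role("Policy and Blueprint Manager (example)",
                      ["/subscriptions/00000000-0000-0000-0000-000000000000"])
    problems = lint_role(role)
    if problems:
        raise SystemExit("\n".join(problems))
    print(json.dumps(role, indent=2))
```

The printed JSON can be saved to a file and passed to `az role definition create --role-definition @role.json`.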