Deny Azure Role Assignment with Azure Policy

Granting roles to unintended users or groups is one of the ways a security breach starts. In this article, let's look at how Azure Policy can be used to deny a role assignment unless it targets the intended user or group.

Use Case

There are use cases where you want to control role assignment in your Azure environment. For example, you want only a specific user or group to hold the Owner role, or you want a specific custom RBAC role to be granted only to a specific custom group.

Deployment

Azure Policy supports several effects. The one we use here is Deny: when a request creates or updates a resource that matches the policy rule in Resource Manager mode, Deny blocks the request before it is sent to the Resource Provider.

The policy rule targets the Microsoft.Authorization/roleAssignments resource type, so it is evaluated against every role assignment request sent to Azure. Two aliases are needed:

  • Microsoft.Authorization/roleAssignments/roleDefinitionId: the role definition ID. In a role assignment request this is the full resource ID of the role definition, not just the GUID, which is why the rules below match it with contains rather than equals.
  • Microsoft.Authorization/roleAssignments/principalId: the principal ID (object ID) of the user or group that the role assignment targets.

So below is a sample rule that denies a role assignment request when role definition ID ea940f7f-9b62-43cf-8ef6-8c303283ac7d is granted to any principal other than principal ID 9f00fbdb-6771-4011-8f49-04d79adc0bb4.

{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Authorization/roleAssignments"
      },
      {
        "field": "Microsoft.Authorization/roleAssignments/roleDefinitionId",
        "contains": "ea940f7f-9b62-43cf-8ef6-8c303283ac7d"
      },
      {
        "field": "Microsoft.Authorization/roleAssignments/principalId",
        "notEquals": "9f00fbdb-6771-4011-8f49-04d79adc0bb4"
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}

And here is the message you get if you grant the role definition to a different group.

You can use parameters too:

{
  "name": "deny-database-admin-role",
  "properties": {
    "displayName": "Ensure Database Admin role is assigned to Database Admin group",
    "description": "This policy is used to ensure Database Admin role is assigned to Database Admin group",
    "metadata": {
      "category": "IAM"
    },
    "mode": "All",
    "parameters": {
      "dBAdminRoleDefId": {
        "type": "string",
        "defaultValue": "7c3caeca-1234-482f-bb99-1c4000523fb5",
        "metadata": {
          "description": "Role Definition ID of Db Admin Role",
          "displayName": "Role Definition ID of Db Admin Role"
        }
      },
      "dbAdminGroupId": {
        "type": "string",
        "defaultValue": "76a59d8e-4aad-1234-a8aa-e4a3dd12csb5",
        "metadata": {
          "description": "ID of Database Admin group in AAD",
          "displayName": "ID of Database Admin group in AAD"
        }
      },
      "effect": {
        "type": "string",
        "metadata": {
          "displayName": "Effect",
          "description": "Effect of this Azure Policy - Audit, Deny or Disabled"
        },
        "allowedValues": ["Audit", "Deny", "Disabled"]
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Authorization/roleAssignments"
              },
              {
                "field": "Microsoft.Authorization/roleAssignments/roleDefinitionId",
                "contains": "[parameters('dBAdminRoleDefId')]"
              },
              {
                "field": "Microsoft.Authorization/roleAssignments/principalId",
                "notEquals": "[parameters('dbAdminGroupId')]"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}

Or in an ARM template (note the [[ escaping, which stops ARM from evaluating the policy expressions at deployment time):

{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "variables": {
    "policyName": "deny-database-admin-role",
    "policyDisplayName": "Ensure Database Admin role is assigned to Database Admin group",
    "policyDescription": "This policy is used to ensure Database Admin role is assigned to Database Admin group",
    "metadata": { "category": "IAM" }
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/policyDefinitions",
      "name": "[variables('policyName')]",
      "apiVersion": "2019-09-01",
      "properties": {
        "displayName": "[variables('policyDisplayName')]",
        "policyType": "Custom",
        "description": "[variables('policyDescription')]",
        "metadata": "[variables('metadata')]",
        "mode": "All",
        "parameters": {
          "dBAdminRoleDefId": {
            "type": "string",
            "defaultValue": "7c3caeca-1234-482f-bb99-1c4000523fb5",
            "metadata": {
              "description": "Role Definition ID of Db Admin Role",
              "displayName": "Role Definition ID of Db Admin Role"
            }
          },
          "dbAdminGroupId": {
            "type": "string",
            "defaultValue": "76a59d8e-4aad-1234-a8aa-e4a3dd12csb5",
            "metadata": {
              "description": "ID of Database Admin group in AAD",
              "displayName": "ID of Database Admin group in AAD"
            }
          },
          "effect": {
            "type": "string",
            "metadata": {
              "displayName": "Effect",
              "description": "Effect of this Azure Policy - Audit, Deny or Disabled"
            },
            "allowedValues": ["Audit", "Deny", "Disabled"]
          }
        },
        "policyRule": {
          "if": {
            "anyOf": [
              {
                "allOf": [
                  {
                    "field": "type",
                    "equals": "Microsoft.Authorization/roleAssignments"
                  },
                  {
                    "field": "Microsoft.Authorization/roleAssignments/roleDefinitionId",
                    "contains": "[[parameters('dBAdminRoleDefId')]"
                  },
                  {
                    "field": "Microsoft.Authorization/roleAssignments/principalId",
                    "notEquals": "[[parameters('dbAdminGroupId')]"
                  }
                ]
              }
            ]
          },
          "then": {
            "effect": "[[parameters('effect')]"
          }
        }
      }
    }
  ]
}

To get the role definition ID, use the following PowerShell:

$name = "database-admin-role"          # display name of the (custom) role
$role = Get-AzRoleDefinition -Name $name
$role.Id                               # GUID to use for the role definition ID parameter

To get a user or group object ID you can use Get-AzADUser or Get-AzADGroup. Below is the sample for a group ID:

$displayName = "database-admin-group"  # display name of the AAD group
$group = Get-AzADGroup -DisplayName $displayName
$group.Id                              # object ID to use for the principal ID parameter
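Added example (not from the original post): the PowerShell to deploy the parameterised definition above and assign it at subscription scope, which is the step the rule needs before it denies anything. It assumes Az.Resources, a session opened with Connect-AzAccount, the definition JSON saved as .\deny-database-admin-role.json, and placeholder role and group display names.

```powershell
# Added example (not from the original post). Assumes Az.Resources is
# installed, Connect-AzAccount has run, and the parameterised definition
# above is saved as .\deny-database-admin-role.json. Role and group
# display names are placeholders; replace them with your own.
$roleName  = "database-admin-role"    # placeholder custom role name
$groupName = "database-admin-group"   # placeholder AAD group name
$scope     = "/subscriptions/" + (Get-AzContext).Subscription.Id

# Resolve the two IDs the policy parameters need (same cmdlets as above).
$roleDefId = (Get-AzRoleDefinition -Name $roleName).Id
$groupId   = (Get-AzADGroup -DisplayName $groupName).Id
if (-not $roleDefId -or -not $groupId) {
    throw "Role '$roleName' or group '$groupName' not found; check the names."
}

# Read policyRule, parameters and metadata from the saved definition so the
# rule from the post is deployed unchanged.
$doc = Get-Content -Raw -Path ".\deny-database-admin-role.json" | ConvertFrom-Json
$definition = New-AzPolicyDefinition `
    -Name        $doc.name `
    -DisplayName $doc.properties.displayName `
    -Description $doc.properties.description `
    -Mode        $doc.properties.mode `
    -Metadata    ($doc.properties.metadata   | ConvertTo-Json -Depth 10) `
    -Policy      ($doc.properties.policyRule | ConvertTo-Json -Depth 20) `
    -Parameter   ($doc.properties.parameters | ConvertTo-Json -Depth 10)

# The "effect" parameter has no default, so it must be supplied here.
# Pass "Audit" first if you want to measure impact before enforcing.
$assignment = New-AzPolicyAssignment `
    -Name "deny-database-admin-role" `
    -Scope $scope `
    -PolicyDefinition $definition `
    -PolicyParameterObject @{
        dBAdminRoleDefId = $roleDefId
        dbAdminGroupId   = $groupId
        effect           = "Deny"
    }

# Verify: the assignment should now be visible at the subscription scope.
Get-AzPolicyAssignment -Name $assignment.Name -Scope $scope
```

Once the assignment is in place, any request that grants the role to a principal other than the group is rejected with the policy denial message shown earlier.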

If you want to have multiple rules in one template, refer to this template.
