Forum Discussion

ashishnm's avatar
ashishnm
Copper Contributor
Jul 30, 2020

Azure policy to auto add user group in resource group contributors

This is my first project in Azure. Please avoid if any mistake. I have a user group "Azure Cross Team Contributors". I want to add it in resource group contributors by default whenever I create any resource group. I got to know there is policy, But not able to write policy rule. What would be policy rule for this scenario.

  • pazdedav's avatar
    pazdedav
    Steel Contributor

    Hi ashishnm ,

     

    It would help to get more details about your scenario, but based on what you wrote, I don't think there is a way how to write a custom policy that would assign a certain AAD group some role on a RG scope. Azure Policy is dealing with resources and its properties. Role assignment is not in its scope.

     

    Depending what you are trying to achieve, you can either operate within a single subscription or across subscriptions. For the latter case, leveraging Management Groups (and assign e.g. a Contributor role for your AAD group) could make sense (as it was suggested by Peter_Beckendorf ). Please keep in mind the inheritance principle, meaning that members of that group will have Contributor permissions in all subscriptions that are member of such Management Group.

     

    If you work in a context of a single subscription, I am wondering why you don't use role assignment on that subscription level? Is it because you want to control when and what Resource Groups are being created?

    • if no, assigning a role for that group in your subscription is the easiest option, since this assignment will propagate to all existing any any new RGs
    • If yes, then doing role assignment for that group on a subscription level (or even MG-level) won't work for you, since the users (members of that group) will inherit permission to create RGs. In this case I would advise you to implement an event-driven automation solution that would:
      • subscribe to Event Log 'Create Resource Group' event, either by using Azure Monitor alerts (and action groups) or Event Grid subscription
      • process that event in either Azure Automation (runbook) or Azure Function (PowerShell) and do the role assignment for that newly created RG for your target AAD group
      • in this way, you keep control what RGs are being created while that team gets necessary permissions to work in new RGs.

     

Resources