Jul 30 2020 05:25 AM
This is my first project in Azure. Please excuse any mistakes. I have a user group "Azure Cross Team Contributors". I want to add it to the resource group contributors by default whenever I create any resource group. I got to know there is a policy, but I am not able to write the policy rule. What would be the policy rule for this scenario?
Jul 31 2020 02:55 AM
Hi @ashishnm,
Maybe I got it wrong, but you want this group to be added as the "Standard" Admin Group for the resources, right? Maybe you should take a look at Azure Management Groups; that might be a better and easier solution and will offer you even more functionality.
To learn more about Management Groups, please take a look here:
https://docs.microsoft.com/en-us/azure/governance/management-groups/overview
Kind Regards, Peter
Jul 31 2020 04:30 AM - edited Jul 31 2020 04:35 AM
Hi @ashishnm,
It would help to get more details about your scenario, but based on what you wrote, I don't think there is a way to write a custom policy that would assign a certain AAD group some role on a RG scope. Azure Policy deals with resources and their properties. Role assignment is not in its scope.
Depending on what you are trying to achieve, you can either operate within a single subscription or across subscriptions. For the latter case, leveraging Management Groups (and assigning e.g. a Contributor role for your AAD group) could make sense (as was suggested by @Peter_Beckendorf). Please keep in mind the inheritance principle, meaning that members of that group will have Contributor permissions in all subscriptions that are members of such a Management Group.
If you work in the context of a single subscription, I am wondering why you don't use role assignment at that subscription level? Is it because you want to control when and what Resource Groups are being created?