Azure policy to auto add user group in resource group contributors

Copper Contributor

This is my first project in Azure. Please avoid if any mistake. I have a user group "Azure Cross Team Contributors". I want to add it in resource group contributors by default whenever I create any resource group. I got to know there is policy, But not able to write policy rule. What would be policy rule for this scenario.

2 Replies

Hi @ashishnm,

 

Maybe i got it wrong, but you want this Group to be added as the "Standard" Admin Group for the Resources, right? Maybe you should take a look on Azure Management Groups, that might be a better and easier Solution and will offer you even more functionality.

 

To learn more about Management Groups, please take a look here:

 

https://docs.microsoft.com/en-us/azure/governance/management-groups/overview

 

Kind Regards, Peter 

Hi @ashishnm ,

 

It would help to get more details about your scenario, but based on what you wrote, I don't think there is a way how to write a custom policy that would assign a certain AAD group some role on a RG scope. Azure Policy is dealing with resources and its properties. Role assignment is not in its scope.

 

Depending what you are trying to achieve, you can either operate within a single subscription or across subscriptions. For the latter case, leveraging Management Groups (and assign e.g. a Contributor role for your AAD group) could make sense (as it was suggested by @Peter_Beckendorf ). Please keep in mind the inheritance principle, meaning that members of that group will have Contributor permissions in all subscriptions that are member of such Management Group.

 

If you work in a context of a single subscription, I am wondering why you don't use role assignment on that subscription level? Is it because you want to control when and what Resource Groups are being created?

  • if no, assigning a role for that group in your subscription is the easiest option, since this assignment will propagate to all existing any any new RGs
  • If yes, then doing role assignment for that group on a subscription level (or even MG-level) won't work for you, since the users (members of that group) will inherit permission to create RGs. In this case I would advise you to implement an event-driven automation solution that would:
    • subscribe to Event Log 'Create Resource Group' event, either by using Azure Monitor alerts (and action groups) or Event Grid subscription
    • process that event in either Azure Automation (runbook) or Azure Function (PowerShell) and do the role assignment for that newly created RG for your target AAD group
    • in this way, you keep control what RGs are being created while that team gets necessary permissions to work in new RGs.