Forum Discussion
Azure policy to auto add user group in resource group contributors
Hi ashishnm,
It would help to get more details about your scenario, but based on what you wrote, I don't think there is a way to write a custom policy that would assign a certain AAD group some role on a RG scope. Azure Policy deals with resources and their properties. Role assignment is not in its scope.
Depending on what you are trying to achieve, you can either operate within a single subscription or across subscriptions. For the latter case, leveraging Management Groups (and assigning e.g. a Contributor role for your AAD group) could make sense (as was suggested by Peter_Beckendorf). Please keep in mind the inheritance principle, meaning that members of that group will have Contributor permissions in all subscriptions that are members of such a Management Group.
If you work in the context of a single subscription, I am wondering why you don't use role assignment on that subscription level? Is it because you want to control when and what Resource Groups are being created?
- If no, assigning a role for that group in your subscription is the easiest option, since this assignment will propagate to all existing and any new RGs.
- If yes, then doing role assignment for that group on a subscription level (or even MG level) won't work for you, since the users (members of that group) will inherit permission to create RGs. In this case I would advise you to implement an event-driven automation solution that would:
- subscribe to Event Log 'Create Resource Group' event, either by using Azure Monitor alerts (and action groups) or Event Grid subscription
- process that event in either Azure Automation (runbook) or Azure Function (PowerShell) and do the role assignment for that newly created RG for your target AAD group
- in this way, you keep control over what RGs are being created while that team gets the necessary permissions to work in new RGs.
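One way to implement the "process the event and assign the role" step from the reply above, as an added example that is not code from the thread or from Microsoft: an Event Grid-triggered PowerShell Azure Function that reacts to successful resource group writes and grants the target AAD group Contributor on the new RG. It assumes the Function runs with a managed identity that is already signed in (profile.ps1 with Connect-AzAccount -Identity), has the Az.Resources module available, and reads the group's object ID from a placeholder app setting TARGET_GROUP_OBJECT_ID.

```powershell
# run.ps1 of an Event Grid-triggered PowerShell Azure Function (example, not from the thread)
param($eventGridEvent, $TriggerMetadata)

# Placeholder app setting holding the object ID of the AAD group to grant access to
$groupObjectId = $env:TARGET_GROUP_OBJECT_ID
$roleName      = 'Contributor'

# Only react to successful resource group writes; ignore every other resource write
# that a subscription-level Event Grid subscription delivers.
$rgWriteOperation = 'Microsoft.Resources/subscriptions/resourceGroups/write'
if ($eventGridEvent.eventType -ne 'Microsoft.Resources.ResourceWriteSuccess') { return }
if ($eventGridEvent.data.operationName -ne $rgWriteOperation) { return }

# resourceUri has the form /subscriptions/<subId>/resourceGroups/<rgName>; refuse anything else
# so the function can never be steered into assigning a role at a broader scope.
$scope = $eventGridEvent.data.resourceUri
if ($scope -notmatch '^/subscriptions/[^/]+/resourceGroups/[^/]+$') {
    Write-Warning "Unexpected scope '$scope', skipping"
    return
}

# The RG write event also fires on tag/property updates, not only on creation,
# so make the assignment idempotent: skip if it already exists at exactly this scope.
$existing = Get-AzRoleAssignment -ObjectId $groupObjectId -RoleDefinitionName $roleName `
    -Scope $scope -ErrorAction SilentlyContinue | Where-Object { $_.Scope -eq $scope }
if ($existing) {
    Write-Host "$roleName already assigned to $groupObjectId on $scope"
    return
}

# The managed identity needs Microsoft.Authorization/roleAssignments/write on this scope
# (e.g. User Access Administrator at subscription level) for this call to succeed.
New-AzRoleAssignment -ObjectId $groupObjectId -RoleDefinitionName $roleName -Scope $scope | Out-Null
Write-Host "Assigned $roleName to $groupObjectId on $scope"
```

Because the function only acts on the RG scope carried in the event, the team never gains the subscription-level rights that would let its members create resource groups themselves.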