I know we can apply locks at the subscription level, but applying locks will prevent you from revoking the IAM role, so I would like to know if we can have a custom policy to avoid the deletion?
2 Answers
2
No, because deletion is allowed by granting an action called write over the resource/scope, so if you would create a policy that prohibits that, you would lose the ability to edit resources, as there is no way for you to specify deletes only. Locks are meant for that.

4c74356b41
0
Microsoft now has a DenyAction for Azure Policy in preview. This means you can now set up a policy definition and assignments that will prevent deletion of the resources you specify, regardless of the roles.
Here's also a link to the initial announcement in late December 2022.

fletchelg
I have also tried to create an Azure policy definition but it's not allowing DenyAction.

    {
      "mode": "All",
      "policyRule": {
        "if": {
          "allOf": [
            { "field": "type", "equals": "Microsoft.Network/virtualNetworks/subnets" },
            { "field": "name", "contains": "reserved" }
          ]
        },
        "then": {
          "effect": "DenyAction",
          "details": { "actionNames": ["Delete"] }
        }
      }
    }

– PRAVEEN PDBR Jun 29 '23 at 11:18
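A complete denyAction rule of the kind the second answer describes, covering the same subnet case the comment attempts, as an added example that is not part of either answer, the comment, or Microsoft's own samples. It assumes the documented effect shape (`effect: "denyAction"`, `details.actionNames: ["delete"]`, optional `details.cascadeBehaviors`) and the case-insensitive behaviour of the `equals` and `contains` conditions; the sample resource names are constructed.

```python
import json

# Added example, not code from the answers, the comment or Microsoft: a
# denyAction rule protecting subnets named "*reserved*" plus a matcher that
# shows which (constructed) sample resources it would protect from deletion.

def build_deny_delete_policy(resource_type, name_fragment):
    """Return mode + policyRule for `az policy definition create --mode/--rules`."""
    return {
        "mode": "All",
        "policyRule": {
            "if": {"allOf": [
                {"field": "type", "equals": resource_type},
                {"field": "name", "contains": name_fragment},
            ]},
            "then": {
                "effect": "denyAction",
                "details": {
                    # denyAction currently supports only the delete action.
                    "actionNames": ["delete"],
                    # Also deny deleting the resource group that contains a match.
                    "cascadeBehaviors": {"resourceGroup": "deny"},
                },
            },
        },
    }

def _condition_matches(cond, resource):
    """One leaf condition; Azure Policy's equals/contains compare case-insensitively."""
    value = str(resource.get(cond["field"], "")).lower()
    if "equals" in cond:
        return value == cond["equals"].lower()
    if "contains" in cond:
        return cond["contains"].lower() in value
    raise ValueError(f"unsupported condition: {cond}")

def delete_blocked(policy, resource):
    """True if deleting `resource` ({'type': ..., 'name': ...}) would be denied."""
    rule = policy["policyRule"]
    matched = all(_condition_matches(c, resource) for c in rule["if"]["allOf"])
    denies_delete = rule["then"]["effect"].lower() == "denyaction" and \
        "delete" in (a.lower() for a in rule["then"]["details"]["actionNames"])
    return matched and denies_delete

if __name__ == "__main__":
    policy = build_deny_delete_policy("Microsoft.Network/virtualNetworks/subnets", "reserved")
    print(json.dumps(policy["policyRule"], indent=2))  # value for --rules
    for name in ["Reserved-GatewaySubnet", "app-subnet"]:  # constructed names
        sample = {"type": "Microsoft.Network/virtualNetworks/subnets", "name": name}
        print(f"{name}: delete blocked = {delete_blocked(policy, sample)}")
```

Unlike a resource lock, the assignment blocks only the delete action, so role assignments and other writes on the protected subnets keep working.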