
I have an Azure policy which works as expected in Audit mode, but switching it to Deny mode still allows the resource to be created and marks it as Non-Compliant instead of denying resource creation. The policy is below; it effectively denies creation of a custom Azure role with Owner permissions.

```json
"policyRule": {
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Authorization/roleDefinitions"
      },
      {
        "field": "Microsoft.Authorization/roleDefinitions/type",
        "equals": "CustomRole"
      },
      {
        "anyOf": [
          {
            "not": {
              "field": "Microsoft.Authorization/roleDefinitions/permissions[*].actions[*]",
              "notEquals": "*"
            }
          },
          {
            "not": {
              "field": "Microsoft.Authorization/roleDefinitions/permissions.actions[*]",
              "notEquals": "*"
            }
          }
        ]
      },
      {
        "anyOf": [
          {
            "not": {
              "field": "Microsoft.Authorization/roleDefinitions/assignableScopes[*]",
              "notIn": [
                "[concat(subscription().id,'/')]",
                "[subscription().id]",
                "/"
              ]
            }
          },
          {
            "not": {
              "field": "Microsoft.Authorization/roleDefinitions/assignableScopes[*]",
              "notLike": "/providers/Microsoft.Management/*"
            }
          }
        ]
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}

},
```


Gregory Suvalian

1 Answer


The reason could be that some of these properties only appear and/or can be validated after the resource is created. Can you post the compliance reason details?

Kemley
  • Compliance reason is posted – Gregory Suvalian May 21 '20 at 20:07
  • The issue is in how you are writing the assignableScopes. Try replacing it with this: "notIn": [ "concat(subscription().id,'/')", "subscription().id", "/" ] – Kemley May 21 '20 at 20:33
  • This is a default policy from Azure Security Center. I did not write it specifically. The real question here is why Audit fails while still allowing it to be created – Gregory Suvalian May 21 '20 at 20:36
  • The reason could be that that property looks different at creation time than post-creation. But I do not have enough information to say that for certain. What is that built-in definition? – Kemley Jun 04 '20 at 22:52
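As an added illustration, not part of the original question or answer and not Azure's own policy engine: a small Python replay of the posted policyRule against constructed role-definition request bodies. It implements only what this rule needs (allOf/anyOf/not, the equals/in/like operator family, `[*]` array aliases, and the `subscription().id` and `concat` template functions), maps the `Microsoft.Authorization/roleDefinitions/...` aliases onto the request's `properties` object by assumption, and uses a placeholder subscription id. Running it shows which branches of the rule match a given body at request time, and it also lets you compare the bracketed `assignableScopes` values discussed in the comments, which the evaluator resolves as template expressions, with the same strings written without brackets, which it compares as literals.

```python
import fnmatch
import re

# Constructed placeholder subscription id; a real evaluation takes it from the request's scope.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
CTX = {"subscription_id": SUB}

# Leaf operators of the rule language that the posted rule uses.
OPS = {
    "equals": lambda v, a: v == a,
    "notEquals": lambda v, a: v != a,
    "in": lambda v, a: v in a,
    "notIn": lambda v, a: v not in a,
    "like": lambda v, a: fnmatch.fnmatchcase(v, a),  # '*' wildcard, as in Azure 'like'
    "notLike": lambda v, a: not fnmatch.fnmatchcase(v, a),
}


def resolve(value, ctx):
    """Bracketed strings are template expressions and get evaluated (subset:
    subscription().id and concat); unbracketed strings stay plain literals."""
    if isinstance(value, list):
        return [resolve(v, ctx) for v in value]
    if not (isinstance(value, str) and value.startswith("[") and value.endswith("]")):
        return value
    expr = value[1:-1]
    if expr == "subscription().id":
        return ctx["subscription_id"]
    m = re.fullmatch(r"concat\((.*)\)", expr)
    if m:
        parts = [p.strip() for p in m.group(1).split(",")]
        return "".join(p.strip("'") if p.startswith("'") else resolve(f"[{p}]", ctx) for p in parts)
    raise ValueError(f"unsupported template expression: {value}")


def field_values(resource, field):
    """Values a field or alias selects in the request body. Aliases '<type>/<path>' are
    mapped onto resource['properties'] (assumption); each '[*]' fans out over an array."""
    if field == "type":
        return [resource["type"]]
    prefix = resource["type"] + "/"
    path = field[len(prefix):] if field.startswith(prefix) else field
    values = [resource.get("properties", {})]
    for part in path.split("."):
        name, fan_out = (part[:-3], True) if part.endswith("[*]") else (part, False)
        children = [v[name] for v in values if isinstance(v, dict) and name in v]
        values = [e for c in children if isinstance(c, list) for e in c] if fan_out else children
    return values


def evaluate(cond, resource, ctx):
    """One condition node. With a '[*]' alias every selected element must satisfy the
    operator (vacuously true when nothing is selected), which is why the rule wraps
    notEquals/notIn/notLike in 'not' to express 'at least one element matches'."""
    if "allOf" in cond:
        return all(evaluate(c, resource, ctx) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource, ctx) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource, ctx)
    op = next(k for k in cond if k in OPS)
    expected = resolve(cond[op], ctx)
    values = field_values(resource, cond["field"])
    if "[*]" in cond["field"]:
        return all(OPS[op](v, expected) for v in values)
    return bool(values) and OPS[op](values[0], expected)


def evaluate_policy(policy_rule, resource, ctx=CTX):
    """Effect the rule would apply to this request body, or None when it does not match."""
    return policy_rule["then"]["effect"] if evaluate(policy_rule["if"], resource, ctx) else None


def custom_role(actions, scopes):
    """Constructed body shaped like a PUT on Microsoft.Authorization/roleDefinitions."""
    return {"type": "Microsoft.Authorization/roleDefinitions",
            "properties": {"roleName": "sample-role", "type": "CustomRole",
                           "permissions": [{"actions": actions, "notActions": []}],
                           "assignableScopes": scopes}}


# The posted policyRule, transcribed as a Python dict.
RD = "Microsoft.Authorization/roleDefinitions"
POLICY_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": RD},
        {"field": f"{RD}/type", "equals": "CustomRole"},
        {"anyOf": [{"not": {"field": f"{RD}/permissions[*].actions[*]", "notEquals": "*"}},
                   {"not": {"field": f"{RD}/permissions.actions[*]", "notEquals": "*"}}]},
        {"anyOf": [{"not": {"field": f"{RD}/assignableScopes[*]",
                            "notIn": ["[concat(subscription().id,'/')]", "[subscription().id]", "/"]}},
                   {"not": {"field": f"{RD}/assignableScopes[*]",
                            "notLike": "/providers/Microsoft.Management/*"}}]},
    ]},
    "then": {"effect": "deny"},
}

if __name__ == "__main__":
    samples = {
        "owner-like, subscription scope": custom_role(["*"], [SUB]),
        "owner-like, management group scope": custom_role(["*"], ["/providers/Microsoft.Management/managementGroups/mg-placeholder"]),
        "owner-like, resource group scope": custom_role(["*"], [SUB + "/resourceGroups/rg-placeholder"]),
        "read-only custom role": custom_role(["*/read"], [SUB]),
    }
    for label, body in samples.items():
        print(f"{label}: {evaluate_policy(POLICY_RULE, body)}")
```

The replay only sees what is in the request body; it cannot tell you what the service actually received or how a property is shaped before versus after creation, which is the point the answer raises. Use it to check that the rule's logic does what you expect on a given body, then compare that with the compliance reason Azure reports for the real resource.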