
Sorry for this basic topic, but I am pretty confused about Azure Management Groups and Policy.

I have a production subscription, on which I would like to deny all manual creation of resources and allow only the creation of resources as code.

Which means: if I try to create or change a resource from the portal, I get an error, but if I want to create the resource with Terraform or Bicep, I am able to do so from the terminal.

So what I did: in my Management Groups I added a child group and assigned the subscription to it. On the child group, I created the policy to deny all Microsoft.* as follows:

{
  "mode": "All",
  "policyRule": {
    "if": {
      "field": "type",
      "like": "Microsoft.*"
    },
    "then": {
      "effect": "deny"
    }
  }
}

This works just fine, but how can I still create resources with Terraform or Bicep from the terminal? Or maybe somebody can advise me on a better approach to solving this problem, please?

Thank you very much

Nayden Van

1 Answer

If you apply this policy, it will apply to service principals as well.

A better approach would be to restrict the RBAC roles of users (e.g. Reader) and use only a Service Principal to deploy resources to Azure. That's a simpler approach.

MoonHorse
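The RBAC-only approach the answer describes, written out as an added Terraform example (this is not code from the question or the answer): human operators in a security group get only Reader on the production subscription, a dedicated service principal gets Contributor, and the pipeline that runs Terraform or Bicep signs in as that service principal. The group name `prod-operators`, the application name `prod-iac-deployer` and the GitHub repository in the federated-credential subject are assumptions; replace them with your own.

```terraform
# Added example: RBAC-based separation instead of a blanket deny policy.
# Humans read, the deployer service principal writes. Not from the original post.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.0"
    }
  }
}

provider "azurerm" {
  features {}
}

provider "azuread" {}

# The subscription the provider is currently authenticated against (your production subscription).
data "azurerm_subscription" "prod" {}

# Assumption: an existing Entra ID security group containing the human operators.
data "azuread_group" "operators" {
  display_name     = "prod-operators"
  security_enabled = true
}

# Application + service principal that the IaC pipeline will run as. Name is an assumption.
resource "azuread_application" "deployer" {
  display_name = "prod-iac-deployer"
}

resource "azuread_service_principal" "deployer" {
  application_id = azuread_application.deployer.application_id
}

# Federated (OIDC) credential so the pipeline needs no long-lived client secret.
# Issuer/subject below assume GitHub Actions on the main branch of example-org/prod-infra.
resource "azuread_application_federated_identity_credential" "github_main" {
  application_object_id = azuread_application.deployer.object_id
  display_name          = "github-main"
  audiences             = ["api://AzureADTokenExchange"]
  issuer                = "https://token.actions.githubusercontent.com"
  subject               = "repo:example-org/prod-infra:ref:refs/heads/main"
}

# Humans: Reader only at subscription scope. Portal changes fail with an authorization error.
resource "azurerm_role_assignment" "humans_reader" {
  scope                = data.azurerm_subscription.prod.id
  role_definition_name = "Reader"
  principal_id         = data.azuread_group.operators.object_id
}

# Deployer: Contributor at subscription scope. Terraform/Bicep runs as this identity.
resource "azurerm_role_assignment" "deployer_contributor" {
  scope                = data.azurerm_subscription.prod.id
  role_definition_name = "Contributor"
  principal_id         = azuread_service_principal.deployer.object_id
}
```

Two caveats a practitioner should check before relying on this. RBAC is additive, so any Owner or Contributor assignment the same users hold at the parent management group (or inherited from the root) still lets them write through the portal; audit those with `az role assignment list --all --assignee <user>` and remove them. Applying these assignments themselves requires an identity with Owner or User Access Administrator on the subscription, so bootstrap this configuration once from such an account, then switch the pipeline to the new service principal.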