1

Is there any Azure policy can be in place which will restict users so that they Can NOT delete any of the Security groups in Azure? even if they can PIM up below roles:

  • User Admin
  • Privileged auth admin
  • Application admin
  • Conditional access admin
  • Privillaged role admin
  • Identity Governance admin
  • Security Admin

Thanks.

AskMe
  • 2,495
  • 8
  • 49
  • 102
  • Hi @AskMe, did the suggested solution work for you? Do let me know if it solved your problem else share more details so I can troubleshoot or else do accept it for helping other community members. – Kartik Bhiwapurkar Jul 25 '22 at 04:27

3 Answers3

0

• For now, no such policy can be applied that prevents security group deletion in Azure. But there is a way through which you can prevent security group deletion through assigned Azure AD roles in Azure. For this purpose, you will have to ensure that you don’t assign Azure AD built-in roles like ‘User Administrator, Privileged authentication administrator, etc.’ directly with the default assigned permissions to these roles to any of the user or a group of users in your Azure AD tenant.

Then, create custom Azure AD roles according to your specific requirement with the required permissions only as described in the documentation link as below: -

https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles

https://learn.microsoft.com/en-us/azure/active-directory/roles/custom-create

• Once the custom required Azure PIM specific roles are created, then assign these PIM roles to the required users or a group of users as you deem correct. But do ensure that ‘microsoft.directory/groups/delete’ and ‘microsoft.directory/accessReviews/definitions.groups/delete’ permissions are not assigned to any of these custom PIM roles created and also bar from assigning the built-in Azure AD roles under Privileged Identity Management to any of the users, as these permissions only give the assigned role/user the rights to delete a security group.

In this way, you can restrict the users of PIM and other custom roles or default roles, maybe for that matter, to prevent deleting any security groups in Azure.

Kartik Bhiwapurkar
  • 4,550
  • 2
  • 4
  • 9
0

Short answer is no, there is no such built-in policy. You would have to rely on custom RBAC roles instead of the built-in roles.

For example, you want to use the NotAction and add this action to it microsoft.directory/groups/delete.

https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference

Niclas
  • 1,069
  • 4
  • 18
  • 33
-1

You can try to use Azure Resources Lock which will protect your resources from accidental deletion, no matter the user permissions. Check this link for more details about Azure resource locks:

https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json

Ahmed Muhi
  • 1
  • As it’s currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Jun 17 '22 at 07:57