I have written some automation (using az command line) that creates virtual machines for us.
However, since users have contributor access to the various subscriptions they login to the portal and create the vm's manually.
I would like to prevent the users from creating the vms by logging into the portal.
How do I leverage Azure Policy to enforce this ?
Asked
Active
Viewed 190 times
0
1 Answers
2
I tried to reproduce this scenario on my end and was able to restrict users with Contributor Role from creating VM via Portal.
I created one Policy Definition like below: -
"parameters": {},
"policyRule":
{
"if": {
"anyOf": [
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
{
"field": "Microsoft.Authorization/roleAssignments/roleDefinitionId",
"contains": "a8f97275-2685-41ce-a61d-dc550cd090f8"
}
]
},
"then":
{
"effect": "deny"
}
}
And assigned this policy at the subscription level: -
I have one user with Contributor role like below:
Now, when the user with Contributor role tried to create a VM, the VM creation was disallowed by the Policy like below:
Sridevi
- 10,599
- 1
- 4
- 17
SiddheshDesai
- 3,668
- 1
- 2
- 11
-
It would be great to know what all the values of "field" are; does it include something like "user has logged in via the portal" ? – souser Jan 04 '23 at 17:43
-
No, the **Field** values do not contain any information on user log in. If you're asking in context of the above policy, the Field value contains the Resource Provider `Microsoft.Compute` which has **virtual machine** and `Microsoft.Authorization` with the **role definition ID** of the user with contributor access – SiddheshDesai Jan 05 '23 at 04:58
-
If you want to know the values of **field** refer this [**MS document**](https://learn.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure#fields). – SiddheshDesai Jan 05 '23 at 04:58