
Azure Policy definition

Custom subscription owner roles should not exist

Name Custom subscription owner roles should not exist
Id 10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9
Version 2.0.0
Category General
Description This policy ensures that no custom subscription owner roles exist. As the policy rule below shows, a "custom subscription owner role" here means a custom role definition (roleDefinitions/type = CustomRole) whose permitted actions include the wildcard "*" and whose assignable scopes include the subscription, the root scope "/", or a management group.
Mode All
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Default: Audit
Allowed: (Audit, Disabled)
Used RBAC Role none
History none
Used in Initiatives
Initiative DisplayName Initiative Id Initiative Category State
[Deprecated]: Azure Security Benchmark v2 bb522ac1-bc39-4957-b194-429bcd3bcb0b Regulatory Compliance Deprecated
CIS Microsoft Azure Foundations Benchmark 1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d Regulatory Compliance GA
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA
Json
{
  "properties": {
    "displayName": "Custom subscription owner roles should not exist",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy ensures that no custom subscription owner roles exist.",
    "metadata": {
      "version": "2.0.0",
      "category": "General"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Authorization/roleDefinitions"
          },
          {
            "field": "Microsoft.Authorization/roleDefinitions/type",
            "equals": "CustomRole"
          },
          {
            "anyOf": [
              {
                "not": {
                "field": "Microsoft.Authorization/roleDefinitions/permissions[*].actions[*]",
                  "notEquals": "*"
                }
              },
              {
                "not": {
                "field": "Microsoft.Authorization/roleDefinitions/permissions.actions[*]",
                  "notEquals": "*"
                }
              }
            ]
          },
          {
            "anyOf": [
              {
                "not": {
                "field": "Microsoft.Authorization/roleDefinitions/assignableScopes[*]",
                  "notIn": [
                  "[concat(subscription().id,'/')]",
                  "[subscription().id]",
                    "/"
                  ]
                }
              },
              {
                "not": {
                "field": "Microsoft.Authorization/roleDefinitions/assignableScopes[*]",
                  "notLike": "/providers/Microsoft.Management/*"
                }
              }
            ]
          }
        ]
      },
      "then": {
      "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9"
}