AzPolicyAdvertizer

last sync: 2021-Sep-24 16:09:49 UTC

Azure Policy definition

Custom subscription owner roles should not exist

Name Custom subscription owner roles should not exist
Azure Portal

Id 10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9

Version 2.0.0
details on versioning

Category General
Microsoft docs

Description This policy ensures that no custom subscription owner roles exist.

Mode All

Type BuiltIn

Preview FALSE

Deprecated FALSE

Effect Default: Audit
Allowed: (Audit, Disabled)

Used RBAC Role none

History none

Used in Initiatives

Initiative DisplayName	Initiative Id	Initiative Category	State
[Deprecated]: Azure Security Benchmark v2	bb522ac1-bc39-4957-b194-429bcd3bcb0b	Regulatory Compliance	Deprecated
CIS Microsoft Azure Foundations Benchmark v1.1.0	1a5bb27d-173f-493e-9568-eb56638dde4d	Regulatory Compliance	GA
CIS Microsoft Azure Foundations Benchmark v1.3.0	612b5213-9160-4969-8578-1518bd2a000c	Regulatory Compliance	GA
HITRUST/HIPAA	a169a624-5599-4385-a696-c8d643089fab	Regulatory Compliance	GA

JSON

{
  "displayName": "Custom subscription owner roles should not exist",
  "policyType": "BuiltIn",
  "mode": "All",
  "description": "This policy ensures that no custom subscription owner roles exist.",
  "metadata": {
    "version": "2.0.0",
    "category": "General"
  },
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Enable or disable the execution of the policy"
      },
      "allowedValues": [
        "Audit",
        "Disabled"
      ],
      "defaultValue": "Audit"
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Authorization/roleDefinitions"
        },
        {
          "field": "Microsoft.Authorization/roleDefinitions/type",
          "equals": "CustomRole"
        },
        {
          "anyOf": [
            {
              "not": {
                "field": "Microsoft.Authorization/roleDefinitions/permissions[*].actions[*]",
                "notEquals": "*"
              }
            },
            {
              "not": {
                "field": "Microsoft.Authorization/roleDefinitions/permissions.actions[*]",
                "notEquals": "*"
              }
            }
          ]
        },
        {
          "anyOf": [
            {
              "not": {
                "field": "Microsoft.Authorization/roleDefinitions/assignableScopes[*]",
                "notIn": [
                  "[concat(subscription().id,'/')]",
                  "[subscription().id]",
                  "/"
                ]
              }
            },
            {
              "not": {
                "field": "Microsoft.Authorization/roleDefinitions/assignableScopes[*]",
                "notLike": "/providers/Microsoft.Management/*"
              }
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  }
}