last sync: 2020-Jul-03 15:47:34 UTC

Azure Policy

Custom subscription owner roles should not exist

Policy DisplayName Custom subscription owner roles should not exist
Policy Id 10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9
Policy Category General
Policy Description This policy ensures that no custom subscription owner roles exist.
Policy Mode All
Policy Type BuiltIn
Policy in Preview FALSE
Policy Deprecated FALSE
Policy Effect Default: Audit
Allowed: (Audit, Disabled)
Roles used none
Policy Changes no changes
Used in Policy Initiative(s)
Initiative DisplayName Initiative Id
CIS Microsoft Azure Foundations Benchmark 1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab
Policy Rule
{
  "properties": {
    "displayName": "Custom subscription owner roles should not exist",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy ensures that no custom subscription owner roles exist.",
    "metadata": {
      "version": "2.0.0",
      "category": "General"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Authorization/roleDefinitions"
          },
          {
            "field": "Microsoft.Authorization/roleDefinitions/type",
            "equals": "CustomRole"
          },
          {
            "anyOf": [
              {
                "not": {
                "field": "Microsoft.Authorization/roleDefinitions/permissions[*].actions[*]",
                  "notEquals": "*"
                }
              },
              {
                "not": {
                "field": "Microsoft.Authorization/roleDefinitions/permissions.actions[*]",
                  "notEquals": "*"
                }
              }
            ]
          },
          {
            "anyOf": [
              {
                "not": {
                "field": "Microsoft.Authorization/roleDefinitions/assignableScopes[*]",
                  "notIn": [
                  "[concat(subscription().id,'/')]",
                  "[subscription().id]",
                    "/"
                  ]
                }
              },
              {
                "not": {
                "field": "Microsoft.Authorization/roleDefinitions/assignableScopes[*]",
                  "notLike": "/providers/Microsoft.Management/*"
                }
              }
            ]
          }
        ]
      },
      "then": {
      "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9"
}