AzPolicyAdvertizer

last sync: 2020-Sep-29 13:46:04 UTC

Azure Policy

Custom subscription owner roles should not exist

Policy DisplayName Custom subscription owner roles should not exist

Policy Id 10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9

Policy Category General

Policy Description This policy ensures that no custom subscription owner roles exist.

Policy Mode All

Policy Type BuiltIn

Policy in Preview FALSE

Policy Deprecated FALSE

Policy Effect Default: Audit
Allowed: (Audit,Disabled)

Roles used none

Policy Changes no changes

Used in Policy Initiative(s)

Initiative DisplayName	Initiative Id
CIS Microsoft Azure Foundations Benchmark 1.1.0	1a5bb27d-173f-493e-9568-eb56638dde4d
HITRUST/HIPAA	a169a624-5599-4385-a696-c8d643089fab

Policy Rule

{
  "properties": {
    "displayName": "Custom subscription owner roles should not exist",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy ensures that no custom subscription owner roles exist.",
    "metadata": {
      "version": "2.0.0",
      "category": "General"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Authorization/roleDefinitions"
          },
          {
            "field": "Microsoft.Authorization/roleDefinitions/type",
            "equals": "CustomRole"
          },
          {
            "anyOf": [
              {
                "not": {
                "field": "Microsoft.Authorization/roleDefinitions/permissions[*].actions[*]",
                  "notEquals": "*"
                }
              },
              {
                "not": {
                "field": "Microsoft.Authorization/roleDefinitions/permissions.actions[*]",
                  "notEquals": "*"
                }
              }
            ]
          },
          {
            "anyOf": [
              {
                "not": {
                "field": "Microsoft.Authorization/roleDefinitions/assignableScopes[*]",
                  "notIn": [
                  "[concat(subscription().id,'/')]",
                  "[subscription().id]",
                    "/"
                  ]
                }
              },
              {
                "not": {
                "field": "Microsoft.Authorization/roleDefinitions/assignableScopes[*]",
                  "notLike": "/providers/Microsoft.Management/*"
                }
              }
            ]
          }
        ]
      },
      "then": {
      "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9"
}

Azure Policy

Custom subscription owner roles should not exist

Popular