last sync: 2020-Oct-23 19:29:54 UTC

Azure Policy

Allow managing tenant ids to onboard through Azure Lighthouse

Name Allow managing tenant ids to onboard through Azure Lighthouse
Id 7a8a51a3-ad87-4def-96f3-65a1839242b6
Version 1.0.1
Category Lighthouse
Description Restricting Azure Lighthouse delegations to specific managing tenants increases security by limiting those who can manage your Azure resources.
Mode All
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Fixed: deny
Used RBAC Role none
History
Date/Time (UTC ymd) Change type Change detail
2020-10-13 13:23:36 change Patch (1.0.0 > 1.0.1)
2020-09-30 14:32:32 add 7a8a51a3-ad87-4def-96f3-65a1839242b6
Used in Initiatives none

Json
{
  "properties": {
    "displayName": "Allow managing tenant ids to onboard through Azure Lighthouse",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Restricting Azure Lighthouse delegations to specific managing tenants increases security by limiting those who can manage your Azure resources.",
    "metadata": {
      "version": "1.0.1",
      "category": "Lighthouse"
    },
    "parameters": {
      "listOfAllowedTenants": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed tenants",
          "description": "List of the tenants IDs that can be onboarded through Azure Lighthouse"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.ManagedServices/registrationDefinitions"
          },
          {
            "not": {
              "field": "Microsoft.ManagedServices/registrationDefinitions/managedByTenantId",
              "in": "[parameters('listOfAllowedTenants')]"
            }
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/7a8a51a3-ad87-4def-96f3-65a1839242b6",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "7a8a51a3-ad87-4def-96f3-65a1839242b6"
}