Jul_DW

Reputation: 1064

Deny the creation of a new management group at root level

I am trying to deny the creation of any additional management group at root level. I enabled the capability of management groups which created the "Tenant Root Group".

I created some more MGs under that one for my governance purposes, but I do not want users to be able to create their own. Even without giving them any specific access, it looks like they can (even though it sounds weird to me). I double-checked in the IAM panel; nothing specific is there.

What's displayed in the Azure Portal is like this:

Root Tenant Group 
  |--- ManagementGroup1
  |--- ManagementGroup2
  |--- etc.

"Root Tenant Group" is the one that has been automatically created and that I am trying to lock now that I have created my structure.

I wanted to go with an Azure Policy, but whenever I apply it to that Tenant Root Group, it does not prevent the creation of another management group. Actually, it looks like in the ARM structure they are not considered children at all but independent items. When I run the command az account management-group show --name MyTenantRootGroup, it says "children" is null.

Still, my policy was the following:

"if": {
    "source": "action",
    "equals": "Microsoft.Management/managementGroups/write"
},
"then": {
    "effect": "deny"
}

Is there any other way to do so?

Upvotes: 0

Views: 204

Answers (1)

Kemley

Reputation: 204

Policy is unable to evaluate policies at a Management group level because of outside limitations. I would recommend submitting your idea to our UserVoice for proper feedback and consideration.

Upvotes: 1
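An added example, not code from the question or the answer. The answer is right that Azure Policy does not evaluate management-group resources, so the "deny" rule in the question never fires. Two things a defender can do instead, shown together in one script: (1) detect management groups that appear under the root but are not in the governance allowlist, by walking the output of the real Azure CLI call az account management-group show -n <root-id> --expand --recurse (the "children" field in the question was null because the default show call does not expand children), and (2) check the root's hierarchy settings for requireAuthorizationForGroupCreation, the Azure setting that turns off the tenant default in which any user can create a management group, and build the body for enabling it. The JSON documents below are constructed samples whose ids are placeholders; the shape of the settings document and the api-version are assumed from the Microsoft.Management/managementGroups/settings REST resource and should be checked against the current Azure REST reference before use.

```python
"""Audit an Azure management-group hierarchy: flag unexpected groups and
check whether creation of new groups at the root is restricted.

Added example (not from the question, the answer, or Azure). Assumed input shapes:
  hierarchy: az account management-group show -n <root-id> --expand --recurse -o json
  settings:  az rest --method get --url "https://management.azure.com/providers/
             Microsoft.Management/managementGroups/<root-id>/settings/default?api-version=2021-04-01"
"""
import json

MG_TYPE = "Microsoft.Management/managementGroups"
SETTINGS_URL = ("https://management.azure.com/providers/Microsoft.Management/"
                "managementGroups/{root}/settings/default?api-version=2021-04-01")

# Constructed sample of the expanded hierarchy. Placeholder ids; real output carries
# the tenant GUID as the root's "name". Subscriptions show up as children too, with
# a different "type", which is how the walker tells them apart.
SAMPLE_HIERARCHY = json.loads("""
{
  "displayName": "Tenant Root Group",
  "id": "/providers/Microsoft.Management/managementGroups/<tenant-id>",
  "name": "<tenant-id>",
  "type": "Microsoft.Management/managementGroups",
  "children": [
    {"displayName": "ManagementGroup1", "name": "ManagementGroup1",
     "id": "/providers/Microsoft.Management/managementGroups/ManagementGroup1",
     "type": "Microsoft.Management/managementGroups",
     "children": [
       {"displayName": "Sub-Prod", "name": "<subscription-id>",
        "id": "/subscriptions/<subscription-id>", "type": "/subscriptions",
        "children": null}
     ]},
    {"displayName": "ManagementGroup2", "name": "ManagementGroup2",
     "id": "/providers/Microsoft.Management/managementGroups/ManagementGroup2",
     "type": "Microsoft.Management/managementGroups", "children": null},
    {"displayName": "mg-created-by-user", "name": "mg-created-by-user",
     "id": "/providers/Microsoft.Management/managementGroups/mg-created-by-user",
     "type": "Microsoft.Management/managementGroups", "children": null}
  ]
}
""")

# Constructed settings documents (assumed shape). An empty dict stands for "no settings
# document exists yet", which is the tenant default: anyone may create groups.
SAMPLE_SETTINGS_UNSET = {}
SAMPLE_SETTINGS_HARDENED = {
    "name": "default",
    "type": "Microsoft.Management/managementGroups/settings",
    "properties": {"tenantId": "<tenant-id>", "requireAuthorizationForGroupCreation": True},
}

# Names the governance owner created on purpose (from the question's tree).
ALLOWED_GROUPS = {"ManagementGroup1", "ManagementGroup2"}


def iter_management_groups(node):
    """Depth-first walk yielding (name, parent_name) for every management group
    below `node`; subscription children are skipped by type."""
    for child in node.get("children") or []:
        if child.get("type") != MG_TYPE:
            continue
        yield child["name"], node["name"]
        yield from iter_management_groups(child)


def unexpected_groups(hierarchy, allowed):
    """Return [(name, parent)] for each management group not in the allowlist."""
    return [(name, parent) for name, parent in iter_management_groups(hierarchy)
            if name not in allowed]


def creation_requires_authorization(settings):
    """True only when the root's settings explicitly require authorization to create
    groups; a missing document or missing property is the permissive default."""
    props = settings.get("properties") or {}
    return props.get("requireAuthorizationForGroupCreation") is True


def hardened_settings_body():
    """Body for `az rest --method put --url <SETTINGS_URL> --body ...` (assumed schema)."""
    return {"properties": {"requireAuthorizationForGroupCreation": True}}


def audit(hierarchy, settings, allowed):
    """Collect human-readable findings; an empty list means the hierarchy is clean."""
    findings = [f"unexpected management group '{name}' under '{parent}'"
                for name, parent in unexpected_groups(hierarchy, allowed)]
    if not creation_requires_authorization(settings):
        findings.append("requireAuthorizationForGroupCreation is not enabled on the root; "
                        "any user in the tenant may create management groups")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_HIERARCHY, SAMPLE_SETTINGS_UNSET, ALLOWED_GROUPS):
        print("FINDING:", line)
    print("remediation PUT", SETTINGS_URL.format(root="<tenant-id>"))
    print(json.dumps(hardened_settings_body()))
```

Once the setting is enabled, creating a management group under the root requires the Microsoft.Management/managementGroups/write permission on the root, which is the permission the question's policy rule tried (and, as the answer explains, cannot) to deny through Azure Policy. The audit half is worth running on a schedule regardless, because the setting only constrains future creations; groups created before it was turned on stay where they are.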
