Reputation: 59
I have a policy in place for my Subscription that does not allow the creation of Resource Groups.
However, I have also put in place a Custom Role at the Subscription level as an owner for the Service Principal, which allows it to create RGs.
However, whenever I deploy my IaC via Azure DevOps, it still fails.
I am not sure where I am going wrong. I had a read at this, and the referenced links within, but it did not solve the issue.
Upvotes: 0
Views: 296
Reputation: 1064
You cannot exclude specific users with Azure Policy. Each and every ARM deployment will go through the Policy Engine and will be rejected if it doesn't meet the rule, regardless of who ran the action.
See Azure Policy and Azure RBAC: "Azure Policy ensures that resource state is compliant to your business rules without concern for who made the change or who has permission to make a change."
The link you provided mentions the use of Azure Blueprints and Deny Assignments, which are objects above unitary Policy and RBAC assignments. Basically a Blueprint is a combination of role assignments, policies, ARM templates and RGs; see Azure Blueprints overview.
To achieve what you want to do, you could exempt the Policy temporarily, use Blueprints or even make use of Custom Roles, amongst other ways, all depending on your use case.
Upvotes: 3
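To make the answer's point concrete, here is an added example (not code from the question or the answer above) showing the two pieces involved: a Policy definition that denies resource group creation, and the "exempt the Policy temporarily" option done with a time-boxed Policy exemption. It assumes the Azure CLI is installed and logged in; the subscription ID, policy name and exemption name are placeholders. The exemption is scoped to the subscription, not to a principal, which is exactly why an RBAC Owner role on the service principal does not help on its own: every deployment at that scope is evaluated by the Policy engine, and the exemption lifts the rule for every caller at that scope until it expires.

```shell
#!/bin/sh
# Added example, not from the question or answer. Assumes `az` is logged in.
# SUBSCRIPTION_ID is a placeholder; override it from the environment.
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
SCOPE="/subscriptions/$SUBSCRIPTION_ID"
POLICY_NAME="deny-resource-group-creation"           # placeholder name
EXEMPTION_NAME="pipeline-rg-bootstrap-waiver"        # placeholder name
ASSIGNMENT_ID="$SCOPE/providers/Microsoft.Authorization/policyAssignments/$POLICY_NAME"

# Policy rule that denies creation of resource groups. Mode "All" is required:
# "Indexed" mode only evaluates resource types that support tags and location,
# and this rule must apply at subscription scope regardless of who deploys.
deny_rg_policy_rule() {
  cat <<'EOF'
{
  "if": {
    "field": "type",
    "equals": "Microsoft.Resources/subscriptions/resourceGroups"
  },
  "then": {
    "effect": "deny"
  }
}
EOF
}

# Step 1: define the policy and assign it at subscription scope.
apply_deny_policy() {
  rules_file=$(mktemp)
  deny_rg_policy_rule > "$rules_file"
  az policy definition create \
    --name "$POLICY_NAME" \
    --display-name "Deny creation of resource groups" \
    --mode All \
    --rules "$rules_file"
  az policy assignment create \
    --name "$POLICY_NAME" \
    --policy "$POLICY_NAME" \
    --scope "$SCOPE"
  rm -f "$rules_file"
}

# Step 2: a temporary exemption while the pipeline bootstraps its RGs.
# Exemptions apply to a scope, not to an identity: every caller at $SCOPE is
# exempt until --expires-on (ISO 8601), so keep the window short and remove it.
create_temporary_exemption() {
  az policy exemption create \
    --name "$EXEMPTION_NAME" \
    --policy-assignment "$ASSIGNMENT_ID" \
    --exemption-category Waiver \
    --scope "$SCOPE" \
    --expires-on "$1"
}

# Step 3: remove the exemption once the pipeline has created what it needs.
remove_exemption() {
  az policy exemption delete --name "$EXEMPTION_NAME" --scope "$SCOPE"
}

# Only talk to Azure when explicitly asked, so the file is safe to source.
case "${1:-}" in
  apply)  apply_deny_policy ;;
  exempt) create_temporary_exemption "${2:-2030-01-01T00:00:00Z}" ;;
  clean)  remove_exemption ;;
esac
```

Usage: `sh policy.sh apply` to put the deny rule in place, `sh policy.sh exempt 2030-01-01T00:00:00Z` before the pipeline run, and `sh policy.sh clean` afterwards. Because the exemption is evaluated by scope and the deny rule by resource type, neither looks at the calling principal; if the goal is to let only one identity create RGs, the pattern in the answer still holds and a narrower design (creating the RGs outside the policy window and letting the pipeline deploy into them) avoids opening the scope to everyone.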