Is there any Azure policy that can be put in place which will restrict users so that they can NOT delete any of the Security groups in Azure? Even if they can PIM up to the roles below:
- User Admin
- Privileged auth admin
- Application admin
- Conditional access admin
- Privileged role admin
- Identity Governance admin
- Security Admin
Thanks.
3 Answers
You can try to use Azure Resources Lock which will protect your resources from accidental deletion, no matter the user permissions. Check this link for more details about Azure resource locks:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json
• For now, no such policy can be applied that prevents security group deletion in Azure. But there is a way through which you can prevent security group deletion through assigned Azure AD roles in Azure. For this purpose, you will have to ensure that you don’t assign Azure AD built-in roles like ‘User Administrator, Privileged authentication administrator, etc.’ directly with the default assigned permissions to these roles to any of the user or a group of users in your Azure AD tenant.
Then, create custom Azure AD roles according to your specific requirement with the required permissions only, as described in the documentation links below:
https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles
https://learn.microsoft.com/en-us/azure/active-directory/roles/custom-create
• Once the custom required Azure PIM specific roles are created, then assign these PIM roles to the required users or a group of users as you deem correct. But do ensure that ‘microsoft.directory/groups/delete’ and ‘microsoft.directory/accessReviews/definitions.groups/delete’ permissions are not assigned to any of these custom PIM roles created and also bar from assigning the built-in Azure AD roles under Privileged Identity Management to any of the users, as these permissions only give the assigned role/user the rights to delete a security group.
In this way, you can restrict the users of PIM and other custom roles or default roles, maybe for that matter, to prevent deleting any security groups in Azure.
Short answer is no, there is no such built-in policy. You would have to rely on custom RBAC roles instead of the built-in roles.
For example, you want to use the NotAction and add this action to it: microsoft.directory/groups/delete.
https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference
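As an added example (not code from the question or from any of the answers above), the following Microsoft Graph PowerShell script implements the approach described in the second answer: it defines a custom directory role from an explicit allow list that omits `microsoft.directory/groups/delete` and `microsoft.directory/accessReviews/definitions.groups/delete`, refuses to create the role if the allow list ever contains one of those permissions, and then audits every role definition in the tenant (custom and built-in) to show which ones still grant group deletion, so PIM eligibility is only handed out for roles that do not. It assumes the Microsoft.Graph PowerShell SDK and a session with the `RoleManagement.ReadWrite.Directory` scope; the role name, description and the chosen allow-list of group permissions are illustrative choices, not the only valid ones.

```powershell
# Added example, not from the question or the answers. Assumes the Microsoft.Graph
# PowerShell SDK; role name, description and allow-list are illustrative choices.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"

# Permissions that let a role holder delete a group (the two named in the answers).
$deletePermissions = @(
    "microsoft.directory/groups/delete",
    "microsoft.directory/accessReviews/definitions.groups/delete"
)

# 1. Define a custom directory role from an explicit allow list only.
#    The role can create and maintain groups but nothing here grants deletion.
$roleBody = @{
    displayName     = "Group Maintainer (no delete)"   # illustrative name
    description     = "Create and update groups and their membership; cannot delete groups."
    isEnabled       = $true
    rolePermissions = @(
        @{
            allowedResourceActions = @(
                "microsoft.directory/groups/create",
                "microsoft.directory/groups/basic/update",
                "microsoft.directory/groups/members/update",
                "microsoft.directory/groups/owners/update"
            )
        }
    )
}

# Guard: refuse to create the role if the allow list contains a delete permission.
$granted = $roleBody.rolePermissions | ForEach-Object { $_.allowedResourceActions }
$leak    = $granted | Where-Object { $deletePermissions -contains $_ }
if ($leak) {
    throw "Role definition would grant group deletion: $($leak -join ', ')"
}

$newRole = New-MgRoleManagementDirectoryRoleDefinition -BodyParameter $roleBody
Write-Host "Created custom role '$($newRole.DisplayName)' with id $($newRole.Id)"

# 2. Audit: list every role definition in the tenant that grants group deletion.
#    Built-in roles have fixed permission sets, so any built-in role that shows up
#    here should not be made PIM-eligible if group deletion must be prevented.
Get-MgRoleManagementDirectoryRoleDefinition -All |
    ForEach-Object {
        $role    = $_
        $actions = $role.RolePermissions | ForEach-Object { $_.AllowedResourceActions }
        $hits    = $actions | Where-Object { $deletePermissions -contains $_ }
        if ($hits) {
            [pscustomobject]@{
                Role      = $role.DisplayName
                Id        = $role.Id
                IsBuiltIn = $role.IsBuiltIn
                CanDelete = ($hits -join ', ')
            }
        }
    } | Format-Table -AutoSize
```

Run the audit part on its own first (it only needs read access) to see which of the built-in roles listed in the question actually carry `microsoft.directory/groups/delete`; that list is what decides which built-in roles must stay out of PIM eligibility while the custom role takes their place.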