
Is there any Azure policy that can be put in place to restrict users so that they can NOT delete any of the security groups in Azure, even if they can PIM up to the roles below?

  • User Admin
  • Privileged auth admin
  • Application admin
  • Conditional access admin
  • Privileged role admin
  • Identity Governance admin
  • Security Admin

Thanks.

3 Answers


  1. You can try to use an Azure Resource Lock, which will protect your resources from accidental deletion no matter the user permissions. Check this link for more details about Azure resource locks:

    https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json

  2. • For now, no such policy can be applied that prevents security group deletion in Azure. But there is a way through which you can prevent security group deletion through assigned Azure AD roles in Azure. For this purpose, you will have to ensure that you don’t assign Azure AD built-in roles like ‘User Administrator, Privileged Authentication Administrator, etc.’ directly, with the default permissions assigned to these roles, to any user or group of users in your Azure AD tenant.

    Then, create custom Azure AD roles according to your specific requirement, with the required permissions only, as described in the documentation links below:

    https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles

    https://learn.microsoft.com/en-us/azure/active-directory/roles/custom-create

    • Once the required custom Azure PIM-specific roles are created, assign these PIM roles to the required users or groups of users as you deem correct. But do ensure that the ‘microsoft.directory/groups/delete’ and ‘microsoft.directory/accessReviews/definitions.groups/delete’ permissions are not assigned to any of these custom PIM roles, and also refrain from assigning the built-in Azure AD roles under Privileged Identity Management to any of the users, as only these permissions give the assigned role/user the rights to delete a security group.

    In this way, you can restrict the users of PIM and other custom roles, or default roles for that matter, from deleting any security groups in Azure.

  3. Short answer is no, there is no such built-in policy. You would have to rely on custom RBAC roles instead of the built-in roles.

    For example, you would use NotAction and add this action to it: microsoft.directory/groups/delete.

    https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference

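Answers 2 and 3 both come down to the same control: no assigned role, custom or built-in, may carry the group-delete permissions. The following added script (not from this thread or from Microsoft) audits that condition over role definitions and assignments in the shape Microsoft Graph returns; the role and assignment records are constructed sample data, not a real tenant.

```python
"""Audit Entra ID (Azure AD) role assignments for group-delete rights.
Added example, not from the thread; dicts mirror the fields Microsoft Graph returns
for roleManagement/directory/roleDefinitions and roleAssignments. Sample data is
constructed here, not fetched from a tenant."""

# The two permissions answer 2 says must stay out of any assigned role.
FORBIDDEN_ACTIONS = frozenset({
    "microsoft.directory/groups/delete",
    "microsoft.directory/accessReviews/definitions.groups/delete",
})

# Constructed role definitions: one safe custom role, one custom role that grants delete.
ROLE_DEFINITIONS = [
    {"id": "role-safe", "displayName": "Group Membership Manager", "isBuiltIn": False,
     "rolePermissions": [{"allowedResourceActions": [
         "microsoft.directory/groups/members/update"]}]},
    {"id": "role-delete", "displayName": "Group Lifecycle Admin", "isBuiltIn": False,
     "rolePermissions": [{"allowedResourceActions": [
         "microsoft.directory/groups/create",
         "microsoft.directory/groups/delete"]}]},
]

# Constructed assignments: principalId and roleDefinitionId as Graph reports them.
ROLE_ASSIGNMENTS = [
    {"principalId": "user-alice", "roleDefinitionId": "role-safe"},
    {"principalId": "user-bob", "roleDefinitionId": "role-delete"},
]

def forbidden_actions_in(role):
    """Forbidden actions granted by one role definition (exact action match)."""
    granted = {a for p in role.get("rolePermissions", [])
               for a in p.get("allowedResourceActions", [])}
    return sorted(granted & FORBIDDEN_ACTIONS)

def audit_assignments(role_definitions, role_assignments):
    """Return {principalId: {roleName: [forbidden actions]}} for every assignment
    that would let the principal delete groups; unknown role ids grant nothing."""
    by_id = {r["id"]: r for r in role_definitions}
    findings = {}
    for a in role_assignments:
        role = by_id.get(a["roleDefinitionId"], {})
        hits = forbidden_actions_in(role)
        if hits:
            findings.setdefault(a["principalId"], {})[role["displayName"]] = hits
    return findings

if __name__ == "__main__":
    for principal, roles in audit_assignments(ROLE_DEFINITIONS, ROLE_ASSIGNMENTS).items():
        for role_name, actions in roles.items():
            print(f"{principal}: {role_name} grants {', '.join(actions)}")
```

Feed it the real roleDefinitions and roleAssignments collections (including built-in roles, which Graph returns with isBuiltIn set) to list every principal who could delete a group; an empty result is the state answer 2 describes.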