How to restrict deletion of security group in Azure?

Time:06-18

Is there any Azure policy that can be put in place which will restrict users so that they can NOT delete any of the security groups in Azure, even if they can PIM up to the roles below:

  • User Admin
  • Privileged auth admin
  • Application admin
  • Conditional access admin
  • Privileged role admin
  • Identity Governance admin
  • Security Admin

Thanks.

CodePudding user response:

• For now, no such policy can be applied that prevents security group deletion in Azure. But there is a way through which you can prevent security group deletion through the Azure AD roles assigned in Azure. For this purpose, you will have to ensure that you don't assign Azure AD built-in roles like 'User Administrator, Privileged Authentication Administrator, etc.' directly, with their default permissions, to any user or group of users in your Azure AD tenant.

Then, create custom Azure AD roles according to your specific requirements, with only the required permissions, as described in the documentation links below:

https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles

https://docs.microsoft.com/en-us/azure/active-directory/roles/custom-create

• Once the required custom PIM-specific Azure AD roles are created, assign these PIM roles to the required users or groups of users as you deem correct. But do ensure that the 'microsoft.directory/groups/delete' and 'microsoft.directory/accessReviews/definitions.groups/delete' permissions are not assigned to any of these custom PIM roles, and also refrain from assigning the built-in Azure AD roles under Privileged Identity Management to any of the users, as these permissions only give the assigned role/user the rights to delete a security group.

In this way, you can restrict the users of PIM and of other custom or default roles, for that matter, from deleting any security groups in Azure.
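As an added example (not part of the answer above), the following Microsoft Graph PowerShell script creates a custom Azure AD role for group management that deliberately omits the two delete actions the answer names, and then audits every role definition in the tenant to show which ones still carry those actions. The role name and the set of allowed actions are constructed for illustration; it assumes the Microsoft.Graph SDK is installed and that group-management custom roles are available in your tenant.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph
# PowerShell SDK and a caller allowed to manage directory role definitions.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"

# The two actions that grant group deletion (named in the answer above).
$deleteActions = @(
    "microsoft.directory/groups/delete",
    "microsoft.directory/accessReviews/definitions.groups/delete"
)

# Actions a delegated group operator needs; the delete actions are left out on purpose.
$allowedActions = @(
    "microsoft.directory/groups/create",
    "microsoft.directory/groups/basic/update",
    "microsoft.directory/groups/members/update",
    "microsoft.directory/groups/owners/update"
)

# Guard: refuse to create the role if a delete action slipped into the allow list.
$leaked = $allowedActions | Where-Object { $_ -in $deleteActions }
if ($leaked) {
    throw "Role definition would grant group deletion via: $($leaked -join ', ')"
}

$definition = @{
    displayName     = "Group Operator (no delete)"   # constructed name
    description     = "Manages group properties and membership but cannot delete groups."
    isEnabled       = $true
    rolePermissions = @(@{ allowedResourceActions = $allowedActions })
}
$role = New-MgRoleManagementDirectoryRoleDefinition -BodyParameter $definition
"Created custom role '$($role.DisplayName)' with id $($role.Id)"

# Audit: list every built-in or custom role definition whose actions include
# either delete action, so you know which roles must not be assigned (or made
# PIM-eligible) to users who are not allowed to delete groups.
# Note: this checks exact action strings only; wildcard-style actions are not expanded.
Get-MgRoleManagementDirectoryRoleDefinition -All |
    Where-Object {
        $actions = $_.RolePermissions | ForEach-Object { $_.AllowedResourceActions }
        ($actions | Where-Object { $_ -in $deleteActions }).Count -gt 0
    } |
    Select-Object DisplayName, IsBuiltIn, Id |
    Sort-Object IsBuiltIn, DisplayName |
    Format-Table -AutoSize
```

Run the audit part on its own before rolling out PIM assignments, so that any built-in role that still appears in the list is reviewed rather than assigned by default.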

CodePudding user response:

You can try to use Azure Resource Locks, which will protect your resources from accidental deletion, no matter the user's permissions. Check this link for more details about Azure resource locks:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json
