How can I discover all necessary permissions to use a Azure Policy with least privileges

Rust, Christopher 0 Reputation points
2024-09-04T12:37:55.9266667+00:00

The Problem

Hey, I am working on a project that will implement Azure policies to secure the platform. We have to follow the policies of our customer. One of these policies is to always use the concept of least privilege.

If we take a look at the Policy Initiative "Configure Microsoft Defender for Cloud plans" (link to Azure, link to GitHub), we will see a bunch of policies that ignore this best practice and, adding to the confusion, enable security features by adding weaknesses.

For example, if we look at the policy
/providers/Microsoft.Authorization/policyDefinitions/72f8cee7-2937-403d-84a1-a4e3e57f3c21
(link to Azure, link to GitHub), we can see that this policy will add this role to a Managed Identity:

```json
"roleDefinitionIds": [
  "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
]
```

If we look up the ID in the Azure docs, we will find that this is the ID of the Owner role (link to Azure docs).

This means that if you enable Defender for Cloud at management group level, Azure is going to add a Managed Identity that has the Owner role on all subscriptions below.

Question:

  1. What will happen if a user changes the policy into a bad one?
  2. What will happen if a user makes a mistake?

In my understanding, a user who has permissions to edit policies always has the potential to do superuser things if there are policies with roles like Owner.

There are several more policies with this bad security decision.

My Question

We need to create custom roles and custom policies to get around this problem. Does anyone have any idea where I can find the really necessary permissions for each policy?

On this site you can find the roles needed to enable Defender for Cloud, but I need every permission (link).

Thanks for any idea.

I'm a little shocked about Microsoft's security decisions.


1 answer

Prashant Kumar 780 Reputation points Microsoft Employee
    2024-09-06T08:12:12.2+00:00

    Hi Christopher,

    The managed identity of a deployIfNotExists or modify policy assignment needs enough permissions to create or update targeted resources. Without the required permissions, the policy remediation task will fail.

    https://learn.microsoft.com/en-us/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy

    Every DINE and Modify effect policy will have its own system-assigned managed identity created, and the roles needed for the identities will vary depending upon what action the policy does.

    To verify what role definition is needed, you can check the roleDefinitionIds section of the policy JSON of the built-in policy definitions.

    https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources?tabs=azure-portal#configure-the-policy-definition

    ```json
    "details": {
      ...
      "roleDefinitionIds": [
        "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/{roleGUID}",
        "/providers/Microsoft.Authorization/roleDefinitions/{builtinroleGUID}"
      ]
    }
    ```

    For a custom policy with DINE or Modify effect, you need to add the roleDefinitionIds based on the minimum role that would be needed to perform the action the policy is going to do while remediating the resources.

    You can check more about the roles/permissions needed for any action here: [https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles), and based on that action matching the policy remediation operations, you can either use a built-in role or create a custom role for the roleDefinitionIds that are used in the policy for the managed identity.
    
    
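A way to do the roleDefinitionIds check the answer describes across many definitions at once, as an added example that is not part of the original thread: the script reads policy definition JSON (either the ARM shape with a `properties` wrapper or the flattened shape that `az policy definition show -o json` prints), lists every role a policy's managed identity would be granted, resolves the GUIDs it knows (Owner is the GUID quoted in the question, Contributor is the well-known built-in role GUID) and flags the broad ones as candidates for a custom least-privilege role. The sample definitions, the custom-role GUID and the policy names other than the Owner one are constructed.

```python
# Role GUIDs to resolve. Owner's GUID is the one quoted in the question;
# Contributor's is the well-known built-in role GUID. Extend as needed.
KNOWN_ROLES = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
}
PRIVILEGED = {"Owner", "Contributor"}  # grants that should trigger a review


def role_definition_ids(definition: dict) -> list[str]:
    """roleDefinitionIds granted to the policy's managed identity.

    Accepts the ARM shape ({"properties": {"policyRule": ...}}) and the
    flattened shape printed by `az policy definition show`. Only DINE and
    Modify rules carry details.roleDefinitionIds, and the effect string is
    often "[parameters('effect')]", so the effect is not used as a filter."""
    props = definition.get("properties", definition)
    then = props.get("policyRule", {}).get("then", {})
    return list(then.get("details", {}).get("roleDefinitionIds", []))


def inventory(definitions: list[dict]) -> list[tuple[str, str, str]]:
    """One (policy name, role GUID, role label) row per role grant."""
    rows = []
    for d in definitions:
        for rid in role_definition_ids(d):
            guid = rid.rsplit("/", 1)[-1].lower()
            scope = "custom" if rid.startswith("/subscriptions/") else "built-in"
            rows.append((d["name"], guid, KNOWN_ROLES.get(guid, f"unknown {scope} role")))
    return rows


def privileged(rows: list[tuple[str, str, str]]) -> list[tuple[str, str, str]]:
    """Rows whose role is broad enough to warrant a custom least-privilege role."""
    return [r for r in rows if r[2] in PRIVILEGED]


# Constructed sample definitions (not real exports): the DINE case from the
# question, a Modify policy with a subscription-scoped custom role, an Audit one.
SAMPLE = [
    {"name": "72f8cee7-2937-403d-84a1-a4e3e57f3c21", "properties": {"policyRule": {
        "if": {"field": "type", "equals": "Microsoft.Resources/subscriptions"},
        "then": {"effect": "[parameters('effect')]", "details": {"roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"]}}}}},
    {"name": "tag-modify-custom", "policyRule": {
        "if": {"field": "tags['env']", "exists": "false"},
        "then": {"effect": "modify", "details": {"roleDefinitionIds": [
            "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/11111111-1111-1111-1111-111111111111"]}}}},
    {"name": "audit-only", "policyRule": {
        "if": {"field": "location", "equals": "eastus"}, "then": {"effect": "audit"}}},
]
```

To run it against an initiative, export each member definition with `az policy definition show --name <id> -o json`, load the files with `json.load`, and pass the list to `inventory`.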
