I'm trying to see if we can use a Deployment Stack on a ManagementGroup in Azure to protect a Budget on a Subscription from being modified and/or deleted by Contributors or Owners of the Subscription.
As of now I haven't succeeded despite playing around with denyWriteAndDelete and deny-settings-apply-to-child-scopes in the stack. Both IAM roles can even delete the Budget...
A small Bicep budget to be used in the stack:

```bicep
// Subscription-scoped template: the budget is an extension resource of the subscription
targetScope = 'subscription'

resource budget 'Microsoft.Consumption/budgets@2023-11-01' = {
  name: 'bg-bicep-budget1'
  properties: {
    category: 'Cost'
    amount: 100
    timeGrain: 'Monthly'
    timePeriod: {
      startDate: '2024-09-01T00:00:00Z'
      endDate: '2048-07-31T00:00:00Z'
    }
    notifications: {
      // Alert when actual spend exceeds 80% of the monthly amount
      actual_GreaterThan_80_Percent: {
        enabled: true
        operator: 'GreaterThan'
        threshold: 80
        contactEmails: [
          'someone@somewhere'
        ]
        thresholdType: 'Actual'
      }
    }
  }
}
```
Creating a Stack on a group, targeting a Subscription with the Budget:

```powershell
az stack mg create `
  --name 'test-001' `
  --location 'swedencentral' `
  --template-file 'budget1.bicep' `
  --deployment-subscription '123456789654654' `
  --action-on-unmanage 'deleteResources' `
  --deny-settings-mode 'denyWriteAndDelete' `
  --management-group-id 'stack-test-001' `
  --deny-settings-excluded-principals '65469879879324654645654654' `
  --deny-settings-apply-to-child-scopes
```
Sorry: No tags available for Bicep nor Deployment Stacks, Azure Blueprints was closest, but very wrong...
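A way to verify what the stack's deny settings actually produced, as an added example that is not part of the question: it applies the deny-assignment matching rules (scope prefix, `*` action wildcard, principals vs. excludePrincipals) to deny-assignment JSON of the shape returned by the `Microsoft.Authorization/denyAssignments` API, so you can tell whether a given principal is blocked from deleting the budget. The deny assignment below is constructed sample data with placeholder IDs; the helper names are my own.

```python
import fnmatch

# Constructed sample in the shape Azure returns for a deny assignment.
# The all-zero SystemDefined principal is the platform's "Everyone" principal.
# IDs are placeholders, not values from the stack above.
SAMPLE_DENY_ASSIGNMENTS = [{
    "properties": {
        "denyAssignmentName": "test-001",
        "scope": "/subscriptions/00000000-0000-0000-0000-000000000000",
        "doNotApplyToChildScopes": False,
        "permissions": [{"actions": ["*/write", "*/delete"], "notActions": []}],
        "principals": [{"id": "00000000-0000-0000-0000-000000000000",
                        "type": "SystemDefined"}],
        "excludePrincipals": [{"id": "excluded-sp-id", "type": "ServicePrincipal"}],
    }
}]

BUDGET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000"
             "/providers/Microsoft.Consumption/budgets/bg-bicep-budget1")


def _action_matches(pattern: str, action: str) -> bool:
    # Azure action strings use '*' as the only wildcard and compare case-insensitively.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _scope_covers(scope: str, resource_id: str, no_children: bool) -> bool:
    scope, resource_id = scope.lower().rstrip("/"), resource_id.lower()
    if scope == resource_id:
        return True
    return (not no_children) and resource_id.startswith(scope + "/")


def denied_by(assignments, principal_id: str, resource_id: str, action: str):
    """Name of the first deny assignment blocking `action` for `principal_id`, else None."""
    for entry in assignments:
        p = entry["properties"]
        if not _scope_covers(p["scope"], resource_id, p.get("doNotApplyToChildScopes", False)):
            continue
        principals = p.get("principals", [])
        everyone = any(x.get("type") == "SystemDefined" for x in principals)
        if not everyone and principal_id not in {x["id"] for x in principals}:
            continue
        if principal_id in {x["id"] for x in p.get("excludePrincipals", [])}:
            continue  # excluded principals keep their RBAC rights
        for perm in p.get("permissions", []):
            hit = any(_action_matches(a, action) for a in perm.get("actions", []))
            exempt = any(_action_matches(n, action) for n in perm.get("notActions", []))
            if hit and not exempt:
                return p["denyAssignmentName"]
    return None
```

If the list returned for the subscription is empty, or the budget's action is not matched, the deny assignment was never created at that scope and the stack's deny settings cannot be what protects the budget.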