Creating a Condition for RBAC in Azure with ARM Template

Mihir Raj Singh 120 Reputation points
2024-01-22T18:51:11.1533333+00:00

Hello, I am attempting to set up a condition in Azure role-based access control (RBAC) through an ARM template. Specifically, I would like to create a condition in which a certain group can only assign "Azure Service Bus Data Receiver" and "Azure Service Bus Data Sender" roles to service principals or groups. I came across this documentation (https://learn.microsoft.com/en-us/azure/role-based-access-control/conditions-role-assignments-template) but I am not sure what the logic should be for my specific scenario. In the key value value pair of "condition" : "

Azure Blueprints
Azure Blueprints
An Azure service that provides templates for quick, repeatable creation of fully governed cloud subscriptions.
72 questions
Azure Service Bus
Azure Service Bus
An Azure service that provides cloud messaging as a service and hybrid integration.
653 questions
Azure Role-based access control
Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
851 questions
{count} votes

Accepted answer
  1. Luis Arias 7,766 Reputation points
    2024-01-24T10:04:03.7633333+00:00

    Hi Mihir Raj Singh, I created this arm template to deploy that you need, just its required to include the parameters required such us : group object id and the resource group where you want to apply it.

    {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "resourceGroupName": {
          "type": "string",
          "metadata": {
            "description": "Name of the resource group"
          },
          "defaultValue": "<Your resource group Name>"
        },
        "groupId": {
          "type": "string",
          "metadata": {
            "description": "The Azure AD group ID"
          },
          "defaultValue": "Your AD Object ID"
        }
      },
      "resources": [
        {
          "type": "Microsoft.Authorization/roleAssignments",
          "apiVersion": "2020-04-01-preview",
          "name": "[guid(parameters('groupId'), 'Security Admin')]",
          "properties": {
            "roleDefinitionId": "[concat(subscription().id, '/providers/Microsoft.Authorization/roleDefinitions/', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]",
            "principalId": "[parameters('groupId')]",
            "scope": "[concat(subscription().id, '/resourceGroups/', parameters('resourceGroupName'))]",
            "condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {69a216fc-b8fb-44d8-bc22-1f3c2cd27a39, 4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group', 'ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {69a216fc-b8fb-44d8-bc22-1f3c2cd27a39, 4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group', 'ServicePrincipal'}))",
            "conditionVersion": "2.0"
          }
        }
      ]
    }
    
    

    With this template you can deploy an RBAC Administrator role to assign only the "Azure Service Bus Data Receiver" and "Azure Service Bus Data Sender" to Serviciprincipal and Groups. Let me know if you need any additional doubt. Cheers, Luis


    If the information helped address your question, please Accept the answer.


0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.