Creating a Custom Role for ARM to Restrict Deployment to Alerts and Action Groups

Ravi Parekh 0 Reputation points
2024-11-29T13:15:36.3633333+00:00

Hi All,

We have a requirement to create a Service Principal which can:

  1. read all resource details (including which all resources are available)
  2. have deploy / write access only for all types of Alerts (Metrics, Scheduled query, Azure managed Prometheus etc.) and Action Groups

The Alert / Action groups are required to be created via ARM template or Terraform to store Monitoring as Code to maintain version control of monitoring requirements.

I have been trying to work this out, found two existing roles,

  1. Read
  2. Monitoring Contributor

But the 2nd one is limited to the Azure Monitor CLI and doesn't allow ARM template deployment. Hence the two permissions below will have to be added:

"Microsoft.Resources/deployments/write",
"Microsoft.Resources/deployments/read"

But adding these will mean giving access to deploy any resource using ARM. To restrict that, we can add the following in NotActions:

"Microsoft.Compute/*",
"Microsoft.Storage/*",
"Microsoft.Network/*",
"Microsoft.Resources/deployments/validate",
"Microsoft.Resources/deployments/cancel"

The final JSON would look like the one below. Due to org-level restrictions it is difficult to create this role and test it, hence I'm looking forward to an expert opinion from the community on whether it looks good and whether there are any other suggestions.

Thank you for your help in advance.

{
  "Name": "custom-Monitoring-Contributor",
  "IsCustom": true,
  "Description": "Allows deployment of ARM templates for alerts and action groups only, with full monitoring read permissions.",
  "Actions": [
    "Microsoft.Resources/deployments/write",
    "Microsoft.Resources/deployments/read",
    "Microsoft.Insights/metricAlerts/*",
    "Microsoft.Insights/scheduledQueryRules/*",
    "Microsoft.AlertsManagement/smartDetectorAlertRules/*",
    "Microsoft.Monitor/accounts/*",
    "Microsoft.Insights/actionGroups/*",
    "Microsoft.Insights/*",
    "Microsoft.Monitor/*",
    "Microsoft.AlertsManagement/*",
    "Microsoft.OperationalInsights/*",
    "*/read"
  ],
  "AssignableScopes": [
    "/subscriptions/{subscription-id}"
  ],
  "DataActions": [],
  "NotActions": [
    "Microsoft.Compute/*",
    "Microsoft.Storage/*",
    "Microsoft.Network/*",
    "Microsoft.Resources/deployments/validate",
    "Microsoft.Resources/deployments/cancel"
  ]
}
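An added check, not code from the question or the answer, that evaluates which control-plane operations a custom role definition actually permits under Azure RBAC's wildcard rules (an operation is granted when an Actions entry matches it and no NotActions entry does). It compares a constructed role whose Actions contains a bare "*" against the same role with that entry replaced by "*/read" (the built-in Reader role's pattern), to show that NotActions alone cannot scope down a wildcard allow: the probe operations are constructed, and the role definitions are modelled on the approach above rather than copied from it.

```python
import re

# Constructed role modelled on the question's proposal: the monitoring wildcards
# plus a bare "*" meant to cover the "read every resource" requirement.
BROAD_ROLE = {
    "Actions": [
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Insights/*",
        "Microsoft.Monitor/*",
        "Microsoft.AlertsManagement/*",
        "Microsoft.OperationalInsights/*",
        "*",
    ],
    "NotActions": [
        "Microsoft.Compute/*",
        "Microsoft.Storage/*",
        "Microsoft.Network/*",
        "Microsoft.Resources/deployments/validate",
        "Microsoft.Resources/deployments/cancel",
    ],
}
# Same role with the bare "*" replaced by "*/read" (the built-in Reader role's
# pattern): reads everything, writes only what the monitoring wildcards cover.
TIGHT_ROLE = {"Actions": [a for a in BROAD_ROLE["Actions"] if a != "*"] + ["*/read"],
              "NotActions": BROAD_ROLE["NotActions"]}

def matches(pattern: str, operation: str) -> bool:
    """Azure RBAC wildcard rule: '*' matches any characters, '/' separators
    included, and the comparison is case-insensitive."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None

def is_permitted(role: dict, operation: str) -> bool:
    """Granted when some Actions entry matches and no NotActions entry matches
    (assignment scope and deny assignments are outside this check)."""
    allowed = any(matches(p, operation) for p in role.get("Actions", []))
    excluded = any(matches(p, operation) for p in role.get("NotActions", []))
    return allowed and not excluded

def compare_roles(operations: list) -> dict:
    """Map each probe operation to (permitted by BROAD_ROLE, permitted by TIGHT_ROLE)."""
    return {op: (is_permitted(BROAD_ROLE, op), is_permitted(TIGHT_ROLE, op))
            for op in operations}

if __name__ == "__main__":
    probes = ["Microsoft.Insights/metricAlerts/write", "Microsoft.KeyVault/vaults/read",
              "Microsoft.KeyVault/vaults/write", "Microsoft.Authorization/roleAssignments/write"]
    for op, (broad, tight) in compare_roles(probes).items():
        print(f"{op:48} broad={broad!s:5} tight={tight}")
```

Run it before submitting the role for approval: any write outside the monitoring providers that comes back permitted is a gap the NotActions list does not close.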

1 answer

  1. Pranay Reddy Madireddy 885 Reputation points Microsoft Vendor
    2024-11-29T22:39:14.4166667+00:00

    Hi Ravi Parekh,

    Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

    To create a custom service principal in Azure for monitoring and alert management, you can set up a custom role with specific permissions. Your proposed JSON structure looks good, but let's make some improvements to ensure it follows best practices and meets your needs.

    The actions listed allow the service principal to create and manage alerts and action groups, as well as deploy ARM templates for these resources. This ensures that it can read all necessary resource details without giving too many permissions.

    By using NotActions, you prevent the service principal from deploying or changing other resource types like Compute, Storage, and Network. This helps you keep deployment capabilities limited.

    Make sure to replace {subscription-id} with the real subscription ID where you will use this role.

    If you have any further queries, do let us know.


    If the answer is helpful, please click "Accept Answer" and "Upvote it".

