How to limit user-assigned managed identities to a single team only

Thomas Yiu 0 Reputation points
2024-08-23T10:02:08.5433333+00:00

Hello,

I have an Azure tenant that has several subscriptions (one per application). The security team needs certain permissions in each subscription (modification of Azure policies, etc.).

We thought about providing them with an SPN account for each subscription (with the appropriate rights). However, since we do not yet have the means to properly manage the security of these accounts (rotation, conditional access, etc.), we instead considered using user-assigned managed identities.

During testing, we noticed that developers/administrators were able to attach these identities to their services and use the associated permissions.

Is it possible to restrict who has the right to use these identities?

Many Thanks,

Regards,


1 answer

  1. Sina Salam 10,111 Reputation points
    2024-08-23T17:25:31.7833333+00:00

    Hello Thomas Yiu,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that you would like to restrict who can use user-assigned managed identities in Azure.

    There are two major ways you can achieve this: built-in RBAC roles and Azure Policy.

    1. You can use Azure built-in role-based access control (RBAC) roles, and you can grant permissions at the subscription or resource group level. Also, you can restrict which users or groups can attach these identities to their services. https://docs.microsoft.com/azure/role-based-access-control/built-in-roles
    2. Using Azure Policy to prevent users from creating user-assigned managed identities is achievable when you sign in to the Azure portal, navigate to "Policy," and create a policy definition with a rule similar to the one below:

        {
            "mode": "All",
            "policyRule": {
                "if": {
                    "field": "type",
                    "equals": "Microsoft.ManagedIdentity/userAssignedIdentities"
                },
                "then": {
                    "effect": "deny"
                }
            },
            "parameters": {}
        }
      
      https://video2.skills-academy.com/en-us/answers/questions/1923459/how-to-limit-user-assigned-managed-identities-to-a and https://video2.skills-academy.com/en-us/azure/governance/policy/concepts/definition-structure-basics


    I hope this is helpful! Do not hesitate to let me know if you have any other questions.

    ** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful ** so that others in the community facing similar issues can easily find the solution.

    Best Regards,

    Sina Salam

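The answer names two controls, RBAC and Azure Policy, but leaves it to the reader to see how each one actually decides the case in the question (a developer attaching the security team's identity to their own service). The following Python is an added example written for this page, not code from Microsoft or from the answer; it is a toy model of the two decisions, not Azure's engine. The policy half evaluates the quoted definition's `if`/`then` rule against constructed resource records and shows how an assignment's scope and `notScopes` decide whether a resource is even evaluated (so the security team's own resource group can be carved out). The RBAC half shows why developers could attach the identity during the question's test: attaching an identity is the control-plane action `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`, and the built-in Contributor role's `*` wildcard covers it, so anyone with Contributor at a scope that contains the identity can attach it; the built-in Managed Identity Operator role exists to grant that action on its own. Role definitions, subscription ID, resource group names and role assignments in the code are constructed (Contributor and Reader are abridged to the shape of the built-ins), and the custom role name is hypothetical.

```python
"""Illustrative evaluator (added example, not Azure's engine) for the two controls in
the answer: the Azure Policy deny rule and RBAC action matching. All IDs are constructed."""
from __future__ import annotations

import fnmatch
from typing import Any, Iterable

# The policy definition quoted in the answer: deny creation of user-assigned managed identities.
DENY_UAMI_CREATION: dict[str, Any] = {
    "mode": "All",
    "policyRule": {
        "if": {"field": "type", "equals": "Microsoft.ManagedIdentity/userAssignedIdentities"},
        "then": {"effect": "deny"},
    },
    "parameters": {},
}

# Control-plane action checked when a user-assigned identity is attached to a resource.
ASSIGN_ACTION = "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action"

# Constructed scopes (the subscription ID is a placeholder).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG_APP = f"{SUB}/resourceGroups/rg-app1"
RG_SEC = f"{SUB}/resourceGroups/rg-security-identities"
SEC_IDENTITY = f"{RG_SEC}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-secteam"


def in_scope(resource_id: str, scope: str) -> bool:
    """True if scope is the resource itself or one of its ancestors (subscription, resource group)."""
    rid, s = resource_id.lower(), scope.lower().rstrip("/")
    return rid == s or rid.startswith(s + "/")


def evaluate_condition(cond: dict[str, Any], resource: dict[str, Any]) -> bool:
    """Evaluate the subset of Azure Policy conditions used in simple definitions (case-insensitive)."""
    if "allOf" in cond:
        return all(evaluate_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource)
    value = str(resource.get(cond["field"], "")).lower()
    if "equals" in cond:
        return value == cond["equals"].lower()
    if "notEquals" in cond:
        return value != cond["notEquals"].lower()
    if "in" in cond:
        return value in {v.lower() for v in cond["in"]}
    if "notIn" in cond:
        return value not in {v.lower() for v in cond["notIn"]}
    raise ValueError(f"unsupported condition: {cond}")


def policy_effect(policy: dict[str, Any], resource: dict[str, Any],
                  assignment_scope: str, not_scopes: Iterable[str] = ()) -> str:
    """Effect for a resource under one assignment: 'deny', 'exempt' (in a notScope) or 'notApplicable'."""
    rid = resource["id"]
    if not in_scope(rid, assignment_scope):
        return "notApplicable"            # outside the assignment: never evaluated
    if any(in_scope(rid, s) for s in not_scopes):
        return "exempt"                   # notScopes carve e.g. the security team's RG out
    if evaluate_condition(policy["policyRule"]["if"], resource):
        return policy["policyRule"]["then"]["effect"]
    return "notApplicable"


def role_grants(role: dict[str, list[str]], action: str) -> bool:
    """Effective permission = Actions minus NotActions; '*' wildcards match as in role definitions."""
    def matches(patterns: list[str]) -> bool:
        return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)
    return matches(role.get("actions", [])) and not matches(role.get("notActions", []))


# Constructed role definitions: Contributor and Reader abridged to the shape of the built-ins,
# plus a hypothetical custom least-privilege role for the security team.
ROLES: dict[str, dict[str, list[str]]] = {
    "Contributor": {"actions": ["*"],
                    "notActions": ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"]},
    "Reader": {"actions": ["*/read"], "notActions": []},
    "UAMI Attacher (custom)": {"actions": ["Microsoft.ManagedIdentity/userAssignedIdentities/read", ASSIGN_ACTION],
                               "notActions": []},
}


def principals_who_can_attach(assignments: list[tuple[str, str, str]], identity_id: str) -> list[str]:
    """Principals whose role, at a scope covering the identity, grants the assign action."""
    return sorted(p for p, role, scope in assignments
                  if in_scope(identity_id, scope) and role_grants(ROLES[role], ASSIGN_ACTION))


# Constructed role assignments: (principal, role, scope).
ASSIGNMENTS = [
    ("dev-team", "Contributor", RG_APP),          # scope does not cover rg-security-identities
    ("platform-admins", "Contributor", SUB),      # subscription-wide '*' includes the assign action
    ("auditors", "Reader", SUB),
    ("security-team", "UAMI Attacher (custom)", RG_SEC),
]

if __name__ == "__main__":
    uami = {"id": SEC_IDENTITY, "type": "Microsoft.ManagedIdentity/userAssignedIdentities"}
    print(policy_effect(DENY_UAMI_CREATION, uami, SUB))            # deny
    print(policy_effect(DENY_UAMI_CREATION, uami, SUB, [RG_SEC]))  # exempt
    print(principals_who_can_attach(ASSIGNMENTS, SEC_IDENTITY))    # ['platform-admins', 'security-team']
```

The `principals_who_can_attach` output is the check to run against real role assignments: if anyone other than the security team appears, the identity sits inside a scope where a broad role is held. The usual fix is to keep the identities in a dedicated resource group, grant developers Contributor only on their application resource groups, and grant the security team a narrow role (built-in Managed Identity Operator or a custom role) on the identities' resource group; the deny policy from the answer then stops new identities from being created elsewhere, with `notScopes` exempting the security team's resource group.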
