Looking for a way to create an Azure policy which denies based on a policy rule, but does not deny if you are an Owner on the policy assignment scope, or if the assignment scope is a specific AAD Group (ideally a name wildcard match).
Azure Policy info: the working policy denies role assignments if the role definition ID is not within the parameter values.
The Desire:
A specific role definition ID is denied on a role assignment attempt if it does not match the whitelist; however, role assignment attempts are NOT denied if you are an Owner on the scope, or, if that is not possible, if the assignment scope is an AAD Group whose name matches a wildcard or regex.
The issue: we have successfully denied all role assignments where the role definition was not allowed in the Azure policy.
We, the admins, are in turn now being blocked by the policy when attempting to assign custom roles that are not on the allowed role definitions list.
These custom roles not on the allowed list are being assigned to AAD Groups.
Not sure if we can create some kind of exclusion if you are an Owner, or maybe for the AAD group naming convention (customer-group-*).
Summary: we need this Azure policy to deny customers the ability to assign any RBAC role that does not match a role definition ID on the allowed list, but we as the admins, who will have the 'Owner' or 'Contributor' role, need to still be able to assign roles not on the allowed list.
I have not been able to stratify a solution via either Azure Policy or RBAC to achieve this.
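Azure Policy evaluates the properties of the role assignment request (roleDefinitionId, principalId, principalType), not the identity or roles of the caller, so a rule cannot test "is the requester an Owner", and it sees the target group's object ID rather than its display name, so a name wildcard is not available either. The closest approximation in a policy definition, written here as an added example rather than anything from the original question, is to keep the allowed-role-GUID deny and carve out assignments whose principalId is in a parameterized list of admin group object IDs; the GUIDs shown are placeholders to be replaced with your own.

```json
{
  "mode": "All",
  "parameters": {
    "allowedRoleDefinitionGuids": {
      "type": "Array",
      "metadata": {
        "displayName": "Allowed role definition GUIDs",
        "description": "Role definition GUIDs customers may assign (placeholder values)."
      },
      "defaultValue": [
        "00000000-0000-0000-0000-000000000001"
      ]
    },
    "exemptPrincipalIds": {
      "type": "Array",
      "metadata": {
        "displayName": "Exempt principal object IDs",
        "description": "Object IDs of the admin AAD group(s); assignments to these principals are never denied (placeholder values)."
      },
      "defaultValue": [
        "00000000-0000-0000-0000-0000000000aa"
      ]
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Authorization/roleAssignments"
        },
        {
          "value": "[last(split(field('Microsoft.Authorization/roleAssignments/roleDefinitionId'), '/'))]",
          "notIn": "[parameters('allowedRoleDefinitionGuids')]"
        },
        {
          "field": "Microsoft.Authorization/roleAssignments/principalId",
          "notIn": "[parameters('exemptPrincipalIds')]"
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  }
}
```

The `last(split(...))` step compares only the role definition GUID, so the same allowed list works whether the request carries a tenant-level or subscription-level roleDefinitionId. Assignments by admins to principals outside the exempt list are still denied; for those, an Azure Policy exemption on the relevant scope is the remaining option.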