Azure Subscription Access
What it does
This policy checks all users who have Owner or Contributor access to a given Azure subscription and creates an incident whenever that user list changes.
The policy leverages the Azure RBAC API to get all the users with the given role(s) on the given subscription. When the list of users that match the criteria changes, an incident is created and the details are reported via email.
- Azure Service Principal (AKA Azure Active Directory Application) with the appropriate permissions to manage resources in the target subscription
- The following RightScale Credentials
- Follow steps to Create an Azure Active Directory Application
- Grant the Azure AD Application access to the necessary subscription(s)
- Retrieve the Application ID & Authentication Key
- Create RightScale Credentials with values that match the Application ID (Credential name:
AZURE_APPLICATION_ID) & Authentication Key (Credential name:
- Retrieve your Tenant ID
- Email addresses of the recipients you wish to notify - A list of email addresses to notify
- Roles to report on - Can choose to report on Owner, Contributor, or Both
- Azure AD Tenant ID - the Azure AD Tenant ID used for the Azure API Authentication
- Azure Subscription ID - the Azure Subscription ID used for the Azure API Authentication
Required RightScale Roles
Azure Required Permissions
- Tenant > Microsoft Graph > Directory.Read.all
- Subscription > Reader
This Policy Template does not incur any cloud costs.