This policy is no longer being updated.
This policy provides a report of all users with Owner or Contributor access to an Azure Subscription. Optionally, it emails this report.
- The Azure Resource Manager API is used to obtain a list of Azure Subscriptions, Azure Role Definitions, and Azure Role Assignments.
- The Microsoft Graph API is used to obtain a list of Microsoft users.
- The above datasets are mapped to each other to produce a list of users with Owner or Contributor access per Azure Subscription.
- Email Addresses - Email addresses of the recipients you wish to notify when new incidents are created.
- Azure Endpoint - The endpoint to send Azure Resource Manager API requests to. Recommended to leave this at default unless using this policy with Azure China.
- Microsoft Graph Endpoint - The endpoint to send Microsoft Graph API requests to. Recommended to leave this at default unless using this policy with Azure China.
- Roles - Whether to report on users that are subscription Owners, Contributors, or both.
- Allow/Deny Subscriptions - Determines whether the Allow/Deny Subscriptions List parameter functions as an allow list (only providing results for the listed subscriptions) or a deny list (providing results for all subscriptions except for the listed subscriptions).
- Allow/Deny Subscriptions List - A list of allowed or denied Subscription IDs/names. If empty, no filtering will occur and recommendations will be produced for all subscriptions.
- Sends an email notification
This Policy Template uses Credentials for authenticating to datasources -- in order to apply this policy you must have a Credential registered in the system that is compatible with this policy. If there are no Credentials listed when you apply the policy, please contact your Flexera Org Admin and ask them to register a Credential that is compatible with this policy. The information below should be consulted when creating the credential(s).
For administrators creating and managing credentials to use with this policy, the following information is needed:
-
Azure Resource Manager Credential (provider=azure_rm) which has the following permissions:
Microsoft.Authorization/roleDefinitions/readMicrosoft.Authorization/roleAssignments/read
-
Microsoft Graph Credential (provider=azure_graph) which has the following permissions:
User.Read.All
-
Flexera Credential (provider=flexera) which has the following roles:
billing_center_viewer
The Provider-Specific Credentials page in the docs has detailed instructions for setting up Credentials for the most common providers.
- Azure
This Policy Template does not incur any cloud costs.