Azure / ALZ-Bicep

This repository contains the Azure Landing Zones (ALZ) Bicep modules that help deliver and deploy the Azure Landing Zone conceptual architecture in a modular approach. https://aka.ms/alz/docs
MIT License

ALZ is violating MS Defender policy about no custom roles #807

Closed andreashagensjolvsagt closed 2 months ago

andreashagensjolvsagt commented 2 months ago

What happened? Provide a clear and concise description of the bug, including deployment details.

We are deploying v0.18 of ALZ and after activating MS Defender a policy named "Audit usage of custom RBAC roles" is being violated by custom roles deployed by ALZ Bicep. How do we mitigate this? Presumably it is not intended that we just silence this policy?

Please provide the correlation id associated with your error or bug.

No response

What was the expected outcome?

No response

Relevant log output

No response

jtracey93 commented 2 months ago

Hey @andreashagensjolvsagt,

Thanks for raising this 👍

However, I don't think this one is a bug as such and we create custom roles for specific reasons in ALZ as documented here https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones#built-in-roles

This is only a recommendation to "audit" these custom roles for suitability, applicability and usage, and in ALZ's case we recommend these for certain personas/roles, and therefore I think this is okay to exempt/exclude from.

andreashagensjolvsagt commented 2 months ago

Thanks for the feedback @jtracey93. Would you also have a recommendation as to how to best exempt these policies? I can't see a way to target specific custom roles with the exemption besides creating an exemption for the whole policy at some scope, management group or subscription. Would you perhaps be able to provide a sample az command or similar that would create a specific exemption for these custom roles without giving a blanket allowance on any custom roles?

jtracey93 commented 2 months ago

Hey @andreashagensjolvsagt, a policy exemption is a child/extension resource of the scope/resource you want to exempt. So you can create an exemption for each of these roles as per the guidance here https://learn.microsoft.com/azure/governance/policy/concepts/exemption-structure & https://learn.microsoft.com/powershell/module/az.resources/new-azpolicyexemption?view=azps-12.0.0 (check out the -Scope parameter to pass in the specific resource ID)

andreashagensjolvsagt commented 2 months ago

@jtracey93 Thanks for the reply.

As far as I can tell the scope of an exemption is a management group, subscription, resource group, etc., meaning granting an exemption to this policy would exempt all custom roles, not just ALZ's custom roles. Such a broad exemption negates the point of the policy in its entirety.

I tried variations on the below command to set the exemption scope to the role directly, but that does not seem to be an option as Azure just rejects the request. Is this what you meant?

az policy exemption create \
  --name [EXEMPTION ID HERE] \
  --display-name '[alz] Subscription owner - Audit usage of custom RBAC roles' \
  --policy-assignment /providers/Microsoft.Management/managementGroups/alz/providers/Microsoft.Authorization/policyAssignments/Deploy-ASC-Monitoring \
  --policy-definition-reference-ids useRbacRulesMonitoring \
  --scope /providers/Microsoft.Management/managementGroups/alz/providers/Microsoft.Authorization/roleDefinitions/[SUBSCRIPTION OWNER GUID HERE] \
  --exemption-category Waiver
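An added example (not from this thread or the ALZ-Bicep project) of the check worth running before accepting a scope-wide exemption: over constructed policy-state records (field names modelled on `az policy state list` output) it lists the role definitions the custom-role audit policy flags and separates ALZ-deployed ones (a caller-supplied set of role definition IDs; placeholder GUIDs here) from any others such an exemption would also silence.

```python
# Added example, not the project's own code. Record fields follow the shape of
# `az policy state list` output; the records are constructed sample data and
# the subscription/role GUIDs are placeholders.

MG_ALZ = "/providers/Microsoft.Management/managementGroups/alz"
ASSIGNMENT_ID = MG_ALZ + "/providers/Microsoft.Authorization/policyAssignments/Deploy-ASC-Monitoring"
REFERENCE_ID = "useRbacRulesMonitoring"  # initiative member used on this page

# Role definitions deployed by ALZ; take the real IDs from your deployment output.
ALZ_ROLE_ID = MG_ALZ + "/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-0000-0000-0000000000a1"
ALZ_ROLE_IDS = {ALZ_ROLE_ID}

# A custom role created directly in a subscription, outside ALZ (constructed).
OTHER_ROLE_ID = ("/subscriptions/11111111-1111-1111-1111-111111111111"
                 "/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-0000-0000-0000000000b2")
STORAGE_ID = ("/subscriptions/11111111-1111-1111-1111-111111111111"
              "/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/sa1")


def record(resource_id, state, reference_id=REFERENCE_ID, assignment_id=ASSIGNMENT_ID):
    # Policy state records report resource IDs in lower case.
    return {"resourceId": resource_id.lower(), "complianceState": state,
            "policyAssignmentId": assignment_id.lower(),
            "policyDefinitionReferenceId": reference_id}


SAMPLE_RECORDS = [
    record(ALZ_ROLE_ID, "NonCompliant"),
    record(OTHER_ROLE_ID, "NonCompliant"),
    record(OTHER_ROLE_ID, "Compliant", reference_id="someOtherReferenceId"),
    record(STORAGE_ID, "NonCompliant", reference_id="disableIPForwardingMonitoring"),
]


def flagged_custom_roles(records, alz_role_ids=ALZ_ROLE_IDS,
                         assignment_id=ASSIGNMENT_ID, reference_id=REFERENCE_ID):
    """Split role definitions marked NonCompliant by the audit policy into ALZ-deployed
    ones and everything else. A management-group exemption covers only the ALZ roles
    when the second list is empty; anything in it would be hidden by that exemption."""
    known = {r.lower() for r in alz_role_ids}
    alz, other = [], []
    for rec in records:
        if rec["policyAssignmentId"].lower() != assignment_id.lower():
            continue
        if rec["policyDefinitionReferenceId"].lower() != reference_id.lower():
            continue
        if rec["complianceState"] != "NonCompliant":
            continue
        rid = rec["resourceId"].lower()
        if "/providers/microsoft.authorization/roledefinitions/" not in rid:
            continue  # this reference id should only match roles; be defensive anyway
        (alz if rid in known else other).append(rid)
    return sorted(alz), sorted(other)
```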

jtracey93 commented 2 months ago

This may be true, as a role definition is an extension resource itself, so maybe we have uncovered something that's unsupported.

Could you raise a support ticket for this and see if this can be looked into further, feel free to share the support ticket ID here and I can assist with adding context this side.

Ballzer0 commented 2 months ago

@jtracey93 What would be the correct place to raise a support ticket for this issue? I'm working on the same team as @andreashagensjolvsagt

jtracey93 commented 2 months ago

Hey @Ballzer0, an Azure support ticket via the Azure Portal 👍