Open audhage opened 4 years ago
When assigning policy initiatives containing policies with DeployIfNotExists actions through blueprints, role assignments are not included.
This works fine when assigning individual policies.
The policy documentation states that, when using command-line approaches to assigning policies, the role assignments must be assigned as a post-policy-assignment task. https://docs.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources
This is something that is already handled in blueprints for individual policies, but it seems not so for initiatives.
Is this a bug, missing feature, or expected behavior?
This is a missing feature. The recommendation is to assign the policy initiative via an ARM Template artifact, and you can also do the role assignment in that template.
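The workaround recommended in the reply above, as a subscription-level ARM template that assigns the initiative with a system-assigned identity and grants that identity one role assignment per required role. This is an added example, not code from the issue or from the Blueprints project. The parameter names and the sample assignment name are constructed, and the role GUIDs are assumed to be exactly those listed under `roleDefinitionIds` in the initiative's DeployIfNotExists policies.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "assignmentName": { "type": "string", "defaultValue": "dine-initiative", "metadata": { "description": "Constructed sample name for the policy assignment." } },
    "initiativeId": { "type": "string", "metadata": { "description": "Placeholder: resource ID of the policy set definition to assign." } },
    "roleDefinitionGuids": { "type": "array", "metadata": { "description": "Assumption: only the role GUIDs named in roleDefinitionIds of the initiative's DeployIfNotExists policies." } },
    "location": { "type": "string", "metadata": { "description": "Region in which the assignment's managed identity is created." } }
  },
  "variables": {
    "assignmentId": "[subscriptionResourceId('Microsoft.Authorization/policyAssignments', parameters('assignmentName'))]"
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/policyAssignments",
      "apiVersion": "2019-09-01",
      "name": "[parameters('assignmentName')]",
      "location": "[parameters('location')]",
      "identity": { "type": "SystemAssigned" },
      "properties": {
        "displayName": "[parameters('assignmentName')]",
        "policyDefinitionId": "[parameters('initiativeId')]"
      }
    },
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2020-04-01-preview",
      "name": "[guid(variables('assignmentId'), parameters('roleDefinitionGuids')[copyIndex()])]",
      "dependsOn": [ "[variables('assignmentId')]" ],
      "copy": { "name": "remediationRoles", "count": "[length(parameters('roleDefinitionGuids'))]" },
      "properties": {
        "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionGuids')[copyIndex()])]",
        "principalType": "ServicePrincipal",
        "principalId": "[reference(variables('assignmentId'), '2019-09-01', 'Full').identity.principalId]"
      }
    }
  ]
}
```

Setting `principalType` to `ServicePrincipal` avoids the deployment failing while the newly created identity is still replicating. Passing only the roles the policies declare keeps the remediation identity from holding broader rights than the deployments need.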