Microsoft Azure Filtering

This document covers the various ways fine-grained just-in-time access for Microsoft Azure can be configured by using P0's access policies.

Filtering on subscription

Requests can be filtered at the level of an entire subscription by adding a filter based on the subscription's id

Rule structure:

resource:
  type: integration
  service: azure
  filters:
    subscription: {
      effect: keep|remove|removeAll
      key: <tag key>
      pattern: <regex pattern>
    }

Deny all requests to the subscription with id <subscription id>

resource:
  type: integration
  service: azure
  accessType: any
  filters:
    subscription: {effect: keep, key: id, pattern: <subscription id>}
approval:
  - type: deny

Filtering on resource

Requests can be filtered by details pertaining to the resource being requested. There are two available keys for resource filters, name and id .

Rule structure:

resource:
  type: integration
  service: azure
  filters:
    resource: {
      effect: keep|remove|removeAll
      key: name
      pattern: <regex pattern>
    }

Examples:

Auto-approve any requests for the resource with an id of /subscriptions/<subscription number>/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_eastus

resource:
  type: integration
  service: azure
  filters:
    resource: {
      effect: keep, 
      key: id, 
      pattern: /subscriptions/<subscription number>/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_eastus
    }    
  approval:
    - type: persistent

Auto-approve on-call requests for any resource except for the one named "sensitive-virtual-network"

resource:
  type: integration
  service: azure
  accessType: any
  filters:
    resource: {effect: remove, key: name, pattern: sensitive-virtual-network}
approval:
  - type: auto
    integration: pagerduty
    options: {}

Filtering on roles

Requests can be filtered by details pertaining to the role being requested. There are two available keys for resource filters, name and id .

Rule structure:

resource:
  type: integration
  service: azure
  filters:
    role: {
      effect: keep|remove|removeAll
      key: role
      pattern: <regex pattern>
    }

Examples:

Allow approvals of requests to the role named "P0 Developer Role" to be approved by users with the DevOpsManager profile property in Okta

resource:
  type: integration
  service: azure
  accessType: any
  filters:
    role: {effect: keep, key: name, pattern: P0 Developer Role}
approval:
  - type: requestor-profile
    directory: okta
    options: {}
    profileProperty: DevOpsManager

Allow requests to the role with id of /subscriptions/<subscription id>/providers/Microsoft.Authorization/roleDefinitions/5bc02df6-6cd5-43fe-ad3d-4c93cf56cc16 to be approved by users defined in P0

resource:
  type: integration
  service: azure
  accessType: any
  filters:
    role: {
      effect: keep, 
      key: id, 
      pattern: /subscriptions/<subscription id>/providers/Microsoft.Authorization/roleDefinitions/5bc02df6-6cd5-43fe-ad3d-4c93cf56cc16
    }
approval:
  - type: p0
    options: {}

PreviousAWS Filtering NextSSH Filtering

Last updated 4 days ago

hashtagFiltering on subscription

hashtagRule structure:

hashtagFiltering on resource

hashtagRule structure:

hashtagExamples:

hashtagFiltering on roles

hashtagRule structure:

hashtagExamples:

Filtering on subscription

Rule structure:

Filtering on resource

Rule structure:

Examples:

Filtering on roles

Rule structure:

Examples: