# Microsoft Azure Filtering

### Filtering on subscription

Requests can be filtered at the level of an entire subscription by adding a filter based on the subscription's `id`.

#### Rule structure:

```
resource:
  type: integration
  service: azure
  filters:
    subscription: {
      effect: keep|remove|removeAll,
      key: id,
      pattern: <regex pattern>
    }
```

Deny all requests to the subscription with id `<subscription id>`

```
resource:
  type: integration
  service: azure
  accessType: any
  filters:
    subscription: {effect: keep, key: id, pattern: <subscription id>}
approval:
  - type: deny
```

### Filtering on resource

Requests can be filtered by details pertaining to the `resource` being requested. There are two available keys for `resource` filters, `name` and `id`.

#### Rule structure:

```
resource:
  type: integration
  service: azure
  filters:
    resource: {
      effect: keep|remove|removeAll,
      key: id | name,
      pattern: <regex pattern>
    }
```

#### Examples:

Auto-approve any requests for the resource with an `id` of `/subscriptions/<subscription number>/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_eastus`

```
resource:
  type: integration
  service: azure
  filters:
    resource: {
      effect: keep,
      key: id,
      pattern: /subscriptions/<subscription number>/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_eastus
    }
approval:
  - type: persistent
```

Auto-approve on-call requests for any resource except for the one named "sensitive-virtual-network"

```
resource:
  type: integration
  service: azure
  accessType: any
  filters:
    resource: {effect: remove, key: name, pattern: sensitive-virtual-network}
approval:
  - type: auto
    integration: pagerduty
    options: {}
```
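
Because `pattern` is a regular expression, a literal name or id used as a pattern can select more than the one resource intended. The following is an added example, not part of P0's documentation: it uses Python's `re` module to compare a raw pattern with an escaped, anchored one over constructed resource ids and names. This page does not state whether P0 anchors patterns, so both semantics are shown; `literal_pattern` and `selected` are hypothetical helpers.

```python
import re

# Characters with special meaning in most regex dialects.
META = set(".^$*+?()[]{}|\\")

def literal_pattern(value: str) -> str:
    """Hypothetical helper: escape metacharacters and anchor both ends, so the
    pattern selects exactly `value` under search or full-match semantics."""
    return "^" + "".join("\\" + ch if ch in META else ch for ch in value) + "$"

def selected(pattern: str, candidates: list[str], full: bool = False) -> list[str]:
    """Hypothetical helper: candidates a pattern selects under search
    (unanchored) or full-match semantics. Which one P0 uses is an assumption."""
    rx = re.compile(pattern)
    test = rx.fullmatch if full else rx.search
    return [c for c in candidates if test(c)]

# Constructed sample data: placeholder subscription id, made-up resources.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
NW = SUB + "/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/"
IDS = [NW + "NetworkWatcher_eastus", NW + "NetworkWatcher_eastus2"]
NAMES = ["sensitive-virtual-network", "sensitive-virtual-network-dr",
         "non-sensitive-virtual-network", "public-virtual-network"]

if __name__ == "__main__":
    for label, raw, pool in [("id", IDS[0], IDS), ("name", NAMES[0], NAMES)]:
        print(f"[{label}] raw pattern: {raw}")
        print("  search   :", selected(raw, pool))
        print("  fullmatch:", selected(raw, pool, full=True))
        exact = literal_pattern(raw)
        print(f"[{label}] escaped and anchored: {exact}")
        print("  search   :", selected(exact, pool))
```

With `effect: keep` on an approval rule, an over-broad match extends that rule to resources it was not meant to cover, so check each pattern against real resource ids and names before deploying it.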

### Filtering on roles

Requests can be filtered by details pertaining to the `role` being requested. There are two available keys for `role` filters, `name` and `id`.

#### Rule structure:

```
resource:
  type: integration
  service: azure
  filters:
    role: {
      effect: keep|remove|removeAll,
      key: id | name,
      pattern: <regex pattern>
    }
```

#### Examples:

Allow requests for the `role` named "P0 Developer Role" to be approved by users with the DevOpsManager profile property in Okta

```
resource:
  type: integration
  service: azure
  accessType: any
  filters:
    role: {effect: keep, key: name, pattern: P0 Developer Role}
approval:
  - type: requestor-profile
    directory: okta
    options: {}
    profileProperty: DevOpsManager
```

Allow requests to the role with `id` of `/subscriptions/<subscription id>/providers/Microsoft.Authorization/roleDefinitions/5bc02df6-6cd5-43fe-ad3d-4c93cf56cc16` to be approved by users defined in P0

```
resource:
  type: integration
  service: azure
  accessType: any
  filters:
    role: {
      effect: keep,
      key: id,
      pattern: /subscriptions/<subscription id>/providers/Microsoft.Authorization/roleDefinitions/5bc02df6-6cd5-43fe-ad3d-4c93cf56cc16
    }
approval:
  - type: p0
    options: {}
```

