# Microsoft Azure Filtering

### Filtering on subscription

Requests can be filtered at the level of an entire subscription by adding a filter based on the subscription's `id`.

#### Rule structure:

```
resource:
  type: integration
  service: azure
  filters:
    subscription: {
      effect: keep|remove|removeAll,
      key: id,
      pattern: <regex pattern>
    }
```

Deny all requests to the subscription with id `<subscription id>`

```
resource:
  type: integration
  service: azure
  accessType: any
  filters:
    subscription: {effect: keep, key: id, pattern: <subscription id>}
approval:
  - type: deny
```

### Filtering on resource

Requests can be filtered by details pertaining to the `resource` being requested. There are two available keys for `resource` filters, `name` and `id`.

#### Rule structure:

```
resource:
  type: integration
  service: azure
  filters:
    resource: {
      effect: keep|remove|removeAll,
      key: name,
      pattern: <regex pattern>
    }
```

#### Examples:

Auto-approve any requests for the resource with an `id` of `/subscriptions/<subscription number>/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_eastus`

```
resource:
  type: integration
  service: azure
  filters:
    resource: {
      effect: keep,
      key: id,
      pattern: /subscriptions/<subscription number>/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_eastus
    }
approval:
  - type: persistent
```

Auto-approve on-call requests for any resource except for the one named "sensitive-virtual-network"

```
resource:
  type: integration
  service: azure
  accessType: any
  filters:
    resource: {effect: remove, key: name, pattern: sensitive-virtual-network}
approval:
  - type: auto
    integration: pagerduty
    options: {}
```

### Filtering on roles

Requests can be filtered by details pertaining to the `role` being requested. There are two available keys for `role` filters, `name` and `id`.

#### Rule structure:

```
resource:
  type: integration
  service: azure
  filters:
    role: {
      effect: keep|remove|removeAll,
      key: name|id,
      pattern: <regex pattern>
    }
```

#### Examples:

Allow requests for the `role` named "P0 Developer Role" to be approved by users with the DevOpsManager profile property in Okta

```
resource:
  type: integration
  service: azure
  accessType: any
  filters:
    role: {effect: keep, key: name, pattern: P0 Developer Role}
approval:
  - type: requestor-profile
    directory: okta
    options: {}
    profileProperty: DevOpsManager
```

Allow requests to the role with `id` of `/subscriptions/<subscription id>/providers/Microsoft.Authorization/roleDefinitions/5bc02df6-6cd5-43fe-ad3d-4c93cf56cc16` to be approved by users defined in P0

```
resource:
  type: integration
  service: azure
  accessType: any
  filters:
    role: {
      effect: keep,
      key: id,
      pattern: /subscriptions/<subscription id>/providers/Microsoft.Authorization/roleDefinitions/5bc02df6-6cd5-43fe-ad3d-4c93cf56cc16
    }
approval:
  - type: p0
    options: {}
```
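Because every `pattern` on this page is a regex, an Azure id pasted in verbatim is broader than it looks: `.` matches any character, and an unanchored pattern can also match longer ids. The following linter is an added example, not part of the product or its documentation; it assumes rules are already parsed into dicts, uses Python's `re` as a stand-in for the product's regex engine, and `exact`, `lint_filters` and the placeholder subscription id are hypothetical names and values. This page does not state whether patterns are matched anchored, so the linter flags any pattern whose result would depend on it.

```python
import re

# Effects and keys as listed in the rule structures on this page.
# Assumption: Python's `re` stands in for the product's regex engine.
EFFECTS = {"keep", "remove", "removeAll"}
KEYS = {"subscription": {"id"}, "resource": {"name", "id"}, "role": {"name", "id"}}
META = re.compile(r"([.^$*+?()\[\]{}|\\])")

def exact(literal):
    """Anchored pattern matching only `literal` (regex metacharacters escaped)."""
    return "^" + META.sub(r"\\\1", literal) + "$"

def lint_filters(rule):
    """Return findings for the `filters` block of one parsed rule (a dict)."""
    findings = []
    for kind, flt in rule.get("resource", {}).get("filters", {}).items():
        if kind not in KEYS:
            findings.append(f"{kind}: not a filter type covered here")
            continue
        if flt.get("effect") not in EFFECTS:
            findings.append(f"{kind}: effect must be keep, remove or removeAll")
        if "key" in flt and flt["key"] not in KEYS[kind]:
            findings.append(f"{kind}: key must be one of {sorted(KEYS[kind])}")
        pattern = flt.get("pattern")
        if pattern is None:
            continue
        try:
            re.compile(pattern)
        except re.error as exc:
            findings.append(f"{kind}: invalid regex: {exc}")
            continue
        if not (pattern.startswith("^") and pattern.endswith("$")):
            findings.append(f"{kind}: pattern is unanchored")
        if re.search(r"(?<!\\)\.(?![*+?{])", pattern):
            findings.append(f"{kind}: unescaped '.' matches any character")
    return findings

# Constructed sample: the persistent-approval rule with a placeholder subscription.
RID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
       "NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_eastus")
LOOSE = {"resource": {"type": "integration", "service": "azure",
         "filters": {"resource": {"effect": "keep", "key": "id", "pattern": RID}}}}
TIGHT = {"resource": {"type": "integration", "service": "azure",
         "filters": {"resource": {"effect": "keep", "key": "id", "pattern": exact(RID)}}}}

if __name__ == "__main__":
    for name, rule in (("loose", LOOSE), ("tight", TIGHT)):
        print(name, lint_filters(rule))
```

The loose rule yields two findings and the tight rule none; under substring matching the loose pattern would also cover ids that extend the intended one, which matters most for `keep` filters paired with automatic approval.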
