Microsoft Azure Filtering

Filtering on subscription

Requests can be filtered at the level of an entire subscription by adding a filter based on the subscription's id

Rule structure:

resource:
  type: integration
  service: azure
  filters:
    subscription: {
      effect: keep|remove|removeAll
      key: <tag key>
      pattern: <regex pattern>
    }

Deny all requests to the subscription with id <subscription id>

resource:
  type: integration
  service: azure
  accessType: any
  filters:
    subscription: {effect: keep, key: id, pattern: <subscription id>}
approval:
  - type: deny

Filtering on resource

Requests can be filtered by details pertaining to the resource being requested. There are two available keys for resource filters, name and id .

Rule structure:

Examples:

Auto-approve any requests for the resource with an id of /subscriptions/<subscription number>/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_eastus

Auto-approve on-call requests for any resource except for the one named "sensitive-virtual-network"

Filtering on roles

Requests can be filtered by details pertaining to the role being requested. There are two available keys for resource filters, name and id .

Rule structure:

Examples:

Allow approvals of requests to the role named "P0 Developer Role" to be approved by users with the DevOpsManager profile property in Okta

Allow requests to the role with id of /subscriptions/<subscription id>/providers/Microsoft.Authorization/roleDefinitions/5bc02df6-6cd5-43fe-ad3d-4c93cf56cc16 to be approved by users defined in P0