Microsoft Azure Filtering

This document covers the various ways fine-grained just-in-time access for Microsoft Azure can be configured by using P0's Routing Rules.

Filtering on subscription

Requests can be filtered at the level of an entire subscription by adding a filter based on the subscription's id.

Rule structure:

resource:
  type: integration
  service: azure
  filters:
    subscription: {
      effect: keep|remove|removeAll,
      key: <tag key>,
      pattern: <regex pattern>
    }

Deny all requests to the subscription with id <subscription id>:

resource:
  type: integration
  service: azure
  accessType: any
  filters:
    subscription: {effect: keep, key: id, pattern: <subscription id>}
approval:
  - type: deny

Filtering on resource

Requests can be filtered by details pertaining to the resource being requested. There are two available keys for resource filters: name and id.

Rule structure:

Examples:

Auto-approve any requests for the resource with an id of /subscriptions/<subscription number>/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_eastus

Auto-approve on-call requests for any resource except for the one named "sensitive-virtual-network"
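As an added example (not P0's own code, and not a statement of how P0 actually evaluates patterns), the Python below previews which of a constructed set of Azure resource IDs a keep or remove filter on the name or id key would select; it assumes the pattern is a regular expression and shows how anchored and substring matching differ, which matters when a name such as "sensitive-virtual-network" is a prefix of another resource's name.

```python
import re

# Constructed sample of Azure resource IDs, shaped like the one in the text.
# The subscription GUID is a placeholder, not a real subscription.
SUB = "00000000-0000-0000-0000-000000000000"
SAMPLE_RESOURCE_IDS = [
    f"/subscriptions/{SUB}/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_eastus",
    f"/subscriptions/{SUB}/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_westus",
    f"/subscriptions/{SUB}/resourceGroups/prod-rg/providers/Microsoft.Network/virtualNetworks/sensitive-virtual-network",
    f"/subscriptions/{SUB}/resourceGroups/prod-rg/providers/Microsoft.Network/virtualNetworks/sensitive-virtual-network-staging",
]


def resource_name(resource_id: str) -> str:
    """The last path segment of an ARM resource ID is the resource name."""
    return resource_id.rstrip("/").rsplit("/", 1)[-1]


def apply_filter(resource_ids, effect, key, pattern, anchored=True):
    """Return the resource IDs that remain after a keep/remove filter.

    Assumption (not taken from P0's documentation): the pattern is a Python
    regex; anchored=True uses fullmatch, anchored=False uses search, i.e.
    substring semantics. removeAll is not modelled here.
    """
    if key not in ("name", "id"):
        raise ValueError("resource filter key must be 'name' or 'id'")
    if effect not in ("keep", "remove"):
        raise ValueError("only keep and remove are modelled here")
    rx = re.compile(pattern)

    def matches(rid: str) -> bool:
        subject = rid if key == "id" else resource_name(rid)
        return bool(rx.fullmatch(subject) if anchored else rx.search(subject))

    if effect == "keep":
        return [r for r in resource_ids if matches(r)]
    return [r for r in resource_ids if not matches(r)]
```

Previewing a rule this way before deploying it shows whether a remove filter on a name also catches similarly named resources under substring matching.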

Filtering on roles

Requests can be filtered by details pertaining to the role being requested. There are two available keys for role filters: name and id.

Rule structure:

Examples:

Allow requests for the role named "P0 Developer Role" to be approved by users with the DevOpsManager profile property in Okta

Allow requests to the role with id of /subscriptions/<subscription id>/providers/Microsoft.Authorization/roleDefinitions/5bc02df6-6cd5-43fe-ad3d-4c93cf56cc16 to be approved by users defined in P0
