In Azure, users with the 'Owner' or 'Contributor' role assigned to a Subscription are able to rename it via the Portal. In order to enforce a consistent naming scheme, we would like to prevent subscription renames after they have been created.
This can be done with a custom RBAC role, but ideally we would like to avoid that. Can anyone suggest an alternative approach?
I had considered using an Azure Policy, and have tried the below:
"policyRule": {
    "if": {
        "allOf": [
            {
                "field": "type",
                "equals": "Microsoft.Subscription/SubscriptionDefinitions"
            },
            {
                "field": "Microsoft.Subscription/SubscriptionDefinitions/subscriptionDisplayName",
                "exists": "true"
            }
        ]
    },
    "then": {
        "effect": "deny"
    }
}
However, this seems to have no effect and a rename can still be carried out via the Portal or CLI.
Any help appreciated!
I've also done some research to prevent users changing the subscription name.
This requires controlling the action Microsoft.Subscription/rename/action, in which rename is the resource type, and action the action.
You would expect that you can block this action using a policy with effect DenyAction. However, this type of policy effect currently only allows actions named delete, and when you try to provide the action named as action above, the API denies such a policy definition:
The policy definition 'MyCustomPolicyName' rule is invalid. The 'actionNames' field in 'denyAction' effect details must be an array with a single value of 'delete'.
This is also documented here in the introduction text of the heading DenyAction.
Therefore, the only option left is to put the following action as a NotAction in a custom RBAC role and ensure that users are using that role:
Microsoft.Subscription/rename/action
I hope Azure will support more actions in the DenyAction effect soon.
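To make the NotAction approach concrete, here is an added example (not code from the question or the answer above): a constructed custom role definition that lists Microsoft.Subscription/rename/action under NotActions, plus a small checker that models how Azure RBAC evaluates Actions and NotActions (case-insensitive, `*` wildcards, NotActions subtracted from Actions). The checker is a simplified illustration written for this example, not Microsoft's evaluator: it ignores DataActions and deny assignments, and the subscription id in assignableScopes is a placeholder.

```python
"""Check whether a custom Azure RBAC role permits a given control-plane action.

Added example, not from the original question or answer. The role below is a
constructed Contributor-like definition that additionally excludes
Microsoft.Subscription/rename/action, as the answer suggests.
"""
import fnmatch
import json

# Constructed role definition. The NotActions mirror the kind of exclusions
# the built-in Contributor role carries, with the subscription rename action
# added. The subscription id in AssignableScopes is a placeholder, not real.
CUSTOM_ROLE = {
    "Name": "Contributor (no subscription rename)",
    "IsCustom": True,
    "Description": "Contributor-like role that cannot rename the subscription.",
    "Actions": ["*"],
    "NotActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
        "Microsoft.Subscription/rename/action",
    ],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
}


def _matches(pattern: str, action: str) -> bool:
    # Azure RBAC action strings are matched case-insensitively and '*' may
    # match any characters, including the '/' separators. fnmatch's '*' has
    # the same behaviour (unlike shell globbing), so it is a good fit here.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def role_permits(role: dict, action: str) -> bool:
    """Simplified model: an action is permitted when some Actions entry
    matches it and no NotActions entry matches it. Deny assignments and
    DataActions are out of scope for this illustration."""
    allowed = any(_matches(p, action) for p in role.get("Actions", []))
    excluded = any(_matches(p, action) for p in role.get("NotActions", []))
    return allowed and not excluded


def role_definition_json(role: dict = CUSTOM_ROLE) -> str:
    """Serialise the role in the shape accepted by
    `az role definition create --role-definition @role.json`."""
    return json.dumps(role, indent=2)


if __name__ == "__main__":
    for action in [
        "Microsoft.Subscription/rename/action",
        "Microsoft.Compute/virtualMachines/write",
        "Microsoft.Authorization/roleAssignments/write",
    ]:
        verdict = "allowed" if role_permits(CUSTOM_ROLE, action) else "denied"
        print(f"{action}: {verdict}")
    print(role_definition_json())
```

The checker only models the effect of the custom role itself. A user who still holds the built-in Owner or Contributor role at subscription scope retains the rename permission through that assignment, which is why the answer stresses that users must actually be assigned the custom role instead.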