azure-policy
Alias request for 'principalType' field in Microsoft.Authorization role schedule resources
Resource Provider: Microsoft.Authorization
Resource Type:
- roleAssignmentScheduleRequests
- roleAssignmentScheduleInstances
- roleEligibilityScheduleRequests
Field(s) requested:
- Microsoft.Authorization/roleAssignmentScheduleRequests/principalType
- Microsoft.Authorization/roleAssignmentScheduleInstances/principalType
- Microsoft.Authorization/roleEligibilityScheduleRequests/principalType
Reason:
We want to enforce role assignments only to groups, not to users, across all RBAC paths — including scheduled and eligible role assignments. Currently, principalType is only available on Microsoft.Authorization/roleAssignments, but not on these other related resource types.
This alias is critical for preventing direct role assignments to users through PIM or scheduled assignments.
Scenarios:
- Deny policy to block role assignments where principalType == "User"
- Allow only principalType == "Group", "ManagedIdentity" or "ServicePrincipal"
Example:
{
  "field": "Microsoft.Authorization/roleAssignmentScheduleRequests/principalType",
  "equals": "User"
}
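For reference, the condition above expanded into a complete policy definition covering all three requested resource types plus the existing Microsoft.Authorization/roleAssignments alias. This is an added example, not a definition shipped with azure-policy, and it assumes the three requested aliases (Microsoft.Authorization/roleAssignmentScheduleRequests/principalType, .../roleAssignmentScheduleInstances/principalType and .../roleEligibilityScheduleRequests/principalType) exist with the same string values as the roleAssignments alias; the displayName and the effect parameter are illustrative choices.

```json
{
  "properties": {
    "displayName": "Role assignments (direct, scheduled, eligible) must target groups, managed identities or service principals",
    "mode": "All",
    "parameters": {
      "effect": {
        "type": "String",
        "defaultValue": "Deny",
        "allowedValues": [ "Audit", "Deny", "Disabled" ]
      },
      "allowedPrincipalTypes": {
        "type": "Array",
        "defaultValue": [ "Group", "ManagedIdentity", "ServicePrincipal" ]
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              { "field": "type", "equals": "Microsoft.Authorization/roleAssignments" },
              { "field": "Microsoft.Authorization/roleAssignments/principalType", "notIn": "[parameters('allowedPrincipalTypes')]" }
            ]
          },
          {
            "allOf": [
              { "field": "type", "equals": "Microsoft.Authorization/roleAssignmentScheduleRequests" },
              { "field": "Microsoft.Authorization/roleAssignmentScheduleRequests/principalType", "notIn": "[parameters('allowedPrincipalTypes')]" }
            ]
          },
          {
            "allOf": [
              { "field": "type", "equals": "Microsoft.Authorization/roleAssignmentScheduleInstances" },
              { "field": "Microsoft.Authorization/roleAssignmentScheduleInstances/principalType", "notIn": "[parameters('allowedPrincipalTypes')]" }
            ]
          },
          {
            "allOf": [
              { "field": "type", "equals": "Microsoft.Authorization/roleEligibilityScheduleRequests" },
              { "field": "Microsoft.Authorization/roleEligibilityScheduleRequests/principalType", "notIn": "[parameters('allowedPrincipalTypes')]" }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

The rule uses the allow-list form of the second scenario (notIn the permitted set) rather than equals "User": it blocks not only users but any principalType outside the approved set, so a request whose principalType is missing or unexpected is denied rather than silently allowed. Assigning it first with effect Audit shows which existing PIM requests would be denied before switching to Deny.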