Azure IAM - is it possible to audit group memberships using Azure Policy?

Question

I want to first audit (and later enforce) that user names added to a specific AD Group follow certain naming convention. Is this achievable via Azure Policy? It would be straightforward to get such report through scripting, but in our case we want to see clear audit status with Azure policies and eventually prevent them from being added in the first place with Policy deny effect.

question from:https://stackoverflow.com/questions/66055674/azure-iam-is-it-possible-to-audit-group-memberships-using-azure-policy

Answer 1

No, I believe Azure Policy can only be used on the Azure Resource Manager scope. Azure AD objects like users and groups can't be managed using Azure Policy. So one way to think of it is that if you can deploy something with an ARM template, you can likely govern only those objects using Azure Policy.

The alternative to having nice audit reports for Azure AD stuff would be Azure AD Privileged Identity Management (PIM). It's pretty awesome but I don't think your use case around enforcing and auditing naming conventions of users is supported. Cheers!